Open svgeesus opened 2 years ago
The Content Security Policy frame-ancestors could also be used.
A tool to list what gets injected via these webviews: https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser
FYI, this is also being discussed in the WebView CG, https://github.com/WebView-CG/usage-and-challenges/issues/39 being the most relevant thread (but this issue is related to several others)
Native apps typically open links to websites in a webview. This means that the app can track user behavior, including injecting script into the displayed third-party website. Users would likely prefer to visit the link in the native browser.
There is a similarity to the way websites would use <frame> in the early days of the web to include, and control, third party websites. An existing solution, the X-Frame-Options HTTP header, was used to enable websites to break out of such frames. The same, existing solution should be enabled on webviews so that websites could express the desire to be viewed in a browser.
This was suggested by Adrian Holovaty in Let websites framebust out of native apps
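As an added example (not code from the issue or from any browser or webview engine), this is how an embedder such as a webview could evaluate a page's X-Frame-Options and CSP frame-ancestors headers to decide whether the page consents to being shown inside it. It assumes a constructed `headers` object with lowercase header names and a simplified source matcher (scheme, host and wildcard-subdomain sources; no port matching), and follows the CSP rule that a frame-ancestors directive, when present, overrides X-Frame-Options.

```javascript
// Return the frame-ancestors source list from a CSP header value, or null if the directive is absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression allow this embedder origin?
// Simplified: handles 'none', 'self', '*', scheme sources (https:) and host sources with an
// optional *. wildcard. Sources with an explicit port are treated as non-matching (fail closed).
function sourceMatches(src, embedder, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === pageOrigin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.startsWith(s + '//');
  const e = new URL(embedder);
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/);
  if (!m) return false;
  const [, scheme, wild, host] = m;
  if (scheme && e.protocol !== scheme + ':') return false;
  return wild ? e.hostname.endsWith('.' + host) : e.hostname === host;
}

// Decide whether `embedder` (an origin such as "https://app.example") may embed the page
// served with `headers` from `pageOrigin`. frame-ancestors wins over X-Frame-Options when both exist.
function mayEmbed(headers, embedder, pageOrigin) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors) return ancestors.some(src => sourceMatches(src, embedder, pageOrigin));
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin;
  return true; // no opt-out expressed; the obsolete ALLOW-FROM form is ignored, as browsers do
}
```

A webview that honoured these headers would, on a `false` result, hand the URL to the system browser instead of rendering it in-app.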