Embedded Client Apps: Deprecating automatic support for the `allow-downloads` sandbox option

Category: Embedded Client Apps (Developers, Vendors, and Administrators)

Summary: In June of 2020, Chrome began enforcing a new iframe sandbox flag allow-downloads. This means that downloads are blocked by sandboxed iframes unless opted in by this sandbox flag. At the time, this was a breaking change and Chrome was the first browser to support the switch. In order to avoid disruption to Embedded Client Apps users and to guarantee consistency amongst browsers, we began automatically applying this sandbox flag to all Embedded Client Apps.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#browser_compatibility

Context: Since making this change, Chrome, Edge, and Firefox have all released support for this sandbox flag. Additionally, we have added the ability to manually opt into this sandbox on a per-app basis. As such, we will be removing the automatic insertion of the allow-downloads sandbox flag and requiring that App vendors or Administrators manually opt into this feature, when needed.

Impact: Upon removal of the automatic insertion of the sandbox flags, downloads from within Embedded Client Applications will be blocked unless explicitly allowed.

Ad-hoc Embedded Client App Developers/Administrators:

Assess if your Embedded Client App needs to support downloads. If needed, go to Admin -> Integrations. Open your app definition, navigate to the Configuration tab, and add the allow-downloads option to the Iframe Sandbox Options field.

Premium App Vendor/Partners:

Assess if your Premium App needs to support downloads. If needed, take the appropriate action based on your sandbox option configuration type:

Statically Defined Sandbox Options:

Contact zachary.hinkle@genesys.com to have your static sandbox options updated.

Dynamically Defined Sandbox Options:

  • We have already updated your configuration to support allow-downloads.
  • Please reach out to your customers to ensure they have updated their app configuration to avoid download regressions.
  • If you dynamically create instances of your app, you should ensure your code is adding the allow-downloads flag.
  • Finally, you may want to consider statically defining your sandbox options. This puts you in full control of your app's sandbox options and will ease future changes and migrations. Again, please reach out to Zach Hinkle if you would like to explore this option.

Date of Change: On 5/5/2021, we will disable the automatic insertion of the allow-downloads sandbox flag for all apps. At this point, apps will need to explicitly opt into this flag to allow downloads initiated from Embedded Client Apps. If explicit permission is not granted, the download will be blocked by the browser and/or the Genesys Cloud Desktop App.

Impacted APIs: This change primarily affects App configuration and is not an API change per se.

If working with integrations dynamically, the sandbox can be configured via the following endpoint:
PUT /api/v2/integrations/{integrationId}/config/current

References:

Justin, can we request to activate this change before 5/5/2021 in preprod environment organizations to test and verify that everything will work correctly after the change?

@javier.delolmo, unfortunately, we do not have a mechanism to disable this for particular orgs at this time. We normally have this capability when rolling out new features, but this is a bit of a special case.

But, I definitely appreciate your desire to test this out ahead of the change. Are you trying to determine if your app needs this flag or if it will work upon our removal of our automatic insertion?

If it's the latter and you're confident you need the allow-downloads flag, go ahead and update your app's sandbox options. We will not duplicate the sandbox option and you can be sure your app will work when we remove the automatic support.

If you are trying to determine if your app needs this flag, you should first audit your app to see if users can download content (via direct link or js). If this is one of your features, you could use the browser DevTools to manually modify the sandbox options and remove allow-downloads. Another option would be to create a tester page that iframes in your app. Using either of these mechanisms, you should be able to test if your app requires this flag.

When we initially tested this, we created a repo for testing. You could adapt this for local testing if you'd like. You can use something like http-server to serve this with node.

Let me know if this doesn't help or if you need something more robust to ensure your apps will work on 5/5. We're here to help.
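
Added example, not part of the original post and not Genesys code: a Node.js script that generates the kind of tester page described above, framing the same app twice, once with allow-downloads removed and once with it present exactly once. The app URL and the sandbox value are constructed placeholders; substitute your app's own.

```javascript
// Added example: generate a local tester page for the allow-downloads flag.
const DOWNLOADS = 'allow-downloads';

// Split a sandbox attribute value into unique, lower-cased tokens
// (sandbox keywords are matched case-insensitively by browsers).
function parseSandbox(value) {
  return [...new Set(String(value).toLowerCase().split(/\s+/).filter(Boolean))];
}

// Sandbox value with allow-downloads present exactly once (no duplicates).
function withDownloads(value) {
  const rest = parseSandbox(value).filter((t) => t !== DOWNLOADS);
  return [...rest, DOWNLOADS].join(' ');
}

// Sandbox value as it behaves once automatic insertion is removed.
function withoutDownloads(value) {
  return parseSandbox(value).filter((t) => t !== DOWNLOADS).join(' ');
}

// Escape text placed inside an HTML attribute or heading.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Build a page with two iframes of the same app, differing only in the flag.
function buildTesterPage(appUrl, sandbox) {
  const frame = (label, value) =>
    `<h2>${escapeHtml(label)}: ${escapeHtml(value)}</h2>\n` +
    `<iframe src="${escapeHtml(appUrl)}" sandbox="${escapeHtml(value)}"` +
    ' width="800" height="400"></iframe>';
  return [
    '<!doctype html>',
    '<title>allow-downloads tester</title>',
    frame('Without flag (downloads should be blocked)', withoutDownloads(sandbox)),
    frame('With flag (downloads should work)', withDownloads(sandbox)),
  ].join('\n');
}

// Constructed sample values, not taken from any real app configuration.
const SAMPLE_APP_URL = 'http://localhost:8081/';
const SAMPLE_SANDBOX = 'allow-scripts allow-same-origin allow-forms allow-downloads';

console.log(buildTesterPage(SAMPLE_APP_URL, SAMPLE_SANDBOX));
```

Redirect the output to a file such as tester.html, serve it locally (for example with http-server), and trigger a download in each frame; if the first frame blocks a download your users rely on, the app needs the flag in its configuration.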

Thanks Justin, we currently have an iframe integration with downloads and we want to test if after 5/5 everything will continue working well, but don't worry, we are going to activate the flag and on 5/5 we will do tests to verify that everything is still working like now. How will we know that this change has been applied? Will Genesys inform it in the release notes of that day?
Regards.

We generally toggle behavior off hours so this should be available SOB on 5/5. Since it's a toggle, it won't appear in the formal release notes.

Sounds like you should be fine if you pre-apply the flag before the 5th. But, please reach out if you encounter any issues. You can reach out to support or me directly.

Great! Thanks Justin
