Deprecating allow-top-navigation and allow-top-navigation-by-user-activation directives

On June 1st, 2024, we will remove the allow-top-navigation and allow-top-navigation-by-user-activation directives from iframes to increase app security.

These directives enable apps to redirect customers from their monday account to another website, which poses a security risk for many customers.

Here are good and bad examples of what’s currently allowed:

  // Open link in a new tab - GOOD
  window.open("https://www.mozilla.org/", "mozillaTab");

  // Open link in a new window - GOOD
  window.open("https://www.mozilla.org/",'name','height=300,width=650,screenX=400,screenY=350')

  // Redirect the user outside of monday - BAD
  window.top.location.href = "https://www.mozilla.org/";

After deprecating these directives, any links utilizing this functionality won’t work but won’t impact app functionality. This update will only disable window.top.location.href (see example below):

window.top.location.href = "https://www.mozilla.org/";

If you need to direct customers to an external link from the app, you can still do so by opening it in a new tab using the SDK or the window.open method.

window.open("https://www.mozilla.org/", "mozillaTab");

Got questions? Drop them in the thread below

@rachelatmonday if I’m doing the OAuth dance with an external provider, I’d prefer to open a new window of a specific dimension without address bar as I currently can.

I’m assuming that this will remain as it’s still just window.open. Is this the case?

Hey @dvdsmpsn , yeah - window.open will keep on working

Hi! Does this affect to window.location.href too?

Thanks!

Hi @MiguelAngel , it does not, it will only disable window.top.location.href

Great, thank you @gregra for the clarification!