Reminder: Sandboxing for all iframes part 2

NB: This change has been postponed. Learn more here.

We previously announced part 1 of sandboxing for all iframes and are getting closer to implementing part 2 on June 28th, 2023! This involves limiting relevant apps’ actions and only allowing the following directives in our iframes:

  • allow-forms: Allows the page to submit forms. The form will be displayed as normal, but submitting it will not trigger input validation, sending data to a web server, or closing a dialog if this keyword is not used.
  • allow-downloads: Allows downloading files through an <a> or <area> element with the download attribute and through the navigation that leads to a file download. This works regardless of whether the user clicked on the link or JS code initiated it without user interaction.
  • allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.
  • allow-same-origin: The resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs) if this token is not used.
  • allow-scripts: Allows the page to run scripts (but not create pop-up windows). This operation is not allowed if this keyword is not used.

We recommend testing your app in the sandboxed environment with the new restrictions to ensure nothing breaks. You can do so by adding the _apps_sandbox=v2 query param to a monday URL. If something breaks and there’s no workaround, please complete a support request so we can find a resolution.


We recently added an SDK method that allows you to open links in a new tab for view apps! :cowboy_hat_face:

This method is particularly useful for apps impacted by the upcoming sandboxing changes. Check out our SDK documentation for more information about the method, its parameters, and a code sample :page_facing_up:

1 Like

@rachelatmonday I assume that the mentioned SDK method breaks the opened link out of any sandboxing constraints that it would otherwise inherit.

Is this correct?

Also, I’m guessing that the documented example…

monday.execute("openLinkInTab", { url: "" });

…should be prefixed with https:// like so:

monday.execute("openLinkInTab", { url: "" });

Correct, @dvdsmpsn!

You can use this method to open links, thus avoiding those sandboxing constraints :smiley: the original five directives will remain the same.

Also, thanks for the suggestion. I’ve updated the docs!


Hey @rachelatmonday, just added the new open link method from the SDK to our WorkDoc action and the following error is triggered:

Uncaught (in promise) Error: "openLinkInTab" execute command isn't available or supported for this app feature type

I’ve tested our app in production (which use with the _apps_sandbox=v2 flag and indeed the call is blocked by the iframe restriction.

So, what are our options before the June 28th? Do you plan to make this SDK method compatible (and maybe others too) with the WorkDoc action feature?

Hi @clement.devdevils,

Thanks for bringing this up! I’ve reached out to our devs to get some answers, so I’ll get back to you as soon as I have a solution for you :smiley:

1 Like

@clement.devdevils our devs have found the issue and are working on a fix right now. I’ll update when it is ready to go!

@clement.devdevils the fix was deployed today. Please reach out again if you have any other questions :pray:

Just tested and it works, thanks!

1 Like

We are glad that is the case @clement.devdevils !

1 Like

Hi @rachelatmonday, @Matias.Monday.

We have a series of published apps that could be impacted by this change (Embedders). Some of them require the “allow-popups” directive to function properly. Unfortunately, some of the solutions suggested in this post cannot be applied in our case as we don’t have control over the underlying application. What should we do in this situation?

Hi @alistefano,

Can you send me the name of the impacted app(s) where the SDK won’t work?

1 Like

Does this update have anything to do with refusing to connect when in an iframe?

No - this only applies to apps embedded inside a monday iframe. This change has also not been activated yet – see this post for more details.