Update to sandboxing for all iframes part 2

Part 2 of sandboxing for all iframes will now be implemented on July 5th, 2023 to give developers more time to test their apps against the new restrictions. Please note that the original directives will remain the same:

  • allow-forms: Allows the page to submit forms. If this keyword is not used, the form is still displayed as normal, but submitting it does not trigger input validation, send data to a web server, or close a dialog.
  • allow-downloads: Allows downloading files through an <a> or <area> element with the download attribute and through the navigation that leads to a file download. This works regardless of whether the user clicked on the link or JS code initiated it without user interaction.
  • allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.
  • allow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
  • allow-scripts: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, scripts cannot run.

If you need to open a link in a new tab, you can use the new monday.execute("openLinkInTab") method.

We recommend testing your app in the sandboxed environment with the new restrictions to ensure nothing breaks. You can do so by adding the _apps_sandbox=v2 query param to a monday URL. If something breaks and there’s no workaround, please complete a support request so we can find a resolution.
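
As a pre-test aid, the following added example (not monday's code) is a heuristic Node.js scan that flags app source relying on capabilities the five tokens above do not grant, plus a helper that appends the _apps_sandbox=v2 parameter. The rule patterns, sample source and example URL are constructed; allow-popups, allow-modals and allow-top-navigation are standard HTML sandbox tokens that are absent from the list above.

```javascript
// Added example, not monday's code. Heuristic line-by-line scan.
// Tokens the announcement lists for the app iframe.
const GRANTED = new Set([
  "allow-forms", "allow-downloads", "allow-presentation",
  "allow-same-origin", "allow-scripts",
]);

// Constructed rules: source pattern -> standard HTML sandbox token it needs.
const RULES = [
  { token: "allow-popups",
    re: /\bwindow\.open\s*\(|target\s*=\s*["']_blank["']/,
    hint: 'use monday.execute("openLinkInTab") instead' },
  { token: "allow-modals",
    re: /\b(?:alert|confirm|prompt)\s*\(/,
    hint: "blocking dialogs will not be shown in the sandbox" },
  { token: "allow-top-navigation",
    re: /\btop\.location\b/,
    hint: "the frame cannot navigate the top-level page" },
];

// Return one finding per line/rule where the needed token is not granted.
function auditSource(source, granted = GRANTED) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { token, re, hint } of RULES) {
      if (!granted.has(token) && re.test(text)) {
        findings.push({ line: i + 1, token, hint });
      }
    }
  });
  return findings;
}

// Append the test parameter from the announcement to a monday URL.
function sandboxTestUrl(url) {
  const u = new URL(url);
  u.searchParams.set("_apps_sandbox", "v2");
  return u.toString();
}

// Constructed sample app source.
const SAMPLE = [
  'document.querySelector("form").submit();',
  'window.open("https://example.com/help");',
  'if (confirm("Delete item?")) removeItem();',
  '<a href="https://example.com" target="_blank">Docs</a>',
].join("\n");

console.log(auditSource(SAMPLE));
console.log(sandboxTestUrl("https://example.monday.com/boards/1?view=2"));
```

A clean scan does not replace loading the app with the test parameter, since the patterns only catch direct, literal uses.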