417: Iframe Allow Attribute Saga

417: Iframe Allow Attribute Saga

From CodePen Radio by CodePen Blog

November 18, 2025

About this episode

The episode discusses a recent Google Chrome update that affected CodePen embeds, leading to JavaScript errors and the subsequent resolution of the issue.

There was a day not long ago where a Google Chrome browser update left any page with a CodePen Embed on it throwing a whole big pile of red JavaScript errors in the console. Not ideal, obviously. The change was related to how the browser handles allow attributes on iframes (i.e. <iframe allow="...">). CodePen was calculating the appropriate values inside an iframe for a nested iframe. That must have been a security issue of sorts, as now those values need to be present on the outside iframe as well. We documented all this in a blog post so hopefully we could get some attention from Chrome on this, and for other browser makers as well since it affects all of us. And I posted it on the ol' social media: Huge thanks to Bramus Van Damme who saw this, triaged it at Chrome, and had a resolution within a day: I think the patch is a great change so hats off to everyone involved for getting it done so quickly. It's already in Canary and don't really know when it'll get the stable but that sure will be good. It follows how Safari is doing things where values that aren't understood are just ignored (which we think is fine and inline with how HTML normally works). Fortunately we were…

Topics covered

  • iframe
  • JavaScript errors
  • browser updates
  • security
  • CodePen embeds
  • web development

Keywords

  • iframe allow attribute
  • CodePen
  • JavaScript errors
  • Chrome update
  • web security
  • browser compatibility

Mentioned in this episode

Organizations: Google Chrome, CodePen, Safari

More episodes of CodePen Radio

Explore listener stats, chart rankings, contacts and more on the CodePen Radio podcast page.