The Controlled Frame API exposes a new <controlledframe> tag to Isolated Web Apps that can be used to embed any content, and provides more control over embedded content than other embedding methods like <iframe>, including the power to override opt-out mechanisms like X-Frame-Options and CSP. It is based on the Chrome App WebView API, and provides functionality similar to native WebView APIs, such as script injection and network request interception and modification. Due to the level of control this gives a parent frame over embedded content, a separate storage partition is used to avoid leaking private data from the user’s normal browsing context. Because of how powerful this API is, it is only exposed to Isolated Web Apps, never to content on normal web pages.
There are Chromium-specific WPT-like tests that we’ll move to Chromium’s wpt_internal directory once our infrastructure supports running WPTs within Isolated Web Apps.
Organization/project driving the specification: Google
Multi-stakeholder support:
Mozilla comments: N/A
WebKit comments: N/A
This API only makes sense within the context of an environment like Isolated Web Apps. The standards position for that proposal was negative from Mozilla, and no response from WebKit. Without the IWA context, we wouldn’t recommend supporting an API like this.
The group where the work on this specification is currently being done: WICG
The group where standardization of this work is intended to be done (if different from the current group): WICG
Major unresolved issues with or opposition to this specification: Some functionality is only covered by high-level normative text. More details for these sections are currently being written.
Opened Mar 7, 2025
Hello, TAG!
I'm requesting a TAG review of Controlled Frame.
The Controlled Frame API exposes a new <controlledframe> tag to Isolated Web Apps that can be used to embed any content, and provides more control over embedded content than other embedding methods like <iframe>, including the power to override opt-out mechanisms like X-Frame-Options and CSP. It is based on the Chrome App WebView API, and provides similar functionality as native WebView APIs such as script injection and network request interception and modification. Due to the level of control this gives a parent frame over embedded content, a different storage partition is used to avoid leaking private data from the user’s normal browsing context. Because of how powerful this API is, it is only exposed to Isolated Web Apps, never to content on normal web pages.

Further details:
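As an added illustration (not code from the Controlled Frame specification, the Chromium implementation, or this issue), the following shows how an Isolated Web App would use the two capabilities the request describes, a dedicated storage partition and network request interception, to keep an embedded page on a least-privilege footing: subresource requests are only allowed to an explicit origin allowlist and everything else is cancelled. The element and listener names (`partition` attribute, `request.onBeforeRequest.addListener` with a `{cancel}` return) are assumed from the Chrome App `<webview>` API that the page says Controlled Frame is modeled on; the real `<controlledframe>` surface may differ, and `embedWithPolicy`, `isAllowedRequest` and `makeBeforeRequestListener` are hypothetical helper names.

```javascript
// Added example; API shape ASSUMED from the Chrome App <webview> API
// (request.onBeforeRequest listener returning {cancel}), which the
// Controlled Frame API is based on. Not the spec's or Chromium's own code.

// Pure policy check: a request from the embedded page is allowed only when
// its origin is on the allowlist. Unparsable URLs fail closed.
function isAllowedRequest(requestUrl, allowedOrigins) {
  let origin;
  try {
    origin = new URL(requestUrl).origin;
  } catch (_e) {
    return false;
  }
  return allowedOrigins.includes(origin);
}

// The blocking listener is built separately so the policy can be unit-tested
// without a DOM. `log` collects blocked URLs for the embedder's own telemetry.
function makeBeforeRequestListener(allowedOrigins, log) {
  return (details) => {
    const allowed = isAllowedRequest(details.url, allowedOrigins);
    if (!allowed) {
      log.push(`blocked ${details.url}`);
    }
    return { cancel: !allowed };
  };
}

// Wires the policy onto a <controlledframe>. Meant to run only inside an
// Isolated Web App where the element exists; it is never invoked at module
// load, so the block itself stays runnable outside a browser.
function embedWithPolicy(doc, src, allowedOrigins, log) {
  const frame = doc.createElement('controlledframe');
  // Dedicated storage partition (assumed "persist:" naming from Chrome App
  // webview): the embedded page must not see the user's normal browsing
  // cookies or storage, which is the isolation the API relies on.
  frame.setAttribute('partition', 'persist:embedded');
  frame.src = src;
  // Blocking interception: the listener's return value decides per request.
  frame.request.onBeforeRequest.addListener(
    makeBeforeRequestListener(allowedOrigins, log),
    { urls: ['<all_urls>'] },
    ['blocking']
  );
  doc.body.appendChild(frame);
  return frame;
}
```

The policy deliberately keys on the parsed origin rather than a string prefix, so `https://app.example.attacker.test` does not pass an allowlist entry of `https://app.example`; the blocked-request log is the signal a defender would watch to see what an embedded page tried to reach.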