From 2102fc50d84349b54408d185caf4480a1dcb69c9 Mon Sep 17 00:00:00 2001
From: Jannis Rautenstrauch <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 13:29:03 +0100
Subject: [PATCH 01/14] Update iframe_attributes_usage description

---
 sql/2024/security/iframe_attributes_usage.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sql/2024/security/iframe_attributes_usage.sql b/sql/2024/security/iframe_attributes_usage.sql
index 9b64593ba90..c8894845af8 100644
--- a/sql/2024/security/iframe_attributes_usage.sql
+++ b/sql/2024/security/iframe_attributes_usage.sql
@@ -1,6 +1,6 @@
 #standardSQL
 # Section: Content Inclusion - Iframe Sandbox/Permissions Policy
-# Question: How often are the allow and sandbox attributes used on iframes? Both per page and over all iframe elements
+# Question: How often are the allow and sandbox attributes used on iframes? Both per page (used in at least one iframe on a page) and over all iframe elements
 SELECT
   client,
   date,

From e14a9f0961fcab904d71d13219832c42494b9e97 Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:02:25 +0100
Subject: [PATCH 02/14] Fix total_iframes in iframe_attributes_usage.sql

---
 sql/2024/security/iframe_attributes_usage.sql | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/sql/2024/security/iframe_attributes_usage.sql b/sql/2024/security/iframe_attributes_usage.sql
index c8894845af8..7cd9d7bf54e 100644
--- a/sql/2024/security/iframe_attributes_usage.sql
+++ b/sql/2024/security/iframe_attributes_usage.sql
@@ -1,16 +1,29 @@
 #standardSQL
 # Section: Content Inclusion - Iframe Sandbox/Permissions Policy
 # Question: How often are the allow and sandbox attributes used on iframes? Both per page (used in at least one iframe on a page) and over all iframe elements
+WITH total_iframe_count AS (
 SELECT
   client,
   date,
-  COUNT(0) AS total_iframes,
+  SUM(SAFE_CAST(JSON_EXTRACT(custom_metrics, '$.num_iframes') AS INT64)) AS total_iframes
+  FROM
+    `httparchive.all.pages`
+  WHERE
+    (date = '2022-06-01' OR date = '2023-06-01' OR date = '2023-12-01' OR date = '2024-03-01' OR date = '2024-04-01' OR date = '2024-05-01' OR date = '2024-06-01') AND
+    is_root_page
+GROUP BY client, date
+)
+
+SELECT
+  client,
+  date,
+  total_iframes,
   COUNTIF(allow IS NOT NULL) AS freq_allow,
-  COUNTIF(allow IS NOT NULL) / COUNT(0) AS pct_allow_frames,
+  COUNTIF(allow IS NOT NULL) / total_iframes AS pct_allow_frames,
   COUNTIF(sandbox IS NOT NULL) AS freq_sandbox,
-  COUNTIF(sandbox IS NOT NULL) / COUNT(0) AS pct_sandbox_frames,
+  COUNTIF(sandbox IS NOT NULL) / total_iframes AS pct_sandbox_frames,
   COUNTIF(allow IS NOT NULL AND sandbox IS NOT NULL) AS freq_both_frames,
-  COUNTIF(allow IS NOT NULL AND sandbox IS NOT NULL) / COUNT(0) AS pct_both_frames,
+  COUNTIF(allow IS NOT NULL AND sandbox IS NOT NULL) / total_iframes AS pct_both_frames,
   COUNT(DISTINCT url) AS total_urls,
   COUNT(DISTINCT IF(allow IS NOT NULL, url, NULL)) AS allow_freq_urls,
   COUNT(DISTINCT IF(allow IS NOT NULL, url, NULL)) / COUNT(DISTINCT url) AS allow_pct_urls,
@@ -36,8 +49,9 @@ FROM (
       is_root_page
   )
   LEFT JOIN UNNEST(iframeAttrs) AS iframeAttr
-  )
+  ) JOIN total_iframe_count USING (client, date)
 GROUP BY
+  total_iframes,
   client,
   date
 ORDER BY

From 9886bc46adf8bf07f0f0f525736be4bd437257bb Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:03:12 +0100
Subject: [PATCH 03/14] Fix total pages in meta_csp_disallowed_directives.sql

---
 .../meta_csp_disallowed_directives.sql        | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/sql/2024/security/meta_csp_disallowed_directives.sql b/sql/2024/security/meta_csp_disallowed_directives.sql
index 7816a584cd9..9aea88eeab9 100644
--- a/sql/2024/security/meta_csp_disallowed_directives.sql
+++ b/sql/2024/security/meta_csp_disallowed_directives.sql
@@ -2,9 +2,24 @@
 # Section: Security misconfigurations - CSP directives that are ignored in <meta>
 # Question: How many pages use invalid CSP directives in <meta>?
 # Note: uses the old payload._almanac metric location instead of custom_metrics.almanac (also the meta-nodes metric is in the generic almanac.js custom metric)
+WITH totals AS (
+  SELECT
+    client,
+    COUNT(0) AS total_pages
+  FROM
+    `httparchive.all.requests`
+  WHERE
+    date = '2024-06-01' AND
+    is_root_page
+  GROUP BY
+    client
+)
+
+
 SELECT
   client,
-  COUNT(DISTINCT page) AS total_pages,
+  total_pages,
+  COUNT(DISTINCT page) AS total_pages_with_csp_meta,
   COUNT(CASE WHEN REGEXP_CONTAINS(LOWER(JSON_VALUE(meta_node, '$.content')), r'(?i)frame-ancestors') THEN page END) AS count_frame_ancestors,
   COUNT(CASE WHEN REGEXP_CONTAINS(LOWER(JSON_VALUE(meta_node, '$.content')), r'(?i)frame-ancestors') THEN page END) / COUNT(DISTINCT page) AS pct_frame_ancestors,
   COUNT(CASE WHEN REGEXP_CONTAINS(LOWER(JSON_VALUE(meta_node, '$.content')), r'(?i)sandbox( allow-[a-z]+)*;') THEN page END) AS count_sandbox,
@@ -22,7 +37,9 @@ FROM (
 ),
 UNNEST(JSON_QUERY_ARRAY(metrics, '$.meta-nodes.nodes')) meta_node,
 UNNEST(['Content-Security-Policy']) AS policy
+JOIN totals using (client)
 WHERE
   LOWER(JSON_VALUE(meta_node, '$.http-equiv')) = 'content-security-policy' OR LOWER(JSON_VALUE(meta_node, '$.name')) = 'content-security-policy'
 GROUP BY
-  client
+  client,
+  total_pages

From f9ac5de7476af716c7f9b40a99e67ed69bdc2244 Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:03:40 +0100
Subject: [PATCH 04/14] Clarify in 3 queries that the total is not global

---
 sql/2024/security/csp_number_of_allowed_hosts.sql     | 5 +++--
 sql/2024/security/csp_script_source_list_keywords.sql | 4 ++--
 sql/2024/security/iframe_attribute_popular_hosts.sql  | 8 ++++----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/sql/2024/security/csp_number_of_allowed_hosts.sql b/sql/2024/security/csp_number_of_allowed_hosts.sql
index 3ca4f68b5e9..8ead4c5cfb1 100644
--- a/sql/2024/security/csp_number_of_allowed_hosts.sql
+++ b/sql/2024/security/csp_number_of_allowed_hosts.sql
@@ -1,6 +1,7 @@
 #standardSQL
 # Section: Attack Preventions - Preventing attacks using CSP
 # Question: CSP on home pages: number of unique headers, header length and number of allowed HTTP(S) hosts in all directives
+# Note: for CSP we checked whether the header value is NULL (empty?) (99.65% of CSP headers are not NULL on desktop), we did not do this for other headers?
 CREATE TEMP FUNCTION getNumUniqueHosts(str STRING) AS (
   (SELECT COUNT(DISTINCT x) FROM UNNEST(REGEXP_EXTRACT_ALL(str, r'(?i)(https*://[^\s;]+)[\s;]')) AS x)
 );
@@ -8,8 +9,8 @@ CREATE TEMP FUNCTION getNumUniqueHosts(str STRING) AS (
 SELECT
   client,
   percentile,
-  COUNT(0) AS total_requests,
-  COUNTIF(csp_header IS NOT NULL) AS total_csp_headers,
+  COUNT(0) AS total_csp_headers,
+  COUNTIF(csp_header IS NOT NULL) AS total_non_null_csp_headers,
   COUNTIF(csp_header IS NOT NULL) / COUNT(0) AS pct_csp_headers,
   COUNT(DISTINCT csp_header) AS num_unique_csp_headers,
   APPROX_QUANTILES(LENGTH(csp_header), 1000 IGNORE NULLS)[OFFSET(percentile * 10)] AS csp_header_length,
diff --git a/sql/2024/security/csp_script_source_list_keywords.sql b/sql/2024/security/csp_script_source_list_keywords.sql
index c1bf47b19ee..14eca43395c 100644
--- a/sql/2024/security/csp_script_source_list_keywords.sql
+++ b/sql/2024/security/csp_script_source_list_keywords.sql
@@ -3,7 +3,7 @@
 # Question: usage of default/script-src, and within the directive usage of strict-dynamic, nonce values, unsafe-inline and unsafe-eval
 SELECT
   client,
-  total_pages,
+  total_pages_with_csp,
   freq_csp,
   freq_default_script_src,
   SAFE_DIVIDE(freq_default_script_src, freq_csp) AS pct_default_script_src_over_csp,
@@ -22,7 +22,7 @@ SELECT
 FROM (
   SELECT
     client,
-    COUNT(0) AS total_pages,
+    COUNT(0) AS total_pages_with_csp,
     COUNTIF(csp_header IS NOT NULL) AS freq_csp,
     COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src')) AS freq_default_script_src,
     COUNTIF(REGEXP_CONTAINS(csp_header, '(?i)(default|script)-src[^;]+strict-dynamic')) AS freq_strict_dynamic,
diff --git a/sql/2024/security/iframe_attribute_popular_hosts.sql b/sql/2024/security/iframe_attribute_popular_hosts.sql
index 68d416bf98d..d2a64e39fa0 100644
--- a/sql/2024/security/iframe_attribute_popular_hosts.sql
+++ b/sql/2024/security/iframe_attribute_popular_hosts.sql
@@ -12,9 +12,9 @@ SELECT
   client,
   policy_type,
   hostname,
-  total_iframes,
+  total_iframes_with_allow_or_sandbox,
   COUNTIF(has_policy) AS freq,
-  COUNTIF(has_policy) / total_iframes AS pct
+  COUNTIF(has_policy) / total_iframes_with_allow_or_sandbox AS pct
 FROM (
   SELECT
     client,
@@ -37,7 +37,7 @@ FROM (
 JOIN (
   SELECT
     client,
-    SUM(ARRAY_LENGTH(JSON_EXTRACT_ARRAY(JSON_EXTRACT_SCALAR(payload, '$._security'), '$.iframe-allow-sandbox'))) AS total_iframes
+    SUM(ARRAY_LENGTH(JSON_EXTRACT_ARRAY(JSON_EXTRACT_SCALAR(payload, '$._security'), '$.iframe-allow-sandbox'))) AS total_iframes_with_allow_or_sandbox
   FROM
     `httparchive.all.pages`
   WHERE
@@ -49,7 +49,7 @@ USING
   (client)
 GROUP BY
   client,
-  total_iframes,
+  total_iframes_with_allow_or_sandbox,
   policy_type,
   hostname
 HAVING

From ea124f5c3b8a8795f32b0c6083201ef0a0debc02 Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:03:53 +0100
Subject: [PATCH 05/14] Note clarification

---
 sql/2024/security/coep_header_prevalence.sql | 2 +-
 sql/2024/security/coop_header_prevalence.sql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sql/2024/security/coep_header_prevalence.sql b/sql/2024/security/coep_header_prevalence.sql
index bf07e619a70..e3de007010b 100644
--- a/sql/2024/security/coep_header_prevalence.sql
+++ b/sql/2024/security/coep_header_prevalence.sql
@@ -1,7 +1,7 @@
 #standardSQL
 # Section: Attack Preventions - Preventing attacks using Cross-Origin policies
 # Question: Which are the most common COEP values?
-# Note: Considers headers of main document responses
+# Note: Considers headers of main document responses only
 SELECT
   client,
   coep_header,
diff --git a/sql/2024/security/coop_header_prevalence.sql b/sql/2024/security/coop_header_prevalence.sql
index 33f76fdd793..33bd048cded 100644
--- a/sql/2024/security/coop_header_prevalence.sql
+++ b/sql/2024/security/coop_header_prevalence.sql
@@ -1,7 +1,7 @@
 #standardSQL
 # Section: Attack Preventions - Preventing attacks using Cross-Origin policies
 # Question: Which are the most common COOP values?
-# Note: Considers headers of main document responses
+# Note: Considers headers of main document responses only
 SELECT
   client,
   coop_header,

From 164af5170954b8ee87080520d6f1dd571d95434b Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:04:14 +0100
Subject: [PATCH 06/14] Update contributor details

---
 src/config/contributors.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/config/contributors.json b/src/config/contributors.json
index f460ef9edaf..e0554e66e42 100644
--- a/src/config/contributors.json
+++ b/src/config/contributors.json
@@ -2071,6 +2071,7 @@
   "JannisBush": {
     "avatar_url": "33023300",
     "github": "JannisBush",
+    "linkedin": "jannis-rautenstrauch",
     "name": "Jannis Rautenstrauch",
     "teams": {
       "2024": [
@@ -2078,7 +2079,7 @@
       ]
     },
     "twitter": "jannis_r",
-    "website": "https://cispa.de/en/people/c01jara"
+    "website": "https://jannisbush.github.io/"
   },
   "jaredcwhite": {
     "avatar_url": "658496",

From 7953be559d347029c689a369cf12364f36d37fc6 Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:26:00 +0100
Subject: [PATCH 07/14] Add comments to 2022, 2021, 2020 queries

---
 sql/2020/security/iframe_attributes_usage.sql | 2 +-
 sql/2021/security/iframe_attributes_usage.sql | 2 +-
 sql/2022/security/iframe_attributes_usage.sql | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sql/2020/security/iframe_attributes_usage.sql b/sql/2020/security/iframe_attributes_usage.sql
index f90354e3b8f..9903e3be37e 100644
--- a/sql/2020/security/iframe_attributes_usage.sql
+++ b/sql/2020/security/iframe_attributes_usage.sql
@@ -2,7 +2,7 @@
 # usage of allow and sandbox attribute of iframe elements, per page and over all iframe elements
 SELECT
   client,
-  COUNT(0) AS total_iframes,
+  COUNT(0) AS total_iframes, # Note: These are not the total number of iframes but only the number of iframes with allow/sandbox + 1 for each website without such iframes
   COUNTIF(allow IS NOT NULL) AS freq_allow,
   COUNTIF(allow IS NOT NULL) / COUNT(0) AS pct_allow_frames,
   COUNTIF(sandbox IS NOT NULL) AS freq_sandbox,
diff --git a/sql/2021/security/iframe_attributes_usage.sql b/sql/2021/security/iframe_attributes_usage.sql
index 0e381cab432..eef600da564 100644
--- a/sql/2021/security/iframe_attributes_usage.sql
+++ b/sql/2021/security/iframe_attributes_usage.sql
@@ -2,7 +2,7 @@
 # usage of allow and sandbox attribute of iframe elements, per page and over all iframe elements
 SELECT
   client,
-  COUNT(0) AS total_iframes,
+  COUNT(0) AS total_iframes, # Note: These are not the total number of iframes but only the number of iframes with allow/sandbox + 1 for each website without such iframes
   COUNTIF(allow IS NOT NULL) AS freq_allow,
   COUNTIF(allow IS NOT NULL) / COUNT(0) AS pct_allow_frames,
   COUNTIF(sandbox IS NOT NULL) AS freq_sandbox,
diff --git a/sql/2022/security/iframe_attributes_usage.sql b/sql/2022/security/iframe_attributes_usage.sql
index 2ded2721810..d1ef27993f1 100644
--- a/sql/2022/security/iframe_attributes_usage.sql
+++ b/sql/2022/security/iframe_attributes_usage.sql
@@ -2,7 +2,7 @@
 # usage of allow and sandbox attribute of iframe elements, per page and over all iframe elements
 SELECT
   client,
-  COUNT(0) AS total_iframes,
+  COUNT(0) AS total_iframes,  # Note: These are not the total number of iframes but only the number of iframes with allow/sandbox + 1 for each website without such iframes
   COUNTIF(allow IS NOT NULL) AS freq_allow,
   COUNTIF(allow IS NOT NULL) / COUNT(0) AS pct_allow_frames,
   COUNTIF(sandbox IS NOT NULL) AS freq_sandbox,

From c0a707cb61e0347811d3ca9938ca76f30b8b7257 Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:29:06 +0100
Subject: [PATCH 08/14] Fix linting issues

---
 sql/2024/security/iframe_attributes_usage.sql        | 10 +++++-----
 sql/2024/security/meta_csp_disallowed_directives.sql |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/sql/2024/security/iframe_attributes_usage.sql b/sql/2024/security/iframe_attributes_usage.sql
index 7cd9d7bf54e..50161995500 100644
--- a/sql/2024/security/iframe_attributes_usage.sql
+++ b/sql/2024/security/iframe_attributes_usage.sql
@@ -2,16 +2,16 @@
 # Section: Content Inclusion - Iframe Sandbox/Permissions Policy
 # Question: How often are the allow and sandbox attributes used on iframes? Both per page (used in at least one iframe on a page) and over all iframe elements
 WITH total_iframe_count AS (
-SELECT
-  client,
-  date,
-  SUM(SAFE_CAST(JSON_EXTRACT(custom_metrics, '$.num_iframes') AS INT64)) AS total_iframes
+  SELECT
+    client,
+    date,
+    SUM(SAFE_CAST(JSON_EXTRACT(custom_metrics, '$.num_iframes') AS INT64)) AS total_iframes
   FROM
     `httparchive.all.pages`
   WHERE
     (date = '2022-06-01' OR date = '2023-06-01' OR date = '2023-12-01' OR date = '2024-03-01' OR date = '2024-04-01' OR date = '2024-05-01' OR date = '2024-06-01') AND
     is_root_page
-GROUP BY client, date
+  GROUP BY client, date
 )
 
 SELECT
diff --git a/sql/2024/security/meta_csp_disallowed_directives.sql b/sql/2024/security/meta_csp_disallowed_directives.sql
index 9aea88eeab9..aadf17c7f74 100644
--- a/sql/2024/security/meta_csp_disallowed_directives.sql
+++ b/sql/2024/security/meta_csp_disallowed_directives.sql
@@ -37,7 +37,7 @@ FROM (
 ),
 UNNEST(JSON_QUERY_ARRAY(metrics, '$.meta-nodes.nodes')) meta_node,
 UNNEST(['Content-Security-Policy']) AS policy
-JOIN totals using (client)
+JOIN totals USING (client)
 WHERE
   LOWER(JSON_VALUE(meta_node, '$.http-equiv')) = 'content-security-policy' OR LOWER(JSON_VALUE(meta_node, '$.name')) = 'content-security-policy'
 GROUP BY

From c9a2e7ce0bf3a900f1f5b14ef68c1a9006a284bc Mon Sep 17 00:00:00 2001
From: Gertjan Franken <gertjan.franken@kuleuven.be>
Date: Fri, 6 Dec 2024 12:54:55 +0100
Subject: [PATCH 09/14] Adapt text with updated query results

---
 src/content/en/2024/security.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/content/en/2024/security.md b/src/content/en/2024/security.md
index 7cc5a4f09a1..bb30f7d5bae 100644
--- a/src/content/en/2024/security.md
+++ b/src/content/en/2024/security.md
@@ -816,7 +816,7 @@ The Permissions Policy can also be defined individually for each embedded `<ifra
 <iframe src="https://example.com" allow="geolocation 'self'; camera *;"></iframe>
 ```
 
-Out of the 21.4 million `<iframe>` elements observed in the crawl, half included the `allow` attribute. This marks a significant increase compared to **even just the previous month**, when only 21% of `<iframe>` elements had the `allow` attribute - indicating that its usage has more than doubled in just one month. A plausible explanation for this rapid change is that one or several widely-used third-party services have propagated this update across their `<iframe>` elements. Given the ad-specific directives we now observe (displayed in the table below, row 1 and 3) - none of which were present in 2022 - it is likely that an ad service is responsible for this shift.
+Out of the 30.4 million `<iframe>` elements observed in the desktop crawl, 35.2% included the `allow` attribute. This marks a significant increase compared to **even just the previous month**, when only 14.4% of `<iframe>` elements had the `allow` attribute - indicating that its usage has more than doubled in just one month. A plausible explanation for this rapid change is that one or several widely-used third-party services have propagated this update across their `<iframe>` elements. Given the ad-specific directives we now observe (displayed in the table below, row 1 and 3) - none of which were present in 2022 - it is likely that an ad service is responsible for this shift.
 
 <figure>
   <table>
@@ -895,7 +895,7 @@ These risks can be curbed by employing the `sandbox` attribute on `<iframe>` ele
 <iframe src="https://example.com" sandbox="allow-scripts"></iframe>
 ```
 
-The `sandbox` attribute was observed in 28.4% and 27.5% of `<iframe>` elements for desktop and mobile respectively, a considerable drop from the 35.2% and 32% reported in 2022. Much like the sudden spike in `allow` attribute usage mentioned in the previous section, this decline could be attributed to a change in the modus operandi of an embedded service, where the `sandbox` attribute was omitted from the template `<iframe>`.
+The `sandbox` attribute was observed in 19.9% and 19.8% of `<iframe>` elements for desktop and mobile respectively, a slight drop from the 22.1% and 21.2% reported in 2022. Much like the sudden spike in `allow` attribute usage mentioned in the previous section, this decline could be attributed to a change in the modus operandi of an embedded service, where the `sandbox` attribute was omitted from the template `<iframe>`.
 
 {{ figure_markup(
   image="iframe-sandbox-directives.png",
@@ -1492,7 +1492,7 @@ While the presence of security policies suggests that website administrators are
 
 It's crucial for developers to understand where specific security policies should be defined. For instance, while a secure policy might be defined through a `<meta>` tag, it could be ignored by the browser if it's not supported there, potentially leaving the application vulnerable to attacks.
 
-Although the Content Security Policy can be defined using a `<meta>` tag, its `frame-ancestors` and `sandbox` directives are not supported in this context. Despite this, our observations show that 1.70% of pages on desktop and 1.26% on mobile incorrectly used the `frame-ancestors` directive in the `<meta>` tag. This is far lower for the disallowed `sandbox` directive, which was defined for less than 0.01%.
+Although the Content Security Policy can be defined using a `<meta>` tag, its `frame-ancestors` and `sandbox` directives are not supported in this context. Despite this, our observations show that 1.70% of pages that use CSP in a `<meta>` tag on desktop and 1.26% on mobile incorrectly used the `frame-ancestors` directive in the `<meta>` tag. This is far lower for the disallowed `sandbox` directive, which was defined for less than 0.01%.
 
 ### COEP, CORP and COOP confusion
 

From 7841c728e19dd933b193793c83d16ea33e99dd1b Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Fri, 6 Dec 2024 13:56:32 +0100
Subject: [PATCH 10/14] Query for 2020 and 2021 (using crawl.pages)

---
 .../security/iframe_attributes_usage_fix.sql  | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 sql/2024/security/iframe_attributes_usage_fix.sql

diff --git a/sql/2024/security/iframe_attributes_usage_fix.sql b/sql/2024/security/iframe_attributes_usage_fix.sql
new file mode 100644
index 00000000000..2d3fc8fb592
--- /dev/null
+++ b/sql/2024/security/iframe_attributes_usage_fix.sql
@@ -0,0 +1,58 @@
+#standardSQL
+# Section: Content Inclusion - Iframe Sandbox/Permissions Policy
+# Question: How often are the allow and sandbox attributes used on iframes? Both per page (used in at least one iframe on a page) and over all iframe elements
+WITH total_iframe_count AS (
+  SELECT
+    client,
+    date,
+    SUM(SAFE.INT64(custom_metrics.other.num_iframes)) AS total_iframes
+  FROM
+    `httparchive.crawl.pages`
+  WHERE
+    (date = '2020-08-01' OR date = '2021-07-01' or date = '2022-06-01') AND
+    is_root_page
+  GROUP BY client, date
+)
+
+SELECT
+  client,
+  date,
+  total_iframes,
+  COUNTIF(allow IS NOT NULL) AS freq_allow,
+  COUNTIF(allow IS NOT NULL) / total_iframes AS pct_allow_frames,
+  COUNTIF(sandbox IS NOT NULL) AS freq_sandbox,
+  COUNTIF(sandbox IS NOT NULL) / total_iframes AS pct_sandbox_frames,
+  COUNTIF(allow IS NOT NULL AND sandbox IS NOT NULL) AS freq_both_frames,
+  COUNTIF(allow IS NOT NULL AND sandbox IS NOT NULL) / total_iframes AS pct_both_frames,
+  COUNT(DISTINCT url) AS total_urls,
+  COUNT(DISTINCT IF(allow IS NOT NULL, url, NULL)) AS allow_freq_urls,
+  COUNT(DISTINCT IF(allow IS NOT NULL, url, NULL)) / COUNT(DISTINCT url) AS allow_pct_urls,
+  COUNT(DISTINCT IF(sandbox IS NOT NULL, url, NULL)) AS sandbox_freq_urls,
+  COUNT(DISTINCT IF(sandbox IS NOT NULL, url, NULL)) / COUNT(DISTINCT url) AS sandbox_pct_urls
+FROM (
+  SELECT
+    client,
+    date,
+    url,
+    SAFE.STRING(iframeAttr.allow) AS allow,
+    SAFE.STRING(iframeAttr.sandbox) AS sandbox
+  FROM (
+    SELECT
+      client,
+      date,
+      page AS url,
+      JSON_EXTRACT_ARRAY(custom_metrics.security.`iframe-allow-sandbox`) as iframeAttrs
+    FROM
+      `httparchive.crawl.pages`
+    WHERE
+      (date = '2020-08-01' OR date = '2021-07-01' or date = '2022-06-01') AND
+      is_root_page
+  ) LEFT JOIN UNNEST(iframeAttrs) AS iframeAttr
+  ) JOIN total_iframe_count USING (client, date)
+GROUP BY
+  total_iframes,
+  client,
+  date
+ORDER BY
+  date,
+  client

From 62e96c978d480a27d9c586c33325da9ecd55a90c Mon Sep 17 00:00:00 2001
From: JannisBush <33023300+JannisBush@users.noreply.github.com>
Date: Fri, 6 Dec 2024 14:01:29 +0100
Subject: [PATCH 11/14] Fix linting

---
 sql/2024/security/iframe_attributes_usage_fix.sql | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sql/2024/security/iframe_attributes_usage_fix.sql b/sql/2024/security/iframe_attributes_usage_fix.sql
index 2d3fc8fb592..16f52a47657 100644
--- a/sql/2024/security/iframe_attributes_usage_fix.sql
+++ b/sql/2024/security/iframe_attributes_usage_fix.sql
@@ -9,7 +9,7 @@ WITH total_iframe_count AS (
   FROM
     `httparchive.crawl.pages`
   WHERE
-    (date = '2020-08-01' OR date = '2021-07-01' or date = '2022-06-01') AND
+    (date = '2020-08-01' OR date = '2021-07-01' OR date = '2022-06-01') AND
     is_root_page
   GROUP BY client, date
 )
@@ -41,11 +41,11 @@ FROM (
       client,
       date,
       page AS url,
-      JSON_EXTRACT_ARRAY(custom_metrics.security.`iframe-allow-sandbox`) as iframeAttrs
+      JSON_EXTRACT_ARRAY(custom_metrics.security.`iframe-allow-sandbox`) AS iframeAttrs
     FROM
       `httparchive.crawl.pages`
     WHERE
-      (date = '2020-08-01' OR date = '2021-07-01' or date = '2022-06-01') AND
+      (date = '2020-08-01' OR date = '2021-07-01' OR date = '2022-06-01') AND
       is_root_page
   ) LEFT JOIN UNNEST(iframeAttrs) AS iframeAttr
   ) JOIN total_iframe_count USING (client, date)

From dfa4edf4e1711816bc66effacacc1065de12a06a Mon Sep 17 00:00:00 2001
From: Gertjan Franken <gertjan.franken@kuleuven.be>
Date: Fri, 6 Dec 2024 18:31:25 +0100
Subject: [PATCH 12/14] Adapt articles of 2022, 2021 and 2020

---
 src/content/en/2020/security.md | 8 ++++++--
 src/content/en/2021/security.md | 8 ++++++--
 src/content/en/2022/security.md | 8 ++++++--
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/content/en/2020/security.md b/src/content/en/2020/security.md
index 215450e43b3..82ff7eea92d 100644
--- a/src/content/en/2020/security.md
+++ b/src/content/en/2020/security.md
@@ -621,7 +621,9 @@ In a similar fashion, by defining the `allow` attribute on `<iframe>` elements,
 <figcaption>{{ figure_link(caption="Prevalence of Feature Policy directives on frames.", sheets_gid="547110187", sql_file="iframe_allow_directives.sql") }}</figcaption>
 </figure>
 
-The `Feature-Policy` response header has a fairly low adoption rate, at 0.60% of the desktop pages and 0.51% of mobile pages. On the other hand, Feature Policy was enabled on 19.5% of the 8 million frames that were found on the desktop pages. On mobile pages, 16.4% of the 9.2 million frames contained the `allow` attribute.
+The `Feature-Policy` response header has a fairly low adoption rate, at 0.60% of the desktop pages and 0.51% of mobile pages. On the other hand, Feature Policy was enabled on 11.8% of the 13.2 million frames that were found on the desktop pages. On mobile pages, 10.8% of the 13.8 million frames contained the `allow` attribute.
+
+<p class="note">An earlier version of this chapter reported incorrect values for the total number of frames and the percentage of frames with the `allow` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 Based on the most commonly used directives in the Feature Policy on iframes, we can see that these are mainly used to control how the frames play videos. For instance the most prevalent directive, `encrypted-media`, is used to control access to the Encrypted Media Extensions API, which is required to play DRM-protected videos. The most common iframe origins with a Feature Policy were `https://www.facebook.com` and `https://www.youtube.com` (49.87% and 26.18% of the frames with a Feature Policy on desktop pages respectively).
 
@@ -629,7 +631,9 @@ Based on the most commonly used directives in the Feature Policy on iframes, we
 
 By including an untrusted third-party in an iframe, that third-party can try to launch a number of attacks on the page. For instance, it could navigate the top page to a phishing page, launch pop-ups with fake anti-virus advertisements, etc.
 
-The `sandbox` attribute on iframes can be used to restrict the capabilities, and therefore also the opportunities for launching attacks, of the embedded web page. As embedding third-party content such as advertisements or videos is common practice on the web, it is not surprising that many of these are restricted via the `sandbox` attribute: 30.29% of the iframes on desktop pages have a `sandbox` attribute while on mobile pages this is 33.16%.
+The `sandbox` attribute on iframes can be used to restrict the capabilities, and therefore also the opportunities for launching attacks, of the embedded web page. As embedding third-party content such as advertisements or videos is common practice on the web, it is not surprising that many of these are restricted via the `sandbox` attribute: 18.3% of the iframes on desktop pages have a `sandbox` attribute while on mobile pages this is 21.9%.
+
+<p class="note">An earlier version of this chapter reported incorrect values for the percentage of frames with the `sandbox` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 <figure>
   <table>
diff --git a/src/content/en/2021/security.md b/src/content/en/2021/security.md
index 7c20d788af9..9e12928dd50 100644
--- a/src/content/en/2021/security.md
+++ b/src/content/en/2021/security.md
@@ -641,7 +641,9 @@ We see 1.3% of websites on the mobile using the `Permissions-Policy` already. A
   <figcaption>{{ figure_link(caption="Prevalence of `allow` directives on frames.", sheets_gid="623004240", sql_file="iframe_allow_directives.sql") }}</figcaption>
 </figure>
 
-One can also use the `allow` attribute in `<iframe>` elements to enable or disable features allowed to be used in the embedded frame. 28.4% of 10.8 million frames in mobile contained the `allow` attribute to enable permission or feature policies.
+One can also use the `allow` attribute in `<iframe>` elements to enable or disable features allowed to be used in the embedded frame. 18.3% of 16.8 million frames in mobile contained the `allow` attribute to enable permission or feature policies.
+
+<p class="note">An earlier version of this chapter reported incorrect values for the total number of frames and the percentage of frames with the `allow` attribute. These errors have now been corrected. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 As in previous years, the most used directives in `allow` attributes on iframes are still related to controls for embedded videos and media. The most used directive continues to be `encrypted-media` which is used to control access to the Encrypted Media Extensions API.
 
@@ -649,7 +651,9 @@ As in previous years, the most used directives in `allow` attributes on iframes
 
 An untrusted third-party in an iframe could launch a number of attacks on the page. For instance, it could navigate the top page to a phishing page, launch popups with fake anti-virus advertisements and other cross-frame scripting attacks.
 
-The `sandbox` attribute on iframes applies restrictions to the content, and therefore reduces the opportunities for launching attacks from the embedded web page. The value of the attribute can either be empty to apply all restrictions (the embedded page cannot execute any JavaScript code, no forms can be submitted, and no popups can be created, to name a few restrictions), or space-separated tokens to lift particular restrictions. As embedding third-party content such as advertisements or videos via iframes is common practice on the web, it is not surprising that many of these are restricted via the `sandbox` attribute: 32.6% of the iframes on desktop pages have a `sandbox` attribute while on mobile pages this is 32.6%.
+The `sandbox` attribute on iframes applies restrictions to the content, and therefore reduces the opportunities for launching attacks from the embedded web page. The value of the attribute can either be empty to apply all restrictions (the embedded page cannot execute any JavaScript code, no forms can be submitted, and no popups can be created, to name a few restrictions), or space-separated tokens to lift particular restrictions. As embedding third-party content such as advertisements or videos via iframes is common practice on the web, it is not surprising that many of these are restricted via the `sandbox` attribute: 20.9% of the iframes on desktop pages have a `sandbox` attribute while on mobile pages this is 19.7%.
+
+<p class="note">An earlier version of this chapter reported incorrect values for the percentage of frames with the `sandbox` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 {{ figure_markup(
   image="security-prevalence-of-sandbox-directives-on-frames.png",
diff --git a/src/content/en/2022/security.md b/src/content/en/2022/security.md
index dc2d3275e2a..901c47f3395 100644
--- a/src/content/en/2022/security.md
+++ b/src/content/en/2022/security.md
@@ -632,7 +632,9 @@ Besides being used as an HTTP header, this feature can be used within `<iframe>`
   <iframe src="https://example.com" allow="geolocation 'src' https://example.com'; camera *"></iframe>
 ```
 
-18.9% of 11.5 million frames in mobile contained the `allow` attribute to enable permission or feature policies.
+12.6% of 17.4 million frames in mobile contained the `allow` attribute to enable permission or feature policies.
+
+<p class="note">An earlier version of this chapter reported incorrect values for the total number of frames and the percentage of frames with the `allow` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 The following is a list of the top 10 `allow` directives that were detected in frames:
 
@@ -737,7 +739,9 @@ To mitigate these concerns the HTML specification (version 5) introduced the `sa
 
 The above chart of the 2022 data shows that more than 99% of websites with a `sandbox` attribute enable the `allow-scripts` and `allow-same-origin` permissions.
 
-Of desktop websites that embed an iframe, 35.2% also include the `sandbox` attribute.
+Of desktop websites that embed an iframe, 21.2% also include the `sandbox` attribute.
+
+<p class="note">An earlier version of this chapter reported the incorrect percentage of frames with the `sandbox` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 We find that `Content-Security-Policy` headers which include a `sandbox` directive are at a mere 0.3% usage for mobile (desktop is similar at 0.4%) which may speak to the fact that this attribute is only applied on a per-case basis for the practice of embedding iframe content within pages, rather than ahead-of-time planning through a content security policy definition.
 

From a04db1d4473f24730f00ae0df4385c0b17ff0ad5 Mon Sep 17 00:00:00 2001
From: Gertjan Franken <gertjan.franken@kuleuven.be>
Date: Mon, 16 Dec 2024 15:47:39 +0100
Subject: [PATCH 13/14] Apply number fixes

---
 src/content/en/2020/security.md | 2 +-
 src/content/en/2021/security.md | 2 +-
 src/content/en/2022/security.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/content/en/2020/security.md b/src/content/en/2020/security.md
index 82ff7eea92d..fdbd8669b7a 100644
--- a/src/content/en/2020/security.md
+++ b/src/content/en/2020/security.md
@@ -621,7 +621,7 @@ In a similar fashion, by defining the `allow` attribute on `<iframe>` elements,
 <figcaption>{{ figure_link(caption="Prevalence of Feature Policy directives on frames.", sheets_gid="547110187", sql_file="iframe_allow_directives.sql") }}</figcaption>
 </figure>
 
-The `Feature-Policy` response header has a fairly low adoption rate, at 0.60% of the desktop pages and 0.51% of mobile pages. On the other hand, Feature Policy was enabled on 11.8% of the 13.2 million frames that were found on the desktop pages. On mobile pages, 10.8% of the 13.8 million frames contained the `allow` attribute.
+The `Feature-Policy` response header has a fairly low adoption rate, at 0.60% of the desktop pages and 0.51% of mobile pages. On the other hand, Feature Policy was enabled on 11.8% of the 13.2 million frames that were found on the desktop pages. On mobile pages, 10.8% of the 13.9 million frames contained the `allow` attribute.
 
 <p class="note">An earlier version of this chapter reported incorrect values for the total number of frames and the percentage of frames with the `allow` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
diff --git a/src/content/en/2021/security.md b/src/content/en/2021/security.md
index 9e12928dd50..7878ac9cbc3 100644
--- a/src/content/en/2021/security.md
+++ b/src/content/en/2021/security.md
@@ -651,7 +651,7 @@ As in previous years, the most used directives in `allow` attributes on iframes
 
 An untrusted third-party in an iframe could launch a number of attacks on the page. For instance, it could navigate the top page to a phishing page, launch popups with fake anti-virus advertisements and other cross-frame scripting attacks.
 
-The `sandbox` attribute on iframes applies restrictions to the content, and therefore reduces the opportunities for launching attacks from the embedded web page. The value of the attribute can either be empty to apply all restrictions (the embedded page cannot execute any JavaScript code, no forms can be submitted, and no popups can be created, to name a few restrictions), or space-separated tokens to lift particular restrictions. As embedding third-party content such as advertisements or videos via iframes is common practice on the web, it is not surprising that many of these are restricted via the `sandbox` attribute: 20.9% of the iframes on desktop pages have a `sandbox` attribute while on mobile pages this is 19.7%.
+The `sandbox` attribute on iframes applies restrictions to the content, and therefore reduces the opportunities for launching attacks from the embedded web page. The value of the attribute can either be empty to apply all restrictions (the embedded page cannot execute any JavaScript code, no forms can be submitted, and no popups can be created, to name a few restrictions), or space-separated tokens to lift particular restrictions. As embedding third-party content such as advertisements or videos via iframes is common practice on the web, it is not surprising that many of these are restricted via the `sandbox` attribute: 19.7% of the iframes on desktop pages have a `sandbox` attribute while on mobile pages this is 21.0%.
 
 <p class="note">An earlier version of this chapter reported incorrect values for the percentage of frames with the `sandbox` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
diff --git a/src/content/en/2022/security.md b/src/content/en/2022/security.md
index 901c47f3395..54a8d27c8bc 100644
--- a/src/content/en/2022/security.md
+++ b/src/content/en/2022/security.md
@@ -739,7 +739,7 @@ To mitigate these concerns the HTML specification (version 5) introduced the `sa
 
 The above chart of the 2022 data shows that more than 99% of websites with a `sandbox` attribute enable the `allow-scripts` and `allow-same-origin` permissions.
 
-Of desktop websites that embed an iframe, 21.2% also include the `sandbox` attribute.
+For all iframes found on desktop websites, 21.08% include the `sandbox` attribute.
 
 <p class="note">An earlier version of this chapter reported the incorrect percentage of frames with the `sandbox` attribute. More information can be found in this <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 

From 9ffe1dffffc23b0edc0094e6d167ac8baffee2f9 Mon Sep 17 00:00:00 2001
From: Gertjan Franken <gertjan.franken@kuleuven.be>
Date: Mon, 16 Dec 2024 16:35:28 +0100
Subject: [PATCH 14/14] Apply fixes to translated chapters

---
 src/content/ja/2020/security.md    | 8 ++++++--
 src/content/ja/2021/security.md    | 8 ++++++--
 src/content/ja/2022/security.md    | 8 ++++++--
 src/content/nl/2020/security.md    | 8 ++++++--
 src/content/zh-CN/2022/security.md | 8 ++++++--
 5 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/src/content/ja/2020/security.md b/src/content/ja/2020/security.md
index 65225d81ee0..2f2358659a0 100644
--- a/src/content/ja/2020/security.md
+++ b/src/content/ja/2020/security.md
@@ -621,7 +621,9 @@ SRIで保護されたスクリプトが含まれている上位5ホストの残
 <figcaption>{{ figure_link(caption="フレーム上のフィーチャーポリシーディレクティブの普及率。", sheets_gid="547110187", sql_file="iframe_allow_directives.sql") }}</figcaption>
 </figure>
 
-レスポンスヘッダー`Feature-Policy`の採用率は、デスクトップページでは0.60%、モバイルページでは0.51%とかなり低い。一方、デスクトップページでは、800万フレームのうち19.5%でFeature Policyが有効になっていました。モバイルページでは、920万フレームのうち16.4%が`allow`属性を含んでいました。
+レスポンスヘッダー`Feature-Policy`の採用率は、デスクトップページでは0.60%、モバイルページでは0.51%とかなり低い。一方、デスクトップページでは、1320万フレームのうち11.8%でFeature Policyが有効になっていました。モバイルページでは、1390万フレームのうち10.8%が`allow`属性を含んでいました。
+
+<p class="note">この章の以前のバージョンでは、フレームの合計数と `allow` 属性を持つフレームの割合の値が間違っていました。詳細については、この <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> を参照してください。</p>
 
 iframeの機能ポリシーで最もよく使われているディレクティブを見ると、これらは主にフレームが動画を再生する方法を制御するために使われていることがわかります。例えば、最も一般的なディレクティブである`encrypted-media`は、DRMで保護された動画を再生するために必要なEncrypted Media Extensions APIへのアクセスを制御するために使用されます。フィーチャーポリシーを持つフレームの起源として最も多いのは `https://www.facebook.com`と`https://www.youtube.com`でした (デスクトップページのフィーチャーポリシーを持つフレームの49.87%と26.18%でした)。
 
@@ -629,7 +631,9 @@ iframeの機能ポリシーで最もよく使われているディレクティ
 
 信頼できないサードパーティをiframeに含めることで、そのサードパーティはページ上で様々な攻撃を試みることができます。例えば、トップページをフィッシングページに誘導したり、偽のアンチウイルス広告を表示したポップアップを起動したりできます。
 
-iframeの`sandbox`属性は、埋め込まれたウェブページの機能を制限し、その結果、攻撃を開始する機会を制限するために使用することができます。広告や動画などのサードパーティコンテンツを埋め込むことはウェブ上では一般的なことなので、これらの多くが`sandbox`属性によって制限されていることは驚くべきことではありません。デスクトップページのiframeの30.29%が`sandbox`属性を持っているのに対し、モバイルページでは33.16%となっています。
+iframeの`sandbox`属性は、埋め込まれたウェブページの機能を制限し、その結果、攻撃を開始する機会を制限するために使用することができます。広告や動画などのサードパーティコンテンツを埋め込むことはウェブ上では一般的なことなので、これらの多くが`sandbox`属性によって制限されていることは驚くべきことではありません。デスクトップページのiframeの18.3%が`sandbox`属性を持っているのに対し、モバイルページでは21.9%となっています。
+
+<p class="note">この章の以前のバージョンでは、`sandbox` 属性を持つフレームの割合の値が間違っていました。詳細については、この <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> を参照してください。</p>
 
 <figure>
   <table>
diff --git a/src/content/ja/2021/security.md b/src/content/ja/2021/security.md
index e7861fa9776..2b172226e17 100644
--- a/src/content/ja/2021/security.md
+++ b/src/content/ja/2021/security.md
@@ -641,7 +641,9 @@ SRIで保護されたスクリプトが含まれる一般的なホストのう
   <figcaption>{{ figure_link(caption="フレームにおける `allow` 指令の普及率。", sheets_gid="623004240", sql_file="iframe_allow_directives.sql") }}</figcaption>
 </figure>
 
-また、`<iframe>` 要素の `allow` 属性を使用すると、埋め込みフレームで使用することを許可されている機能を有効または無効にできます。モバイルの1080万フレームの28.4%が、許可や機能のポリシーを有効にするため`allow`属性を含んでいます。
+また、`<iframe>` 要素の `allow` 属性を使用すると、埋め込みフレームで使用することを許可されている機能を有効または無効にできます。モバイルの1680万フレームの18.3%が、許可や機能のポリシーを有効にするため`allow`属性を含んでいます。
+
+<p class="note">この章の以前のバージョンでは、フレームの合計数と `allow` 属性を持つフレームの割合の値が間違っていました。これらのエラーは修正されました。詳細については、この <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> を参照してください。</p>
 
 例年通り、iframeの`allow` 属性でもっとも使用されているディレクティブは、埋め込みビデオやメディアのコントロールに関連するものです。もっともよく使われるディレクティブは、引き続き `encrypted-media` で、これは暗号化メディア拡張APIへのアクセスを制御するために使用されます。
 
@@ -649,7 +651,9 @@ SRIで保護されたスクリプトが含まれる一般的なホストのう
 
 iframe内に信頼できない第三者が存在すると、そのページに対してさまざまな攻撃を仕掛けることができます。たとえば、トップページをフィッシングページに誘導したり、偽のアンチウイルス広告を表示するポップアップを起動したり、その他のクロスフレームスクリプティング攻撃を行うことができます。
 
-iframeの`sandbox`属性は、コンテンツに制限をかけるため、埋め込まれたWebページから攻撃を仕掛ける機会を減らすことができます。属性の値は、すべての制限を適用する場合は空、特定の制限を解除する場合はスペースで区切られたトークンのいずれかになります（いくつかの制限を挙げると埋め込みページはJavaScriptコードを実行できず、フォームは送信できず、ポップアップを作成できません）。広告やビデオなどのサードパーティーコンテンツをiframeで埋め込むことは、ウェブ上では一般的な行為であり、その多くが`sandbox`属性によって制限されていることは驚くことでありません。デスクトップ用ページのiframeの32.6%が `sandbox` 属性を持っており、モバイル用ページでは32.6%となっています。
+iframeの`sandbox`属性は、コンテンツに制限をかけるため、埋め込まれたWebページから攻撃を仕掛ける機会を減らすことができます。属性の値は、すべての制限を適用する場合は空、特定の制限を解除する場合はスペースで区切られたトークンのいずれかになります（いくつかの制限を挙げると埋め込みページはJavaScriptコードを実行できず、フォームは送信できず、ポップアップを作成できません）。広告やビデオなどのサードパーティーコンテンツをiframeで埋め込むことは、ウェブ上では一般的な行為であり、その多くが`sandbox`属性によって制限されていることは驚くことでありません。デスクトップ用ページのiframeの19.7%が `sandbox` 属性を持っており、モバイル用ページでは21.0%となっています。
+
+<p class="note">この章の以前のバージョンでは、`sandbox` 属性を持つフレームの割合の値が間違っていました。詳細については、この <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> を参照してください。</p>
 
 {{ figure_markup(
   image="security-prevalence-of-sandbox-directives-on-frames.png",
diff --git a/src/content/ja/2022/security.md b/src/content/ja/2022/security.md
index d41347d5056..bd42882bdb3 100644
--- a/src/content/ja/2022/security.md
+++ b/src/content/ja/2022/security.md
@@ -632,7 +632,9 @@ HTTPヘッダーとして使用されるだけでなく、この機能は以下
   <iframe src="https://example.com" allow="geolocation 'src' https://example.com'; camera *"></iframe>
 ```
 
-モバイルの1,150万フレームのうち18.9%に`allow`属性が含まれており、許可または機能ポリシーを有効にしています。
+モバイルの1,740万フレームのうち12.6%に`allow`属性が含まれており、許可または機能ポリシーを有効にしています。
+
+<p class="note">この章の以前のバージョンでは、フレームの合計数と `allow` 属性を持つフレームの割合の値が間違っていました。詳細については、この <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> を参照してください。</p>
 
 以下は、フレームで検出されたトップ10の`allow`ディレクティブのリストです：
 
@@ -737,7 +739,9 @@ function clickToGo() {
 
 2022年の上記のグラフは、`sandbox`属性を持つウェブサイトの99%以上が`allow-scripts`と`allow-same-origin`の権限を有効にしていることを示しています。
 
-iframeを埋め込むデスクトップウェブサイトの35.2%が`sandbox`属性も含んでいます。
+デスクトップ ウェブサイトにあるすべての iframe のうち、21.08% に `sandbox` 属性が含まれています。
+
+<p class="note">この章の以前のバージョンでは、`sandbox` 属性を持つフレームの割合が誤って報告されていました。詳細については、この <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> を参照してください。</p>
 
 モバイルの`Content-Security-Policy`ヘッダーに`sandbox`指令を含むものはわずか0.3%（デスクトップも同様に0.4%）であり、この属性がページ内でiframeコンテンツを埋め込む際にケースバイケースで適用されることが多く、事前のコンテンツセキュリティポリシー定義を通じて計画することは少ないことを示しています。
 
diff --git a/src/content/nl/2020/security.md b/src/content/nl/2020/security.md
index caec7063ef2..44222e3a022 100644
--- a/src/content/nl/2020/security.md
+++ b/src/content/nl/2020/security.md
@@ -621,7 +621,9 @@ Op een vergelijkbare manier, door het `allow`-attribuut op `<iframe>`-elementen
 <figcaption>{{ figure_link(caption="Prevalentie van functiebeleid-richtlijnen op frames.", sheets_gid="547110187", sql_file="iframe_allow_directives.sql") }}</figcaption>
 </figure>
 
-De antwoordkop van `Feature-Policy` heeft een vrij lage acceptatiegraad, met 0,60% van de desktoppagina's en 0,51% van de mobiele pagina's. Aan de andere kant was functiebeleid ingeschakeld voor 19,5% van de 8 miljoen frames die op de desktoppagina's werden gevonden. Op mobiele pagina's bevatte 16,4% van de 9,2 miljoen frames het attribuut `toestaan`.
+De antwoordkop van `Feature-Policy` heeft een vrij lage acceptatiegraad, met 0,60% van de desktoppagina's en 0,51% van de mobiele pagina's. Aan de andere kant was functiebeleid ingeschakeld voor 11,8% van de 13,2 miljoen frames die op de desktoppagina's werden gevonden. Op mobiele pagina's bevatte 10,8% van de 13,9 miljoen frames het attribuut `allow`.
+
+<p class="note">Een eerdere versie van dit hoofdstuk vermeldde onjuiste waarden voor het totale aantal frames en het percentage frames met het kenmerk `allow`. Meer informatie is te vinden in deze <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 Op basis van de meest gebruikte richtlijnen in het functiebeleid voor iframes, kunnen we zien dat deze voornamelijk worden gebruikt om te bepalen hoe de frames video's afspelen. De meest voorkomende richtlijn, `encrypted-media`, wordt bijvoorbeeld gebruikt om de toegang tot de Encrypted Media Extensions API te controleren, die nodig is om DRM-beveiligde video's af te spelen. De meest voorkomende iframe-herkomsten met een functiebeleid waren `https://www.facebook.com` en `https://www.youtube.com` (respectievelijk 49,87% en 26,18% van de frames met een functiebeleid op desktoppagina's ).
 
@@ -629,7 +631,9 @@ Op basis van de meest gebruikte richtlijnen in het functiebeleid voor iframes, k
 
 Door een niet-vertrouwde derde partij op te nemen in een iframe, kan die derde partij proberen een aantal aanvallen op de pagina uit te voeren. Het kan bijvoorbeeld de hoofdpagina naar een phishing-pagina navigeren, pop-ups met valse antivirusadvertenties openen, enz.
 
-Het `sandbox`-attribuut op iframes kan worden gebruikt om de mogelijkheden, en dus ook de mogelijkheden om aanvallen uit te voeren, van de embedded webpagina te beperken. Aangezien het insluiten van inhoud van derden, zoals advertenties of video's, gebruikelijk is op internet, is het niet verrassend dat veel hiervan worden beperkt via het `sandbox`-attribuut: 30,29% van de iframes op desktoppagina's heeft een `sandbox`-attribuut terwijl op mobiele pagina's is dit 33,16%.
+Het `sandbox`-attribuut op iframes kan worden gebruikt om de mogelijkheden, en dus ook de mogelijkheden om aanvallen uit te voeren, van de embedded webpagina te beperken. Aangezien het insluiten van inhoud van derden, zoals advertenties of video's, gebruikelijk is op internet, is het niet verrassend dat veel hiervan worden beperkt via het `sandbox`-attribuut: 18,3% van de iframes op desktoppagina's heeft een `sandbox`-attribuut terwijl op mobiele pagina's is dit 21,9%.
+
+<p class="note">Een eerdere versie van dit hoofdstuk vermeldde onjuiste waarden voor het percentage frames met het kenmerk `sandbox`. Meer informatie is te vinden in deze <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a>.</p>
 
 <figure>
   <table>
diff --git a/src/content/zh-CN/2022/security.md b/src/content/zh-CN/2022/security.md
index 704313c5a63..99b8f400859 100644
--- a/src/content/zh-CN/2022/security.md
+++ b/src/content/zh-CN/2022/security.md
@@ -632,7 +632,9 @@ CDNs 对子资源完整性并不陌生，通过在页面内容的 URL 引用中
   <iframe src="https://example.com" allow="geolocation 'src' https://example.com'; camera *"></iframe>
 ```
 
-在移动端的 1150 万个框架中，有 18.9% 包含 `allow` 属性，以启用权限或特性策略。
+在移动端的 1740 万个框架中，有 12.6% 包含 `allow` 属性，以启用权限或特性策略。
+
+<p class="note">本章的早期版本报告了总帧数和具有 `allow` 属性的帧百分比的错误值。更多信息可在此 <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> 中找到。</p>
 
 以下是在框架中检测到的前 10 条 `allow` 指令列表：
 
@@ -737,7 +739,9 @@ function clickToGo() {
 
 上述 2022 年的数据图表显示，超过 99% 的具有 `sandbox` 属性的网站都启用了 `allow-scripts` 和 `allow-same-origin` 权限。
 
-在嵌入 iframe 的桌面端网站中，35.2% 的网站还包括 `sandbox` 属性。
+对于桌面网站上的所有 iframe，21.08％ 具有 `sandbox` 属性。
+
+<p class="note">本章的早期版本报告了具有 `sandbox` 属性的帧百分比不正确。更多信息可在此 <a hreflang="en" href="https://github.com/HTTPArchive/almanac.httparchive.org/pull/3912">GitHub PR</a> 中找到。</p>
 
 我们发现包含 `sandbox` 指令的 `Content-Security-Policy` 标头在移动端仅占 0.3% 的使用率（桌面端为 0.4%），这可能说明了这样一个事实，即该属性仅适用于在页面中嵌入 iframe 内容的实践，而不是通过内容安全策略定义进行预先规划。