What is the current state of play with this? I thought *92.0.4515.157* was the most recent version of Chrome where the issue was reverted. I downloaded *92.0.4515.107* with it looking like it was the most recent version to still have the blocker in place. I also have 91.0.4472.144 on another machine.
I tested no attribute, "sandbox", "sandbox='allow-scripts'" and "sandbox='allow-scripts allow-modals'". I tested against running a script, alert, confirm, print and prompt. All versions gave the same results.

On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell wrote:

> Technically those are two different domains, even though they are likely
> controlled by the same party. There are ways to "join" different domains
> (like setting the document.domain
> <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain>
> property), or identify which second level domains have only one controller
> <https://wiki.mozilla.org/Public_Suffix_List> and which have more, but
> they are unreliable and are being phased out
> <https://github.com/mikewest/deprecating-document-domain/>.
>
> You are right that this is a common setup in enterprises and that has to
> be considered when discussing how possibly malicious cross-origin alerts
> and prompts can be prevented.
>
> /Daniel
> On 2021-08-04 15:38, Hugo Leitao wrote:
>
> Why do you block for the same domain? Sample: https://123.mydomain.com
> and subframe https://abc.mydomain.com
> Too many corporate applications will be affected. Regards
> On Friday, July 30, 2021 at 21:06:14 UTC-3,
> carl...@chromium.org wrote:
>
>> We decided to disable this deprecation temporarily (for 2 weeks, until
>> August 15, 2021) to provide more time for websites to address the issues
>> caused by this change, or enroll affected origins in the origin trial.
>> If neither the origin trial nor the enterprise policy address your
>> concerns, please comment in the implementation bug at crbug.com/1065085.
>>
>> The configuration to disable the deprecation should reach most Chrome
>> instances in a few hours, but in some cases might take longer. Chrome needs
>> to be restarted for the change to take effect.
>>
>> Thanks,
>> -Carlos
>>
>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh
>> <psi...@watermarkinsights.com> wrote:
>>
>>> If we use the document.domain='example.com' on the pages of our site
>>> under same domain, will the opening in iframe be excluded from this
>>> impact?
>>>
>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres wrote:
>>>
>>>> Thanks for the suggestion but it’s not the output that worries me but
>>>> the input instead. When teaching JavaScript to a 10 year old using prompts
>>>> was key for many exercises. At least there should be a setting to
>>>> momentarily disable this behavior.
>>>>
>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez
>>>> <carl...@google.com> wrote:
>>>>
>>>> For simple output when teaching, I'd recommend switching to
>>>> console.log, which would work in this case, and is more well suited for
>>>> that use case.
>>>>
>>>> Temporarily, sites such as codepen can enroll in the trial to
>>>> maintain this functionality.
>>>>
>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres <torres...@gmail.com>
>>>> wrote:
>>>>
>>>>> We use sites such as codepen.io to deliver JavaScript training to
>>>>> many kids, since this update we can't do simple JavaScript prompts and
>>>>> alerts from codepen.io and many of our training material is now
>>>>> useless.
>>>>>
>>>>> Manuel Torres
>>>>>
>>>>> On Wednesday, July 28, 2021 at 15:44:38 UTC-5,
>>>>> carl...@google.com wrote:
>>>>>
>>>>>> Affected sites can use the origin trial to temporarily opt-out of
>>>>>> this change (additionally, in enterprise settings, an enterprise
>>>>>> policy
>>>>>> <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs>
>>>>>> can be used to opt-out). As a permanent solution though, sites will need
>>>>>> to stop relying on alert, confirm, and prompt, and will instead need to
>>>>>> implement similar functionality directly in the site.
>>>>>>
>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev <lyam...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> This is very bad news for me. My corporative soft modules deployed
>>>>>>> on many ports and integrates with iframes...
>>>>>>> On Tuesday, July 27, 2021 at 19:00:03 UTC+3, wong spark wrote:
>>>>>>>
>>>>>>>> Could you cancel the cross sub-domain block?
>>>>>>>> On Tuesday, July 13, 2021 at 1:06:21 AM UTC+8, <carl...@google.com> wrote:
>>>>>>>>
>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on
>>>>>>>>> different origin subframes by default on Stable. You can use the
>>>>>>>>> deprecation trial to temporarily bypass the block.
>>>>>>>>>
>>>>>>>>> -Carlos
>>>>>>>>>
>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley <kaika...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> I've found M92 beta has enabled this feature. Does M92
>>>>>>>>>> stable enable it by default?
>>>>>>>>>> I mean, cannot use alert(), confirm().
>>>>>>>>>>
>>>>>>>>>> - Stanley
>>>>>>>>>> On Friday, June 11, 2021 at 11:51:57 PM [UTC+8], carl...@google.com wrote:
>>>>>>>>>>
>>>>>>>>>>> The plan is to keep the trial in until M96
>>>>>>>>>>>
>>>>>>>>>>> -Carlos
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson
>>>>>>>>>>> <chri...@chromium.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> How long do you intend to run the deprecation trial? There
>>>>>>>>>>>> should be a deadline in order to make clear to developers they
>>>>>>>>>>>> have a limited time to fix their content.
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss
>>>>>>>>>>>> <yoav...@chromium.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to
>>>>>>>>>>>>> (temporarily) resolve the issues we've run into when trying to
>>>>>>>>>>>>> remove this, and give developers more time to move away from
>>>>>>>>>>>>> current usage.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael Ibarra
>>>>>>>>>>>>> Lopez' via blink-dev <blin...@chromium.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Contact emails carl...@chromium.org, mea...@chromium.org
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Explainer None
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Specification
>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Summary
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, it shows
>>>>>>>>>>>>>> “<URL> says ...” when the iframe is the same origin as the top
>>>>>>>>>>>>>> frame, and “An embedded page on this page says...” when the
>>>>>>>>>>>>>> iframe is cross-origin. The current UX is confusing, and has
>>>>>>>>>>>>>> previously led to spoofs where sites pretend the message comes
>>>>>>>>>>>>>> from Chrome or a different website. Removing support for cross
>>>>>>>>>>>>>> origin iframes’ ability to trigger the UI will prevent this
>>>>>>>>>>>>>> kind of spoofing, and unblock further UI simplifications.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Blink component Blink>WindowDialog
>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TAG review
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TAG review status Pending
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Risks
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Interoperability and Compatibility
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In total, around 0.009% of page loads would be affected by
>>>>>>>>>>>>>> the removal. We believe that core functionality will not be
>>>>>>>>>>>>>> severely degraded, since the ability for users to disable JS
>>>>>>>>>>>>>> prompts means sites already can’t rely on JS dialogs to always
>>>>>>>>>>>>>> be displayed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Gecko: Positive (https://github.com/whatwg/html/issues/5407)
>>>>>>>>>>>>>> Firefox has already implemented this behind a flag, and was
>>>>>>>>>>>>>> supportive of the spec change.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> WebKit: Positive (https://github.com/whatwg/html/issues/5407)
>>>>>>>>>>>>>> Safari has not implemented, but they were supportive of the spec
>>>>>>>>>>>>>> change.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Web developers: No signals
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing
>>>>>>>>>>>>>> surfaces.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Goals for experimentation
>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to remove
>>>>>>>>>>>>>> to diminish breakage risks. See
>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ
>>>>>>>>>>>>>> for the relevant discussion.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Reason this experiment is being extended
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ongoing technical constraints
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Will this feature be supported on all six Blink platforms
>>>>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tracking bug
>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This intent message was generated by Chrome Platform Status
>>>>>>>>>>>>>> <https://www.chromestatus.com/>.
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>>>>> it, send an email to blink-dev+...@chromium.org.
>>>>>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com
>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
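
The same-origin question raised in this thread (https://123.mydomain.com embedding https://abc.mydomain.com, modules on different ports, sandboxed frames), as an added example that is not part of the original messages and is not Chrome's code: a small JavaScript model of when a subframe's alert/confirm/prompt would be suppressed. The function names, the `app.example` URLs, and the simplification to a plain origin comparison plus the `allow-modals` and `allow-same-origin` sandbox tokens are assumptions.

```javascript
// Added example: a model of the rule discussed in the thread, not Chrome's code.
// An origin is (scheme, host, port). URL.origin serializes it and yields the
// string "null" for opaque origins such as data: URLs.
function originOf(url) {
  const o = new URL(url).origin;
  return o === 'null' ? null : o;
}

// sandbox: null when the iframe has no sandbox attribute, otherwise the
// attribute value (possibly empty) as space-separated tokens.
function frameDialogVerdict(topUrl, frameUrl, sandbox = null) {
  const tokens = sandbox === null
    ? null
    : new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));

  // A sandboxed frame may not open modal dialogs unless allow-modals is set.
  if (tokens && !tokens.has('allow-modals')) {
    return 'blocked: sandbox without allow-modals';
  }
  // Without allow-same-origin a sandboxed frame runs in an opaque origin,
  // so it is treated here (assumption) as cross-origin to its embedder.
  const frameOrigin = tokens && !tokens.has('allow-same-origin')
    ? null
    : originOf(frameUrl);
  const topOrigin = originOf(topUrl);

  if (frameOrigin === null || frameOrigin !== topOrigin) {
    return 'blocked: cross-origin subframe';
  }
  return 'allowed';
}

// Constructed samples mirroring the setups mentioned in the thread.
const TOP = 'https://app.example/';
const WIDGET = 'https://app.example/widget';
const SAMPLES = [
  ['https://123.mydomain.com/', 'https://abc.mydomain.com/', null],
  ['https://app.example:8443/', 'https://app.example:9443/', null],
  [TOP, WIDGET, null],
  [TOP, WIDGET, ''],
  [TOP, WIDGET, 'allow-scripts allow-modals'],
  [TOP, WIDGET, 'allow-scripts allow-modals allow-same-origin'],
];

function runSamples() {
  return SAMPLES.map(([top, frame, sandbox]) =>
    frameDialogVerdict(top, frame, sandbox));
}

console.log(runSamples());
```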