Is there plans for a soft deprecation through DevTools? Instead of removing right away, you could raise issues in DevTools when these APIs are used to warn developers of upcoming deprecation.
On Thursday, August 19, 2021 at 8:36:16 PM UTC+2 wande...@chromium.org wrote: > Is the tested chrome browser managed using enterprise policies? It's > possible an enterprise policy could be interfering with the finch fill > switch. > > On Thu, Aug 19, 2021 at 2:31 PM Daniel Bratell <brat...@gmail.com> wrote: > >> I'm not in that engineering team but as far as I understand, the change >> was done through the Finch system, which is settings your Chrome client >> will regularly download from Google server. That might not happen >> immediately which could possibly explain what you see. But maybe the team >> can follow up with more information. >> >> /Daniel >> On 2021-08-19 16:33, Pierce McGeough wrote: >> >> What is the current state of play with this? >> >> I thought *92.0.4515.157* was the most version of Chrome where the issue >> was reverted. I downloaded *92.0.4515.107 *with it looking like it was >> the most recent version to still have the blocker in place. >> I also have 91.0.4472.144 on another machine. >> >> I tested no attribute, "sandbox", "sandbox='allow-scripts'" and >> "sandbox='allow-scripts allow-modals''. I tested against running a script, >> alert, confirm, print and prompt. All versions gave the same results. >> >> On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell wrote: >> >>> Technically those are two different domains, even though they are likely >>> controlled by the same party. There are ways to "join" different domains >>> (like setting the document.domain >>> <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain> >>> property), or identify which second level domains have only one >>> controller <https://wiki.mozilla.org/Public_Suffix_List> and which has >>> more, but they are unreliable and are being phased out >>> <https://github.com/mikewest/deprecating-document-domain/>. >>> >>> You are right that this is a common setup in enterprises and that has to >>> be considered when discussing how possibly malicious cross-origin alerts >>> and prompts can be prevented. >>> >>> /Daniel >>> On 2021-08-04 15:38, Hugo Leitao wrote: >>> >>> Why do you block for the same domain? Sample: https://123.mydomain.com >>> and subframe https://abc.mydomain.com >>> Too many corporate applications will be affected. Regards >>> Em sexta-feira, 30 de julho de 2021 às 21:06:14 UTC-3, >>> carl...@chromium.org escreveu: >>> >>>> We decided to disable this deprecation temporarily (for 2 weeks, until >>>> August 15, 2021) to provide more time for websites to address the issues >>>> caused by this change, or enroll affected origins in the origin trial. >>>> If neither the origin trial or the enterprise policy address your >>>> concerns, please comment in the implementation bug at crbug.com/1065085 >>>> . >>>> >>>> The configuration to disable the deprecation should reach most Chrome >>>> instances in a few hours, but in some cases might take longer. Chrome >>>> needs >>>> to be restarted for the change to take effect. >>>> >>>> Thanks, >>>> -Carlos >>>> >>>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh < >>>> psi...@watermarkinsights.com> wrote: >>>> >>>>> If we use the document.domain='example.com' on the pages of our site >>>>> under same domain, will the opening in iframe will be excluded from this >>>>> impact? >>>>> >>>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres wrote: >>>>> >>>>>> Thanks for the suggestion but it’s not the output what worries me but >>>>>> the input instead. When teaching JavaScript to a 10 year old using >>>>>> prompts >>>>>> was key for many exercises. At least there should be a setting to >>>>>> momentarily disable this behavior. >>>>>> >>>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez < >>>>>> carl...@google.com> wrote: >>>>>> >>>>>> >>>>>> >>>>>> For simple output when teaching, I'd recommend switching to >>>>>> console.log, which would work in this case, and is more well suited for >>>>>> that usecase. >>>>>> >>>>>> Temporarily, sites such as codepen can enroll in the trial to >>>>>> maintain this functionality. >>>>>> >>>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres <torres...@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> We use sites such as codepen.io to deliver JavaScript training to >>>>>>> many kids, since this update we can't do simple JavaScript prompts and >>>>>>> alerts from codepen.io and many of our training material is now >>>>>>> useless. >>>>>>> >>>>>>> Manuel Torres >>>>>>> >>>>>>> El miércoles, 28 de julio de 2021 a las 15:44:38 UTC-5, >>>>>>> carl...@google.com escribió: >>>>>>> >>>>>>>> Affected sites can use the origin trial to temporarily opt-out of >>>>>>>> this change (additionally, in enterprise settings, an enterprise >>>>>>>> policy >>>>>>>> <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs> >>>>>>>> >>>>>>>> can be used to opt-out). As a permanent solution though, sites will >>>>>>>> need to >>>>>>>> stop relying on alert, confirm, and prompt, and will instead need to >>>>>>>> implement similar functionality directly in the site. >>>>>>>> >>>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev <lyam...@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> This is very bad news for me. My corporative soft modules deployed >>>>>>>>> on many ports and integrates with iframes... >>>>>>>>> вторник, 27 июля 2021 г. в 19:00:03 UTC+3, wong spark: >>>>>>>>> >>>>>>>>>> Could you cancel the cross sub-domain block? >>>>>>>>>> 在2021年7月13日星期二 UTC+8 上午1:06:21<carl...@google.com> 写道: >>>>>>>>>> >>>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on >>>>>>>>>>> different origin subframes by default on Stable. You can use the >>>>>>>>>>> deprecation trial to temporarily bypass the block. >>>>>>>>>>> >>>>>>>>>>> -Carlos >>>>>>>>>>> >>>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley < >>>>>>>>>>> kaika...@gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> I've found M92 beta has enable this feature. Does M92 >>>>>>>>>>>> stable enable it by default? >>>>>>>>>>>> I mean, cannot use alert(), confirm(). >>>>>>>>>>>> >>>>>>>>>>>> - Stanley >>>>>>>>>>>> carl...@google.com 在 2021年6月11日 星期五下午11:51:57 [UTC+8] 的信中寫道: >>>>>>>>>>>> >>>>>>>>>>>>> The plan is to keep the trial in until M96 >>>>>>>>>>>>> >>>>>>>>>>>>> -Carlos >>>>>>>>>>>>> >>>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson < >>>>>>>>>>>>> chri...@chromium.org> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> How long do you intend to run the deprecation trial? There >>>>>>>>>>>>>> should be a deadline in order to make clear to developers they >>>>>>>>>>>>>> have a >>>>>>>>>>>>>> limited time to fix their content. >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss < >>>>>>>>>>>>>> yoav...@chromium.org> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to >>>>>>>>>>>>>>> (temporarily) resolve the issues we've run into when trying to >>>>>>>>>>>>>>> remove this, >>>>>>>>>>>>>>> and give developers more time to move away from current usage. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael Ibarra >>>>>>>>>>>>>>> Lopez' via blink-dev <blin...@chromium.org> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Contact emails carl...@chromium.org, mea...@chromium.org >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Explainer None >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Specification >>>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Summary >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, it >>>>>>>>>>>>>>>> shows “<URL> says ...” when the iframe is the same origin as >>>>>>>>>>>>>>>> the top frame, >>>>>>>>>>>>>>>> and “An embedded page on this page says...” when the iframe is >>>>>>>>>>>>>>>> cross-origin. The current UX is confusing, and has previously >>>>>>>>>>>>>>>> led to spoofs >>>>>>>>>>>>>>>> where sites pretend the message comes from Chrome or a >>>>>>>>>>>>>>>> different website. >>>>>>>>>>>>>>>> Removing support for cross origin iframes’ ability to trigger >>>>>>>>>>>>>>>> the UI will >>>>>>>>>>>>>>>> prevent this kind of spoofing, and unblock further UI >>>>>>>>>>>>>>>> simplifications. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Blink component Blink>WindowDialog >>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> TAG review >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> TAG review status Pending >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Risks >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Interoperability and Compatibility >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> In total, around 0.009% of page loads would be affected by >>>>>>>>>>>>>>>> the removal. We believe that core functionality will not be >>>>>>>>>>>>>>>> severely >>>>>>>>>>>>>>>> degraded, since the ability for users to disable JS prompts >>>>>>>>>>>>>>>> means sites >>>>>>>>>>>>>>>> already can’t rely on JS dialogs to always be displayed. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Gecko: Positive (https://github.com/whatwg/html/issues/5407) >>>>>>>>>>>>>>>> Firefox has already implemented this behind a flag, and was >>>>>>>>>>>>>>>> supportive of >>>>>>>>>>>>>>>> the spec change. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> WebKit: Positive ( >>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Safari has not >>>>>>>>>>>>>>>> implemented, but they were supportive of the spec change. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Web developers: No signals >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Security >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing >>>>>>>>>>>>>>>> surfaces. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Goals for experimentation >>>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to >>>>>>>>>>>>>>>> remove to diminish breakage risks. See >>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> for the relevant discusison. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Reason this experiment is being extended >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Ongoing technical constraints >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android >>>>>>>>>>>>>>>> WebView)? >>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>>>>>> ? Yes >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Tracking bug >>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>>>>>>>>>> <https://www.chromestatus.com/>. >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>> . >>>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+...@chromium.org. >>> >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> > To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/fc1b1f70-b401-422b-8c4f-ebc570ed46f3n%40chromium.org.
