This change remains disabled, and will be re-enabled at the earliest in January 2022. When this is re-enabled, the enterprise policy and origin trial opt outs will remain available for at least 6 months.
-Carlos On Thu, Sep 23, 2021 at 9:44 PM Emmanuel Law <emmanuel....@gmail.com> wrote: > What is the latest status of this? Ideally we would like more information > on when this deprecation will take place so that we can strategize on a > longer term solution vs a short term solution depending on the date. > > On Friday, August 20, 2021 at 12:16:59 PM UTC-7 carl...@chromium.org > wrote: > >> Re: Stilll seeing the breakage, this was indeed disabled via Chrome >> Variations, so if something is interfering with variations (like an >> enterprise policy), that could be the reason you still see this. This was >> also disabled in code starting in 92.0.4515.146. >> >> Re: A message in DevTools, we are planning to add a note in DevTools >> about this API being deprecated. >> >> Re: Testing while this is disabled by default, you can do so by running >> chrome with >> the --enable-features="SuppressDifferentOriginSubframeJSDialogs" command >> line flag >> >> -Carlos >> >> On Fri, Aug 20, 2021 at 12:11 AM Pritpal Singh < >> psi...@watermarkinsights.com> wrote: >> >>> How can we re-enable this deprecation on latest version of chrome, we >>> need it to test the alternatives. Please guide. >>> >>> On Friday, August 20, 2021 at 12:05:24 PM UTC+5:30 Yang Guo wrote: >>> >>>> Is there plans for a soft deprecation through DevTools? >>>> >>>> Instead of removing right away, you could raise issues in DevTools >>>> when these APIs are used to warn developers of upcoming deprecation. >>>> >>>> On Thursday, August 19, 2021 at 8:36:16 PM UTC+2 wande...@chromium.org >>>> wrote: >>>> >>>>> Is the tested chrome browser managed using enterprise policies? It's >>>>> possible an enterprise policy could be interfering with the finch fill >>>>> switch. >>>>> >>>>> On Thu, Aug 19, 2021 at 2:31 PM Daniel Bratell <brat...@gmail.com> >>>>> wrote: >>>>> >>>>>> I'm not in that engineering team but as far as I understand, the >>>>>> change was done through the Finch system, which is settings your Chrome >>>>>> client will regularly download from Google server. That might not happen >>>>>> immediately which could possibly explain what you see. But maybe the team >>>>>> can follow up with more information. >>>>>> >>>>>> /Daniel >>>>>> On 2021-08-19 16:33, Pierce McGeough wrote: >>>>>> >>>>>> What is the current state of play with this? >>>>>> >>>>>> I thought *92.0.4515.157* was the most version of Chrome where the >>>>>> issue was reverted. I downloaded *92.0.4515.107 *with it looking >>>>>> like it was the most recent version to still have the blocker in place. >>>>>> I also have 91.0.4472.144 on another machine. >>>>>> >>>>>> I tested no attribute, "sandbox", "sandbox='allow-scripts'" and >>>>>> "sandbox='allow-scripts allow-modals''. I tested against running a >>>>>> script, >>>>>> alert, confirm, print and prompt. All versions gave the same results. >>>>>> >>>>>> On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell wrote: >>>>>> >>>>>>> Technically those are two different domains, even though they are >>>>>>> likely controlled by the same party. There are ways to "join" different >>>>>>> domains (like setting the document.domain >>>>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain> >>>>>>> property), or identify which second level domains have only one >>>>>>> controller <https://wiki.mozilla.org/Public_Suffix_List> and which >>>>>>> has more, but they are unreliable and are being phased out >>>>>>> <https://github.com/mikewest/deprecating-document-domain/>. >>>>>>> >>>>>>> You are right that this is a common setup in enterprises and that >>>>>>> has to be considered when discussing how possibly malicious cross-origin >>>>>>> alerts and prompts can be prevented. >>>>>>> >>>>>>> /Daniel >>>>>>> On 2021-08-04 15:38, Hugo Leitao wrote: >>>>>>> >>>>>>> Why do you block for the same domain? Sample: >>>>>>> https://123.mydomain.com and subframe https://abc.mydomain.com >>>>>>> Too many corporate applications will be affected. Regards >>>>>>> Em sexta-feira, 30 de julho de 2021 às 21:06:14 UTC-3, >>>>>>> carl...@chromium.org escreveu: >>>>>>> >>>>>>>> We decided to disable this deprecation temporarily (for 2 weeks, >>>>>>>> until August 15, 2021) to provide more time for websites to address the >>>>>>>> issues caused by this change, or enroll affected origins in the origin >>>>>>>> trial. >>>>>>>> If neither the origin trial or the enterprise policy address your >>>>>>>> concerns, please comment in the implementation bug at >>>>>>>> crbug.com/1065085. >>>>>>>> >>>>>>>> The configuration to disable the deprecation should reach most >>>>>>>> Chrome instances in a few hours, but in some cases might take longer. >>>>>>>> Chrome needs to be restarted for the change to take effect. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> -Carlos >>>>>>>> >>>>>>>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh < >>>>>>>> psi...@watermarkinsights.com> wrote: >>>>>>>> >>>>>>>>> If we use the document.domain='example.com' on the pages of our >>>>>>>>> site under same domain, will the opening in iframe will be excluded >>>>>>>>> from >>>>>>>>> this impact? >>>>>>>>> >>>>>>>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Thanks for the suggestion but it’s not the output what worries me >>>>>>>>>> but the input instead. When teaching JavaScript to a 10 year old >>>>>>>>>> using >>>>>>>>>> prompts was key for many exercises. At least there should be a >>>>>>>>>> setting to >>>>>>>>>> momentarily disable this behavior. >>>>>>>>>> >>>>>>>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez < >>>>>>>>>> carl...@google.com> wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> For simple output when teaching, I'd recommend switching to >>>>>>>>>> console.log, which would work in this case, and is more well suited >>>>>>>>>> for >>>>>>>>>> that usecase. >>>>>>>>>> >>>>>>>>>> Temporarily, sites such as codepen can enroll in the trial to >>>>>>>>>> maintain this functionality. >>>>>>>>>> >>>>>>>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres < >>>>>>>>>> torres...@gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> We use sites such as codepen.io to deliver JavaScript training >>>>>>>>>>> to many kids, since this update we can't do simple JavaScript >>>>>>>>>>> prompts and >>>>>>>>>>> alerts from codepen.io and many of our training material is now >>>>>>>>>>> useless. >>>>>>>>>>> >>>>>>>>>>> Manuel Torres >>>>>>>>>>> >>>>>>>>>>> El miércoles, 28 de julio de 2021 a las 15:44:38 UTC-5, >>>>>>>>>>> carl...@google.com escribió: >>>>>>>>>>> >>>>>>>>>>>> Affected sites can use the origin trial to temporarily opt-out >>>>>>>>>>>> of this change (additionally, in enterprise settings, an enterprise >>>>>>>>>>>> policy >>>>>>>>>>>> <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs> >>>>>>>>>>>> can be used to opt-out). As a permanent solution though, sites >>>>>>>>>>>> will need to >>>>>>>>>>>> stop relying on alert, confirm, and prompt, and will instead need >>>>>>>>>>>> to >>>>>>>>>>>> implement similar functionality directly in the site. >>>>>>>>>>>> >>>>>>>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev < >>>>>>>>>>>> lyam...@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> This is very bad news for me. My corporative soft modules >>>>>>>>>>>>> deployed on many ports and integrates with iframes... >>>>>>>>>>>>> вторник, 27 июля 2021 г. в 19:00:03 UTC+3, wong spark: >>>>>>>>>>>>> >>>>>>>>>>>>>> Could you cancel the cross sub-domain block? >>>>>>>>>>>>>> 在2021年7月13日星期二 UTC+8 上午1:06:21<carl...@google.com> 写道: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on >>>>>>>>>>>>>>> different origin subframes by default on Stable. You can use the >>>>>>>>>>>>>>> deprecation trial to temporarily bypass the block. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley < >>>>>>>>>>>>>>> kaika...@gmail.com> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I've found M92 beta has enable this feature. Does M92 >>>>>>>>>>>>>>>> stable enable it by default? >>>>>>>>>>>>>>>> I mean, cannot use alert(), confirm(). >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - Stanley >>>>>>>>>>>>>>>> carl...@google.com 在 2021年6月11日 星期五下午11:51:57 [UTC+8] >>>>>>>>>>>>>>>> 的信中寫道: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The plan is to keep the trial in until M96 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson < >>>>>>>>>>>>>>>>> chri...@chromium.org> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> How long do you intend to run the deprecation trial? >>>>>>>>>>>>>>>>>> There should be a deadline in order to make clear to >>>>>>>>>>>>>>>>>> developers they have a >>>>>>>>>>>>>>>>>> limited time to fix their content. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss < >>>>>>>>>>>>>>>>>> yoav...@chromium.org> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to >>>>>>>>>>>>>>>>>>> (temporarily) resolve the issues we've run into when trying >>>>>>>>>>>>>>>>>>> to remove this, >>>>>>>>>>>>>>>>>>> and give developers more time to move away from current >>>>>>>>>>>>>>>>>>> usage. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael >>>>>>>>>>>>>>>>>>> Ibarra Lopez' via blink-dev <blin...@chromium.org> >>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Contact emails carl...@chromium.org, >>>>>>>>>>>>>>>>>>>> mea...@chromium.org >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Explainer None >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Specification >>>>>>>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Summary >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, it >>>>>>>>>>>>>>>>>>>> shows “<URL> says ...” when the iframe is the same origin >>>>>>>>>>>>>>>>>>>> as the top frame, >>>>>>>>>>>>>>>>>>>> and “An embedded page on this page says...” when the >>>>>>>>>>>>>>>>>>>> iframe is >>>>>>>>>>>>>>>>>>>> cross-origin. The current UX is confusing, and has >>>>>>>>>>>>>>>>>>>> previously led to spoofs >>>>>>>>>>>>>>>>>>>> where sites pretend the message comes from Chrome or a >>>>>>>>>>>>>>>>>>>> different website. >>>>>>>>>>>>>>>>>>>> Removing support for cross origin iframes’ ability to >>>>>>>>>>>>>>>>>>>> trigger the UI will >>>>>>>>>>>>>>>>>>>> prevent this kind of spoofing, and unblock further UI >>>>>>>>>>>>>>>>>>>> simplifications. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Blink component Blink>WindowDialog >>>>>>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> TAG review >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> TAG review status Pending >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Risks >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Interoperability and Compatibility >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> In total, around 0.009% of page loads would be affected >>>>>>>>>>>>>>>>>>>> by the removal. We believe that core functionality will >>>>>>>>>>>>>>>>>>>> not be severely >>>>>>>>>>>>>>>>>>>> degraded, since the ability for users to disable JS >>>>>>>>>>>>>>>>>>>> prompts means sites >>>>>>>>>>>>>>>>>>>> already can’t rely on JS dialogs to always be displayed. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Gecko: Positive ( >>>>>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Firefox >>>>>>>>>>>>>>>>>>>> has already implemented this behind a flag, and was >>>>>>>>>>>>>>>>>>>> supportive of the spec >>>>>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> WebKit: Positive ( >>>>>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Safari has >>>>>>>>>>>>>>>>>>>> not implemented, but they were supportive of the spec >>>>>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Web developers: No signals >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Security >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing >>>>>>>>>>>>>>>>>>>> surfaces. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Goals for experimentation >>>>>>>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to >>>>>>>>>>>>>>>>>>>> remove to diminish breakage risks. See >>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ >>>>>>>>>>>>>>>>>>>> for the relevant discusison. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Reason this experiment is being extended >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Ongoing technical constraints >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Will this feature be supported on all six Blink >>>>>>>>>>>>>>>>>>>> platforms (Windows, Mac, Linux, Chrome OS, Android, and >>>>>>>>>>>>>>>>>>>> Android WebView)? >>>>>>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>>>>>>>>>> ? Yes >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Tracking bug >>>>>>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform >>>>>>>>>>>>>>>>>>>> Status <https://www.chromestatus.com/>. >>>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to >>>>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving >>>>>>>>>>>>>>>>>>>> emails from it, send an email to >>>>>>>>>>>>>>>>>>>> blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com >>>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to >>>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com >>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to blink-dev+...@chromium.org. >>>>>>> >>>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to blink-dev+...@chromium.org. >>>>>> >>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUh3dC7cXLWQLA5ZshTgA5KcXG5AA2x%2BRrJbKUv3OtVDw%40mail.gmail.com.
