Does it mean that if I signup for the Origin Trials, I have until July 2022 to resolve this?
On Tuesday, 28 September 2021 at 06:35:07 UTC+8 carl...@chromium.org wrote: > This change remains disabled, and will be re-enabled at the earliest in > January 2022. When this is re-enabled, the enterprise policy and origin > trial opt outs will remain available for at least 6 months. > > -Carlos > > On Thu, Sep 23, 2021 at 9:44 PM Emmanuel Law <emmanu...@gmail.com> wrote: > >> What is the latest status of this? Ideally we would like more information >> on when this deprecation will take place so that we can strategize on a >> longer term solution vs a short term solution depending on the date. >> >> On Friday, August 20, 2021 at 12:16:59 PM UTC-7 carl...@chromium.org >> wrote: >> >>> Re: Stilll seeing the breakage, this was indeed disabled via Chrome >>> Variations, so if something is interfering with variations (like an >>> enterprise policy), that could be the reason you still see this. This was >>> also disabled in code starting in 92.0.4515.146. >>> >>> Re: A message in DevTools, we are planning to add a note in DevTools >>> about this API being deprecated. >>> >>> Re: Testing while this is disabled by default, you can do so by running >>> chrome with >>> the --enable-features="SuppressDifferentOriginSubframeJSDialogs" command >>> line flag >>> >>> -Carlos >>> >>> On Fri, Aug 20, 2021 at 12:11 AM Pritpal Singh < >>> psi...@watermarkinsights.com> wrote: >>> >>>> How can we re-enable this deprecation on latest version of chrome, we >>>> need it to test the alternatives. Please guide. >>>> >>>> On Friday, August 20, 2021 at 12:05:24 PM UTC+5:30 Yang Guo wrote: >>>> >>>>> Is there plans for a soft deprecation through DevTools? >>>>> >>>>> Instead of removing right away, you could raise issues in DevTools >>>>> when these APIs are used to warn developers of upcoming deprecation. >>>>> >>>>> On Thursday, August 19, 2021 at 8:36:16 PM UTC+2 wande...@chromium.org >>>>> wrote: >>>>> >>>>>> Is the tested chrome browser managed using enterprise policies? It's >>>>>> possible an enterprise policy could be interfering with the finch fill >>>>>> switch. >>>>>> >>>>>> On Thu, Aug 19, 2021 at 2:31 PM Daniel Bratell <brat...@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> I'm not in that engineering team but as far as I understand, the >>>>>>> change was done through the Finch system, which is settings your Chrome >>>>>>> client will regularly download from Google server. That might not >>>>>>> happen >>>>>>> immediately which could possibly explain what you see. But maybe the >>>>>>> team >>>>>>> can follow up with more information. >>>>>>> >>>>>>> /Daniel >>>>>>> On 2021-08-19 16:33, Pierce McGeough wrote: >>>>>>> >>>>>>> What is the current state of play with this? >>>>>>> >>>>>>> I thought *92.0.4515.157* was the most version of Chrome where the >>>>>>> issue was reverted. I downloaded *92.0.4515.107 *with it looking >>>>>>> like it was the most recent version to still have the blocker in place. >>>>>>> I also have 91.0.4472.144 on another machine. >>>>>>> >>>>>>> I tested no attribute, "sandbox", "sandbox='allow-scripts'" and >>>>>>> "sandbox='allow-scripts allow-modals''. I tested against running a >>>>>>> script, >>>>>>> alert, confirm, print and prompt. All versions gave the same results. >>>>>>> >>>>>>> On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell >>>>>>> wrote: >>>>>>> >>>>>>>> Technically those are two different domains, even though they are >>>>>>>> likely controlled by the same party. There are ways to "join" >>>>>>>> different >>>>>>>> domains (like setting the document.domain >>>>>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain> >>>>>>>> property), or identify which second level domains have only one >>>>>>>> controller <https://wiki.mozilla.org/Public_Suffix_List> and which >>>>>>>> has more, but they are unreliable and are being phased out >>>>>>>> <https://github.com/mikewest/deprecating-document-domain/>. >>>>>>>> >>>>>>>> You are right that this is a common setup in enterprises and that >>>>>>>> has to be considered when discussing how possibly malicious >>>>>>>> cross-origin >>>>>>>> alerts and prompts can be prevented. >>>>>>>> >>>>>>>> /Daniel >>>>>>>> On 2021-08-04 15:38, Hugo Leitao wrote: >>>>>>>> >>>>>>>> Why do you block for the same domain? Sample: >>>>>>>> https://123.mydomain.com and subframe https://abc.mydomain.com >>>>>>>> Too many corporate applications will be affected. Regards >>>>>>>> Em sexta-feira, 30 de julho de 2021 às 21:06:14 UTC-3, >>>>>>>> carl...@chromium.org escreveu: >>>>>>>> >>>>>>>>> We decided to disable this deprecation temporarily (for 2 weeks, >>>>>>>>> until August 15, 2021) to provide more time for websites to address >>>>>>>>> the >>>>>>>>> issues caused by this change, or enroll affected origins in the >>>>>>>>> origin >>>>>>>>> trial. >>>>>>>>> If neither the origin trial or the enterprise policy address your >>>>>>>>> concerns, please comment in the implementation bug at >>>>>>>>> crbug.com/1065085. >>>>>>>>> >>>>>>>>> The configuration to disable the deprecation should reach most >>>>>>>>> Chrome instances in a few hours, but in some cases might take longer. >>>>>>>>> Chrome needs to be restarted for the change to take effect. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> -Carlos >>>>>>>>> >>>>>>>>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh < >>>>>>>>> psi...@watermarkinsights.com> wrote: >>>>>>>>> >>>>>>>>>> If we use the document.domain='example.com' on the pages of our >>>>>>>>>> site under same domain, will the opening in iframe will be excluded >>>>>>>>>> from >>>>>>>>>> this impact? >>>>>>>>>> >>>>>>>>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Thanks for the suggestion but it’s not the output what worries >>>>>>>>>>> me but the input instead. When teaching JavaScript to a 10 year old >>>>>>>>>>> using >>>>>>>>>>> prompts was key for many exercises. At least there should be a >>>>>>>>>>> setting to >>>>>>>>>>> momentarily disable this behavior. >>>>>>>>>>> >>>>>>>>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez < >>>>>>>>>>> carl...@google.com> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> For simple output when teaching, I'd recommend switching to >>>>>>>>>>> console.log, which would work in this case, and is more well suited >>>>>>>>>>> for >>>>>>>>>>> that usecase. >>>>>>>>>>> >>>>>>>>>>> Temporarily, sites such as codepen can enroll in the trial to >>>>>>>>>>> maintain this functionality. >>>>>>>>>>> >>>>>>>>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres < >>>>>>>>>>> torres...@gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> We use sites such as codepen.io to deliver JavaScript training >>>>>>>>>>>> to many kids, since this update we can't do simple JavaScript >>>>>>>>>>>> prompts and >>>>>>>>>>>> alerts from codepen.io and many of our training material is >>>>>>>>>>>> now useless. >>>>>>>>>>>> >>>>>>>>>>>> Manuel Torres >>>>>>>>>>>> >>>>>>>>>>>> El miércoles, 28 de julio de 2021 a las 15:44:38 UTC-5, >>>>>>>>>>>> carl...@google.com escribió: >>>>>>>>>>>> >>>>>>>>>>>>> Affected sites can use the origin trial to temporarily opt-out >>>>>>>>>>>>> of this change (additionally, in enterprise settings, an >>>>>>>>>>>>> enterprise >>>>>>>>>>>>> policy >>>>>>>>>>>>> <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs> >>>>>>>>>>>>> >>>>>>>>>>>>> can be used to opt-out). As a permanent solution though, sites >>>>>>>>>>>>> will need to >>>>>>>>>>>>> stop relying on alert, confirm, and prompt, and will instead need >>>>>>>>>>>>> to >>>>>>>>>>>>> implement similar functionality directly in the site. >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev < >>>>>>>>>>>>> lyam...@gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> This is very bad news for me. My corporative soft modules >>>>>>>>>>>>>> deployed on many ports and integrates with iframes... >>>>>>>>>>>>>> вторник, 27 июля 2021 г. в 19:00:03 UTC+3, wong spark: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Could you cancel the cross sub-domain block? >>>>>>>>>>>>>>> 在2021年7月13日星期二 UTC+8 上午1:06:21<carl...@google.com> 写道: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on >>>>>>>>>>>>>>>> different origin subframes by default on Stable. You can use >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> deprecation trial to temporarily bypass the block. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley < >>>>>>>>>>>>>>>> kaika...@gmail.com> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I've found M92 beta has enable this feature. Does M92 >>>>>>>>>>>>>>>>> stable enable it by default? >>>>>>>>>>>>>>>>> I mean, cannot use alert(), confirm(). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> - Stanley >>>>>>>>>>>>>>>>> carl...@google.com 在 2021年6月11日 星期五下午11:51:57 [UTC+8] >>>>>>>>>>>>>>>>> 的信中寫道: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> The plan is to keep the trial in until M96 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson < >>>>>>>>>>>>>>>>>> chri...@chromium.org> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> How long do you intend to run the deprecation trial? >>>>>>>>>>>>>>>>>>> There should be a deadline in order to make clear to >>>>>>>>>>>>>>>>>>> developers they have a >>>>>>>>>>>>>>>>>>> limited time to fix their content. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss < >>>>>>>>>>>>>>>>>>> yoav...@chromium.org> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to >>>>>>>>>>>>>>>>>>>> (temporarily) resolve the issues we've run into when >>>>>>>>>>>>>>>>>>>> trying to remove this, >>>>>>>>>>>>>>>>>>>> and give developers more time to move away from current >>>>>>>>>>>>>>>>>>>> usage. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael >>>>>>>>>>>>>>>>>>>> Ibarra Lopez' via blink-dev <blin...@chromium.org> >>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Contact emails carl...@chromium.org, >>>>>>>>>>>>>>>>>>>>> mea...@chromium.org >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Explainer None >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Specification >>>>>>>>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Summary >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, >>>>>>>>>>>>>>>>>>>>> it shows “<URL> says ...” when the iframe is the same >>>>>>>>>>>>>>>>>>>>> origin as the top >>>>>>>>>>>>>>>>>>>>> frame, and “An embedded page on this page says...” when >>>>>>>>>>>>>>>>>>>>> the iframe is >>>>>>>>>>>>>>>>>>>>> cross-origin. The current UX is confusing, and has >>>>>>>>>>>>>>>>>>>>> previously led to spoofs >>>>>>>>>>>>>>>>>>>>> where sites pretend the message comes from Chrome or a >>>>>>>>>>>>>>>>>>>>> different website. >>>>>>>>>>>>>>>>>>>>> Removing support for cross origin iframes’ ability to >>>>>>>>>>>>>>>>>>>>> trigger the UI will >>>>>>>>>>>>>>>>>>>>> prevent this kind of spoofing, and unblock further UI >>>>>>>>>>>>>>>>>>>>> simplifications. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Blink component Blink>WindowDialog >>>>>>>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> TAG review >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> TAG review status Pending >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Risks >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Interoperability and Compatibility >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> In total, around 0.009% of page loads would be >>>>>>>>>>>>>>>>>>>>> affected by the removal. We believe that core >>>>>>>>>>>>>>>>>>>>> functionality will not be >>>>>>>>>>>>>>>>>>>>> severely degraded, since the ability for users to disable >>>>>>>>>>>>>>>>>>>>> JS prompts means >>>>>>>>>>>>>>>>>>>>> sites already can’t rely on JS dialogs to always be >>>>>>>>>>>>>>>>>>>>> displayed. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Gecko: Positive ( >>>>>>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Firefox >>>>>>>>>>>>>>>>>>>>> has already implemented this behind a flag, and was >>>>>>>>>>>>>>>>>>>>> supportive of the spec >>>>>>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> WebKit: Positive ( >>>>>>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Safari >>>>>>>>>>>>>>>>>>>>> has not implemented, but they were supportive of the spec >>>>>>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Web developers: No signals >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Security >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing >>>>>>>>>>>>>>>>>>>>> surfaces. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Goals for experimentation >>>>>>>>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to >>>>>>>>>>>>>>>>>>>>> remove to diminish breakage risks. See >>>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> for the relevant discusison. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Reason this experiment is being extended >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Ongoing technical constraints >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Will this feature be supported on all six Blink >>>>>>>>>>>>>>>>>>>>> platforms (Windows, Mac, Linux, Chrome OS, Android, and >>>>>>>>>>>>>>>>>>>>> Android WebView)? >>>>>>>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>>>>>>>>>>> ? Yes >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Tracking bug >>>>>>>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform >>>>>>>>>>>>>>>>>>>>> Status <https://www.chromestatus.com/>. >>>>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>>>> You received this message because you are subscribed >>>>>>>>>>>>>>>>>>>>> to the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving >>>>>>>>>>>>>>>>>>>>> emails from it, send an email to >>>>>>>>>>>>>>>>>>>>> blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to >>>>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving >>>>>>>>>>>>>>>>>>>> emails from it, send an email to >>>>>>>>>>>>>>>>>>>> blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to blink-dev+...@chromium.org. >>>>>>>> >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org >>>>>>>> >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to blink-dev+...@chromium.org. >>>>>>> >>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com >>>>>>> >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/cdeef0bd-40b9-46bd-bca2-98a881e1ccbcn%40chromium.org.
