On Mon, May 11, 2015 at 4:02 PM, Chris Coyier <chriscoy...@gmail.com> wrote:
> I'd think popups would be killed by default and allow-popups would allow
> them. Or if you need a new value, allow-obnoxious-things could work ;)

I would prefer to simply remove the functionality. :)

If we do decide that we need `alert()` and friends, I would suggest that `allow-popups` is the wrong flag to use. The advertising use case I noted at the top pretty much requires `window.open`/`target="_blank"` to work correctly. If those only work when `alert()` is enabled, then we wouldn't solve the issue.

> Like navigator.geolocation (so we regex and strip it).

I think permissions for iframes in general are a separate question, but an important one to deal with.

> The worst offender: linking to things that are .htpasswd protected and it
> pops up that authentication modal.

I wouldn't be terribly averse to dropping support for that inside a sandbox. Especially a sandbox without `allow-same-origin`.

-mike

--
Mike West <mk...@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)