Is the tested Chrome browser managed using enterprise policies? It's possible an enterprise policy could be interfering with the Finch fill switch.
On Thu, Aug 19, 2021 at 2:31 PM Daniel Bratell <bratel...@gmail.com> wrote:

> I'm not in that engineering team but as far as I understand, the change was done through the Finch system, which is settings your Chrome client will regularly download from Google server. That might not happen immediately which could possibly explain what you see. But maybe the team can follow up with more information.
>
> /Daniel
>
> On 2021-08-19 16:33, Pierce McGeough wrote:
>
> What is the current state of play with this?
>
> I thought *92.0.4515.157* was the most version of Chrome where the issue was reverted. I downloaded *92.0.4515.107* with it looking like it was the most recent version to still have the blocker in place.
> I also have 91.0.4472.144 on another machine.
>
> I tested no attribute, "sandbox", "sandbox='allow-scripts'" and "sandbox='allow-scripts allow-modals'". I tested against running a script, alert, confirm, print and prompt. All versions gave the same results.
>
> On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell wrote:
>
>> Technically those are two different domains, even though they are likely controlled by the same party. There are ways to "join" different domains (like setting the document.domain <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain> property), or identify which second level domains have only one controller <https://wiki.mozilla.org/Public_Suffix_List> and which has more, but they are unreliable and are being phased out <https://github.com/mikewest/deprecating-document-domain/>.
>>
>> You are right that this is a common setup in enterprises and that has to be considered when discussing how possibly malicious cross-origin alerts and prompts can be prevented.
>>
>> /Daniel
>>
>> On 2021-08-04 15:38, Hugo Leitao wrote:
>>
>> Why do you block for the same domain? Sample: https://123.mydomain.com and subframe https://abc.mydomain.com
>> Too many corporate applications will be affected. Regards
>>
>> On Friday, July 30, 2021 at 21:06:14 UTC-3, carl...@chromium.org wrote:
>>
>>> We decided to disable this deprecation temporarily (for 2 weeks, until August 15, 2021) to provide more time for websites to address the issues caused by this change, or enroll affected origins in the origin trial. If neither the origin trial or the enterprise policy address your concerns, please comment in the implementation bug at crbug.com/1065085.
>>>
>>> The configuration to disable the deprecation should reach most Chrome instances in a few hours, but in some cases might take longer. Chrome needs to be restarted for the change to take effect.
>>>
>>> Thanks,
>>> -Carlos
>>>
>>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh <psi...@watermarkinsights.com> wrote:
>>>
>>>> If we use the document.domain='example.com' on the pages of our site under same domain, will the opening in iframe will be excluded from this impact?
>>>>
>>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres wrote:
>>>>
>>>>> Thanks for the suggestion but it’s not the output what worries me but the input instead. When teaching JavaScript to a 10 year old using prompts was key for many exercises. At least there should be a setting to momentarily disable this behavior.
>>>>>
>>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez <carl...@google.com> wrote:
>>>>>
>>>>> For simple output when teaching, I'd recommend switching to console.log, which would work in this case, and is more well suited for that usecase.
>>>>>
>>>>> Temporarily, sites such as codepen can enroll in the trial to maintain this functionality.
>>>>>
>>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres <torres...@gmail.com> wrote:
>>>>>
>>>>>> We use sites such as codepen.io to deliver JavaScript training to many kids, since this update we can't do simple JavaScript prompts and alerts from codepen.io and many of our training material is now useless.
>>>>>>
>>>>>> Manuel Torres
>>>>>>
>>>>>> On Wednesday, July 28, 2021 at 15:44:38 UTC-5, carl...@google.com wrote:
>>>>>>
>>>>>>> Affected sites can use the origin trial to temporarily opt-out of this change (additionally, in enterprise settings, an enterprise policy <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs> can be used to opt-out). As a permanent solution though, sites will need to stop relying on alert, confirm, and prompt, and will instead need to implement similar functionality directly in the site.
>>>>>>>
>>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev <lyam...@gmail.com> wrote:
>>>>>>>
>>>>>>>> This is very bad news for me. My corporative soft modules deployed on many ports and integrates with iframes...
>>>>>>>>
>>>>>>>> On Tuesday, July 27, 2021 at 19:00:03 UTC+3, wong spark wrote:
>>>>>>>>
>>>>>>>>> Could you cancel the cross sub-domain block?
>>>>>>>>>
>>>>>>>>> On Tuesday, July 13, 2021 at 1:06:21 AM UTC+8, <carl...@google.com> wrote:
>>>>>>>>>
>>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on different origin subframes by default on Stable. You can use the deprecation trial to temporarily bypass the block.
>>>>>>>>>>
>>>>>>>>>> -Carlos
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley <kaika...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I've found M92 beta has enable this feature. Does M92 stable enable it by default?
>>>>>>>>>>> I mean, cannot use alert(), confirm().
>>>>>>>>>>>
>>>>>>>>>>> - Stanley
>>>>>>>>>>>
>>>>>>>>>>> On Friday, June 11, 2021 at 11:51:57 PM [UTC+8], carl...@google.com wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The plan is to keep the trial in until M96
>>>>>>>>>>>>
>>>>>>>>>>>> -Carlos
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson <chri...@chromium.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> How long do you intend to run the deprecation trial? There should be a deadline in order to make clear to developers they have a limited time to fix their content.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss <yoav...@chromium.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to (temporarily) resolve the issues we've run into when trying to remove this, and give developers more time to move away from current usage.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael Ibarra Lopez' via blink-dev <blin...@chromium.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Contact emails carl...@chromium.org, mea...@chromium.org
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Explainer None
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Specification
>>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Summary
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, it shows “<URL> says ...” when the iframe is the same origin as the top frame, and “An embedded page on this page says...” when the iframe is cross-origin. The current UX is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will prevent this kind of spoofing, and unblock further UI simplifications.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Blink component Blink>WindowDialog <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TAG review
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TAG review status Pending
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Risks
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Interoperability and Compatibility
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In total, around 0.009% of page loads would be affected by the removal. We believe that core functionality will not be severely degraded, since the ability for users to disable JS prompts means sites already can’t rely on JS dialogs to always be displayed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Gecko: Positive (https://github.com/whatwg/html/issues/5407) Firefox has already implemented this behind a flag, and was supportive of the spec change.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> WebKit: Positive (https://github.com/whatwg/html/issues/5407) Safari has not implemented, but they were supportive of the spec change.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Web developers: No signals
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing surfaces.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Goals for experimentation
>>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to remove to diminish breakage risks. See https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ for the relevant discussion.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Reason this experiment is being extended
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ongoing technical constraints
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? Yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tracking bug
>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform Status <https://www.chromestatus.com/>.
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
>>>>>>>>>>>>>>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
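
The origin comparison this thread keeps coming back to (sibling subdomains, modules on different ports, sandboxed frames), as an added example that is not part of the thread and not Chrome's code: a small Node.js model of the checks in the linked "cannot show simple dialogs" spec section. The names `originOf`, `dialogVerdict` and `audit`, and the port-8443 URL, are hypothetical; `document.domain` relaxation is not modelled.

```javascript
// Added example: a model of the spec checks discussed in this thread,
// not Chrome's implementation. document.domain is not modelled (assumption).

// Serialized origin (scheme + host + port), or null when the origin is opaque.
function originOf(url) {
  const o = new URL(url).origin; // "null" for data: URLs
  return o === "null" ? null : o;
}

// frame.sandbox is null when the attribute is absent, else its token string.
function dialogVerdict(topUrl, frame) {
  let frameOrigin = originOf(frame.src);
  if (frame.sandbox !== null) {
    const tokens = frame.sandbox.split(/\s+/).filter(Boolean);
    if (!tokens.includes("allow-modals")) {
      return { blocked: true, reason: "sandbox without allow-modals" };
    }
    // Without allow-same-origin a sandboxed frame gets an opaque origin.
    if (!tokens.includes("allow-same-origin")) frameOrigin = null;
  }
  if (frameOrigin === null) {
    return { blocked: true, reason: "opaque origin" };
  }
  if (frameOrigin !== originOf(topUrl)) {
    return { blocked: true, reason: "different origin from top frame" };
  }
  return { blocked: false, reason: "same origin as top frame" };
}

// Constructed sample frames modelled on the cases raised in the thread.
const TOP = "https://123.mydomain.com/app";
const SAME = "https://123.mydomain.com/widget";
const FRAMES = [
  { src: SAME, sandbox: null },
  { src: "https://abc.mydomain.com/widget", sandbox: null }, // sibling subdomain
  { src: "https://123.mydomain.com:8443/module", sandbox: null }, // other port
  { src: SAME, sandbox: "allow-scripts" },
  { src: SAME, sandbox: "allow-scripts allow-modals" },
  { src: SAME, sandbox: "allow-scripts allow-modals allow-same-origin" },
];

function audit(topUrl, frames) {
  return frames.map((f) => ({ ...f, ...dialogVerdict(topUrl, f) }));
}

for (const r of audit(TOP, FRAMES)) {
  console.log(r.blocked ? "BLOCKED" : "allowed", r.src, r.sandbox, r.reason);
}
```
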