How can we re-enable this deprecation on latest version of chrome, we need it to test the alternatives. Please guide.
On Friday, August 20, 2021 at 12:05:24 PM UTC+5:30 Yang Guo wrote: > Is there plans for a soft deprecation through DevTools? > > Instead of removing right away, you could raise issues in DevTools when > these APIs are used to warn developers of upcoming deprecation. > > On Thursday, August 19, 2021 at 8:36:16 PM UTC+2 wande...@chromium.org > wrote: > >> Is the tested chrome browser managed using enterprise policies? It's >> possible an enterprise policy could be interfering with the finch fill >> switch. >> >> On Thu, Aug 19, 2021 at 2:31 PM Daniel Bratell <brat...@gmail.com> wrote: >> >>> I'm not in that engineering team but as far as I understand, the change >>> was done through the Finch system, which is settings your Chrome client >>> will regularly download from Google server. That might not happen >>> immediately which could possibly explain what you see. But maybe the team >>> can follow up with more information. >>> >>> /Daniel >>> On 2021-08-19 16:33, Pierce McGeough wrote: >>> >>> What is the current state of play with this? >>> >>> I thought *92.0.4515.157* was the most version of Chrome where the >>> issue was reverted. I downloaded *92.0.4515.107 *with it looking like >>> it was the most recent version to still have the blocker in place. >>> I also have 91.0.4472.144 on another machine. >>> >>> I tested no attribute, "sandbox", "sandbox='allow-scripts'" and >>> "sandbox='allow-scripts allow-modals''. I tested against running a script, >>> alert, confirm, print and prompt. All versions gave the same results. >>> >>> On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell wrote: >>> >>>> Technically those are two different domains, even though they are >>>> likely controlled by the same party. There are ways to "join" different >>>> domains (like setting the document.domain >>>> <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain> >>>> property), or identify which second level domains have only one >>>> controller <https://wiki.mozilla.org/Public_Suffix_List> and which has >>>> more, but they are unreliable and are being phased out >>>> <https://github.com/mikewest/deprecating-document-domain/>. >>>> >>>> You are right that this is a common setup in enterprises and that has >>>> to be considered when discussing how possibly malicious cross-origin >>>> alerts >>>> and prompts can be prevented. >>>> >>>> /Daniel >>>> On 2021-08-04 15:38, Hugo Leitao wrote: >>>> >>>> Why do you block for the same domain? Sample: https://123.mydomain.com >>>> and subframe https://abc.mydomain.com >>>> Too many corporate applications will be affected. Regards >>>> Em sexta-feira, 30 de julho de 2021 às 21:06:14 UTC-3, >>>> carl...@chromium.org escreveu: >>>> >>>>> We decided to disable this deprecation temporarily (for 2 weeks, until >>>>> August 15, 2021) to provide more time for websites to address the issues >>>>> caused by this change, or enroll affected origins in the origin trial. >>>>> If neither the origin trial or the enterprise policy address your >>>>> concerns, please comment in the implementation bug at >>>>> crbug.com/1065085. >>>>> >>>>> The configuration to disable the deprecation should reach most Chrome >>>>> instances in a few hours, but in some cases might take longer. Chrome >>>>> needs >>>>> to be restarted for the change to take effect. >>>>> >>>>> Thanks, >>>>> -Carlos >>>>> >>>>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh < >>>>> psi...@watermarkinsights.com> wrote: >>>>> >>>>>> If we use the document.domain='example.com' on the pages of our site >>>>>> under same domain, will the opening in iframe will be excluded from this >>>>>> impact? >>>>>> >>>>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres >>>>>> wrote: >>>>>> >>>>>>> Thanks for the suggestion but it’s not the output what worries me >>>>>>> but the input instead. When teaching JavaScript to a 10 year old using >>>>>>> prompts was key for many exercises. At least there should be a setting >>>>>>> to >>>>>>> momentarily disable this behavior. >>>>>>> >>>>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez < >>>>>>> carl...@google.com> wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> For simple output when teaching, I'd recommend switching to >>>>>>> console.log, which would work in this case, and is more well suited for >>>>>>> that usecase. >>>>>>> >>>>>>> Temporarily, sites such as codepen can enroll in the trial to >>>>>>> maintain this functionality. >>>>>>> >>>>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres <torres...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> We use sites such as codepen.io to deliver JavaScript training to >>>>>>>> many kids, since this update we can't do simple JavaScript prompts and >>>>>>>> alerts from codepen.io and many of our training material is now >>>>>>>> useless. >>>>>>>> >>>>>>>> Manuel Torres >>>>>>>> >>>>>>>> El miércoles, 28 de julio de 2021 a las 15:44:38 UTC-5, >>>>>>>> carl...@google.com escribió: >>>>>>>> >>>>>>>>> Affected sites can use the origin trial to temporarily opt-out of >>>>>>>>> this change (additionally, in enterprise settings, an enterprise >>>>>>>>> policy >>>>>>>>> <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs> >>>>>>>>> >>>>>>>>> can be used to opt-out). As a permanent solution though, sites will >>>>>>>>> need to >>>>>>>>> stop relying on alert, confirm, and prompt, and will instead need to >>>>>>>>> implement similar functionality directly in the site. >>>>>>>>> >>>>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev < >>>>>>>>> lyam...@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> This is very bad news for me. My corporative soft modules >>>>>>>>>> deployed on many ports and integrates with iframes... >>>>>>>>>> вторник, 27 июля 2021 г. в 19:00:03 UTC+3, wong spark: >>>>>>>>>> >>>>>>>>>>> Could you cancel the cross sub-domain block? >>>>>>>>>>> 在2021年7月13日星期二 UTC+8 上午1:06:21<carl...@google.com> 写道: >>>>>>>>>>> >>>>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on >>>>>>>>>>>> different origin subframes by default on Stable. You can use the >>>>>>>>>>>> deprecation trial to temporarily bypass the block. >>>>>>>>>>>> >>>>>>>>>>>> -Carlos >>>>>>>>>>>> >>>>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley < >>>>>>>>>>>> kaika...@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> I've found M92 beta has enable this feature. Does M92 >>>>>>>>>>>>> stable enable it by default? >>>>>>>>>>>>> I mean, cannot use alert(), confirm(). >>>>>>>>>>>>> >>>>>>>>>>>>> - Stanley >>>>>>>>>>>>> carl...@google.com 在 2021年6月11日 星期五下午11:51:57 [UTC+8] 的信中寫道: >>>>>>>>>>>>> >>>>>>>>>>>>>> The plan is to keep the trial in until M96 >>>>>>>>>>>>>> >>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson < >>>>>>>>>>>>>> chri...@chromium.org> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> How long do you intend to run the deprecation trial? There >>>>>>>>>>>>>>> should be a deadline in order to make clear to developers they >>>>>>>>>>>>>>> have a >>>>>>>>>>>>>>> limited time to fix their content. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss < >>>>>>>>>>>>>>> yoav...@chromium.org> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to >>>>>>>>>>>>>>>> (temporarily) resolve the issues we've run into when trying to >>>>>>>>>>>>>>>> remove this, >>>>>>>>>>>>>>>> and give developers more time to move away from current usage. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael Ibarra >>>>>>>>>>>>>>>> Lopez' via blink-dev <blin...@chromium.org> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Contact emails carl...@chromium.org, mea...@chromium.org >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Explainer None >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Specification >>>>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Summary >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, it >>>>>>>>>>>>>>>>> shows “<URL> says ...” when the iframe is the same origin as >>>>>>>>>>>>>>>>> the top frame, >>>>>>>>>>>>>>>>> and “An embedded page on this page says...” when the iframe >>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>> cross-origin. The current UX is confusing, and has previously >>>>>>>>>>>>>>>>> led to spoofs >>>>>>>>>>>>>>>>> where sites pretend the message comes from Chrome or a >>>>>>>>>>>>>>>>> different website. >>>>>>>>>>>>>>>>> Removing support for cross origin iframes’ ability to trigger >>>>>>>>>>>>>>>>> the UI will >>>>>>>>>>>>>>>>> prevent this kind of spoofing, and unblock further UI >>>>>>>>>>>>>>>>> simplifications. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Blink component Blink>WindowDialog >>>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> TAG review >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> TAG review status Pending >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Risks >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Interoperability and Compatibility >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> In total, around 0.009% of page loads would be affected by >>>>>>>>>>>>>>>>> the removal. We believe that core functionality will not be >>>>>>>>>>>>>>>>> severely >>>>>>>>>>>>>>>>> degraded, since the ability for users to disable JS prompts >>>>>>>>>>>>>>>>> means sites >>>>>>>>>>>>>>>>> already can’t rely on JS dialogs to always be displayed. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Gecko: Positive ( >>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Firefox has >>>>>>>>>>>>>>>>> already implemented this behind a flag, and was supportive of >>>>>>>>>>>>>>>>> the spec >>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> WebKit: Positive ( >>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Safari has >>>>>>>>>>>>>>>>> not implemented, but they were supportive of the spec change. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Web developers: No signals >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Security >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing >>>>>>>>>>>>>>>>> surfaces. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Goals for experimentation >>>>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to >>>>>>>>>>>>>>>>> remove to diminish breakage risks. See >>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> for the relevant discusison. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Reason this experiment is being extended >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Ongoing technical constraints >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android >>>>>>>>>>>>>>>>> WebView)? >>>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>>>>>>> ? Yes >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Tracking bug >>>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform >>>>>>>>>>>>>>>>> Status <https://www.chromestatus.com/>. >>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>> You received this message because you are subscribed to >>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to blink-dev+...@chromium.org. >>>> >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org >>>> >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org?utm_medium=email&utm_source=footer> >>>> . >>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+...@chromium.org. >>> >> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/763ef715-63e1-423e-8d78-447b39472d04n%40chromium.org.