What is the latest status of this? Ideally we would like more information on when this deprecation will take place so that we can strategize on a longer term solution vs a short term solution depending on the date.
On Friday, August 20, 2021 at 12:16:59 PM UTC-7 carl...@chromium.org wrote: > Re: Stilll seeing the breakage, this was indeed disabled via Chrome > Variations, so if something is interfering with variations (like an > enterprise policy), that could be the reason you still see this. This was > also disabled in code starting in 92.0.4515.146. > > Re: A message in DevTools, we are planning to add a note in DevTools about > this API being deprecated. > > Re: Testing while this is disabled by default, you can do so by running > chrome with > the --enable-features="SuppressDifferentOriginSubframeJSDialogs" command > line flag > > -Carlos > > On Fri, Aug 20, 2021 at 12:11 AM Pritpal Singh < > psi...@watermarkinsights.com> wrote: > >> How can we re-enable this deprecation on latest version of chrome, we >> need it to test the alternatives. Please guide. >> >> On Friday, August 20, 2021 at 12:05:24 PM UTC+5:30 Yang Guo wrote: >> >>> Is there plans for a soft deprecation through DevTools? >>> >>> Instead of removing right away, you could raise issues in DevTools when >>> these APIs are used to warn developers of upcoming deprecation. >>> >>> On Thursday, August 19, 2021 at 8:36:16 PM UTC+2 wande...@chromium.org >>> wrote: >>> >>>> Is the tested chrome browser managed using enterprise policies? It's >>>> possible an enterprise policy could be interfering with the finch fill >>>> switch. >>>> >>>> On Thu, Aug 19, 2021 at 2:31 PM Daniel Bratell <brat...@gmail.com> >>>> wrote: >>>> >>>>> I'm not in that engineering team but as far as I understand, the >>>>> change was done through the Finch system, which is settings your Chrome >>>>> client will regularly download from Google server. That might not happen >>>>> immediately which could possibly explain what you see. But maybe the team >>>>> can follow up with more information. >>>>> >>>>> /Daniel >>>>> On 2021-08-19 16:33, Pierce McGeough wrote: >>>>> >>>>> What is the current state of play with this? >>>>> >>>>> I thought *92.0.4515.157* was the most version of Chrome where the >>>>> issue was reverted. I downloaded *92.0.4515.107 *with it looking like >>>>> it was the most recent version to still have the blocker in place. >>>>> I also have 91.0.4472.144 on another machine. >>>>> >>>>> I tested no attribute, "sandbox", "sandbox='allow-scripts'" and >>>>> "sandbox='allow-scripts allow-modals''. I tested against running a >>>>> script, >>>>> alert, confirm, print and prompt. All versions gave the same results. >>>>> >>>>> On Thursday, August 5, 2021 at 11:02:46 AM UTC+1 Daniel Bratell wrote: >>>>> >>>>>> Technically those are two different domains, even though they are >>>>>> likely controlled by the same party. There are ways to "join" different >>>>>> domains (like setting the document.domain >>>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Document/domain> >>>>>> property), or identify which second level domains have only one >>>>>> controller <https://wiki.mozilla.org/Public_Suffix_List> and which >>>>>> has more, but they are unreliable and are being phased out >>>>>> <https://github.com/mikewest/deprecating-document-domain/>. >>>>>> >>>>>> You are right that this is a common setup in enterprises and that has >>>>>> to be considered when discussing how possibly malicious cross-origin >>>>>> alerts >>>>>> and prompts can be prevented. >>>>>> >>>>>> /Daniel >>>>>> On 2021-08-04 15:38, Hugo Leitao wrote: >>>>>> >>>>>> Why do you block for the same domain? Sample: >>>>>> https://123.mydomain.com and subframe https://abc.mydomain.com >>>>>> Too many corporate applications will be affected. Regards >>>>>> Em sexta-feira, 30 de julho de 2021 às 21:06:14 UTC-3, >>>>>> carl...@chromium.org escreveu: >>>>>> >>>>>>> We decided to disable this deprecation temporarily (for 2 weeks, >>>>>>> until August 15, 2021) to provide more time for websites to address the >>>>>>> issues caused by this change, or enroll affected origins in the origin >>>>>>> trial. >>>>>>> If neither the origin trial or the enterprise policy address your >>>>>>> concerns, please comment in the implementation bug at >>>>>>> crbug.com/1065085. >>>>>>> >>>>>>> The configuration to disable the deprecation should reach most >>>>>>> Chrome instances in a few hours, but in some cases might take longer. >>>>>>> Chrome needs to be restarted for the change to take effect. >>>>>>> >>>>>>> Thanks, >>>>>>> -Carlos >>>>>>> >>>>>>> On Fri, Jul 30, 2021 at 5:24 AM Pritpal Singh < >>>>>>> psi...@watermarkinsights.com> wrote: >>>>>>> >>>>>>>> If we use the document.domain='example.com' on the pages of our >>>>>>>> site under same domain, will the opening in iframe will be excluded >>>>>>>> from >>>>>>>> this impact? >>>>>>>> >>>>>>>> On Thursday, July 29, 2021 at 11:39:18 PM UTC+5:30 Manuel Torres >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Thanks for the suggestion but it’s not the output what worries me >>>>>>>>> but the input instead. When teaching JavaScript to a 10 year old >>>>>>>>> using >>>>>>>>> prompts was key for many exercises. At least there should be a >>>>>>>>> setting to >>>>>>>>> momentarily disable this behavior. >>>>>>>>> >>>>>>>>> On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez < >>>>>>>>> carl...@google.com> wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> For simple output when teaching, I'd recommend switching to >>>>>>>>> console.log, which would work in this case, and is more well suited >>>>>>>>> for >>>>>>>>> that usecase. >>>>>>>>> >>>>>>>>> Temporarily, sites such as codepen can enroll in the trial to >>>>>>>>> maintain this functionality. >>>>>>>>> >>>>>>>>> On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres <torres...@gmail.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> We use sites such as codepen.io to deliver JavaScript training >>>>>>>>>> to many kids, since this update we can't do simple JavaScript >>>>>>>>>> prompts and >>>>>>>>>> alerts from codepen.io and many of our training material is now >>>>>>>>>> useless. >>>>>>>>>> >>>>>>>>>> Manuel Torres >>>>>>>>>> >>>>>>>>>> El miércoles, 28 de julio de 2021 a las 15:44:38 UTC-5, >>>>>>>>>> carl...@google.com escribió: >>>>>>>>>> >>>>>>>>>>> Affected sites can use the origin trial to temporarily opt-out >>>>>>>>>>> of this change (additionally, in enterprise settings, an enterprise >>>>>>>>>>> policy >>>>>>>>>>> <https://chromeenterprise.google/policies/#SuppressDifferentOriginSubframeDialogs> >>>>>>>>>>> >>>>>>>>>>> can be used to opt-out). As a permanent solution though, sites will >>>>>>>>>>> need to >>>>>>>>>>> stop relying on alert, confirm, and prompt, and will instead need >>>>>>>>>>> to >>>>>>>>>>> implement similar functionality directly in the site. >>>>>>>>>>> >>>>>>>>>>> On Wed, Jul 28, 2021 at 12:06 AM Dmitry Liamtsev < >>>>>>>>>>> lyam...@gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> This is very bad news for me. My corporative soft modules >>>>>>>>>>>> deployed on many ports and integrates with iframes... >>>>>>>>>>>> вторник, 27 июля 2021 г. в 19:00:03 UTC+3, wong spark: >>>>>>>>>>>> >>>>>>>>>>>>> Could you cancel the cross sub-domain block? >>>>>>>>>>>>> 在2021年7月13日星期二 UTC+8 上午1:06:21<carl...@google.com> 写道: >>>>>>>>>>>>> >>>>>>>>>>>>>> M92 will indeed enable the blocking of JS dialogs usage on >>>>>>>>>>>>>> different origin subframes by default on Stable. You can use the >>>>>>>>>>>>>> deprecation trial to temporarily bypass the block. >>>>>>>>>>>>>> >>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Mon, Jul 12, 2021 at 5:14 AM Liang Stanley < >>>>>>>>>>>>>> kaika...@gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> I've found M92 beta has enable this feature. Does M92 >>>>>>>>>>>>>>> stable enable it by default? >>>>>>>>>>>>>>> I mean, cannot use alert(), confirm(). >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Stanley >>>>>>>>>>>>>>> carl...@google.com 在 2021年6月11日 星期五下午11:51:57 [UTC+8] 的信中寫道: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The plan is to keep the trial in until M96 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -Carlos >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 8:46 AM Chris Harrelson < >>>>>>>>>>>>>>>> chri...@chromium.org> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> How long do you intend to run the deprecation trial? There >>>>>>>>>>>>>>>>> should be a deadline in order to make clear to developers >>>>>>>>>>>>>>>>> they have a >>>>>>>>>>>>>>>>> limited time to fix their content. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Thu, Jun 10, 2021 at 8:36 PM Yoav Weiss < >>>>>>>>>>>>>>>>> yoav...@chromium.org> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> LGTM1 - a deprecation trial seems like a good way to >>>>>>>>>>>>>>>>>> (temporarily) resolve the issues we've run into when trying >>>>>>>>>>>>>>>>>> to remove this, >>>>>>>>>>>>>>>>>> and give developers more time to move away from current >>>>>>>>>>>>>>>>>> usage. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Fri, Jun 11, 2021 at 1:57 AM 'Carlos Joan Rafael >>>>>>>>>>>>>>>>>> Ibarra Lopez' via blink-dev <blin...@chromium.org> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Contact emails carl...@chromium.org, mea...@chromium.org >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Explainer None >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Specification >>>>>>>>>>>>>>>>>>> https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Summary >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Chrome allows iframes to trigger Javascript dialogs, it >>>>>>>>>>>>>>>>>>> shows “<URL> says ...” when the iframe is the same origin >>>>>>>>>>>>>>>>>>> as the top frame, >>>>>>>>>>>>>>>>>>> and “An embedded page on this page says...” when the iframe >>>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>> cross-origin. The current UX is confusing, and has >>>>>>>>>>>>>>>>>>> previously led to spoofs >>>>>>>>>>>>>>>>>>> where sites pretend the message comes from Chrome or a >>>>>>>>>>>>>>>>>>> different website. >>>>>>>>>>>>>>>>>>> Removing support for cross origin iframes’ ability to >>>>>>>>>>>>>>>>>>> trigger the UI will >>>>>>>>>>>>>>>>>>> prevent this kind of spoofing, and unblock further UI >>>>>>>>>>>>>>>>>>> simplifications. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Blink component Blink>WindowDialog >>>>>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> TAG review >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> TAG review status Pending >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Risks >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Interoperability and Compatibility >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> In total, around 0.009% of page loads would be affected >>>>>>>>>>>>>>>>>>> by the removal. We believe that core functionality will not >>>>>>>>>>>>>>>>>>> be severely >>>>>>>>>>>>>>>>>>> degraded, since the ability for users to disable JS prompts >>>>>>>>>>>>>>>>>>> means sites >>>>>>>>>>>>>>>>>>> already can’t rely on JS dialogs to always be displayed. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Gecko: Positive ( >>>>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Firefox has >>>>>>>>>>>>>>>>>>> already implemented this behind a flag, and was supportive >>>>>>>>>>>>>>>>>>> of the spec >>>>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> WebKit: Positive ( >>>>>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/5407) Safari has >>>>>>>>>>>>>>>>>>> not implemented, but they were supportive of the spec >>>>>>>>>>>>>>>>>>> change. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Web developers: No signals >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Security >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Expected to be security positive by reducing spoofing >>>>>>>>>>>>>>>>>>> surfaces. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Goals for experimentation >>>>>>>>>>>>>>>>>>> Origin-trial based opt out was suggested in intent to >>>>>>>>>>>>>>>>>>> remove to diminish breakage risks. See >>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> for the relevant discusison. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Reason this experiment is being extended >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Ongoing technical constraints >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Will this feature be supported on all six Blink >>>>>>>>>>>>>>>>>>> platforms (Windows, Mac, Linux, Chrome OS, Android, and >>>>>>>>>>>>>>>>>>> Android WebView)? >>>>>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>>>>>>>>> ? Yes >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Flag name SuppressDifferentOriginSubframeJSDialogs >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Tracking bug >>>>>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1065085 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>>>>>>>> https://www.chromestatus.com/feature/5148698084376576 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> This intent message was generated by Chrome Platform >>>>>>>>>>>>>>>>>>> Status <https://www.chromestatus.com/>. >>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>> You received this message because you are subscribed to >>>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>> You received this message because you are subscribed to >>>>>>>>>>>>>>>>>> the Google Groups "blink-dev" group. >>>>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>>>> from it, send an email to blink-dev+...@chromium.org. >>>>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to blink-dev+...@chromium.org. >>>>>> >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org >>>>>> >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+...@chromium.org. >>>>> >>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com >>>>> >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/3d355ef3-11d2-4205-a85c-c77cced97e37n%40chromium.org.
