Intent to Prototype: Permissions-Policy: unload

85 views
Skip to first unread message

Fergal Daly

unread,
May 13, 2022, 1:58:57 AM5/13/22
to blink-dev, bfcache-dev, Kenji Baheux, Rakina Zata Amni, Domenic Denicola

Contact emails

fer...@chromium.com, bfcache-dev


Explainer

https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md


Specification

https://github.com/whatwg/html/pull/7915


Summary

This feature allows pages to disable the running of unload event handlers. The goal is to :

- allow sites that have removed all unload handlers to ensure they do not accidentally add new ones

- allow sites to remove unload handlers when updating the code would is infeasible


Unload event handlers are problematic for various reasons and prevent use of BFCache on Desktop (see https://web.dev/bfcache/#never-use-the-unload-event).



Blink component

Blink>PermissionsAPI


Motivation

Help sites migrate off unload event handlers and thereby improve BFCache hit-rate:

- by ensuring that once removed, handlers do not creep back in

- by providing a means to disable handlers in 3rd party iframes and script that is hard to change



Initial public proposal

https://github.com/w3c/webappsec-permissions-policy/issues/444


TAG review

https://github.com/w3ctag/design-reviews/issues/738


TAG review status

Pending


Risks



Interoperability and Compatibility

3rd-party frames that rely on unload may not work as expected when navigating away. This is solvable by the frame authors by use of alternatives to unload and is unlikely to impact users. See detailed discussion.


https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md#concerns-about-giving-embedders-control-over-the-nonexecution-of-iframe-code



Gecko: Negative (https://github.com/w3c/webappsec-permissions-policy/issues/444#issuecomment-1047829132) FF objects to this (similar to sync-xhr and document-domain) because it’s providing a way to cause cross-origin interference with script. Explainer addresses this.


WebKit: No signal


Web developers: Positive

Private discussions with devs are positive. Sites that have made efforts to remove all unload handlers want to use this to prevent accidental returns. Also some providers of 3rd-party iframes which have content outside of their control (e.g. ad network) want to guarantee themselves to be unload-free.


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Debuggability

N/A



Is this feature fully tested by web-platform-tests?

No


Flag name



Requires code in //chrome?

False


Tracking bug

https://crbug.com/1324111


Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5760325231050752


This intent message was generated by Chrome Platform Status.



Reply all
Reply to author
Forward
0 new messages