Chrome allows iframes to trigger Javascript dialogs, it shows “<URL> says ...” when the iframe is the same origin as the top frame, and “An embedded page on this page says...” when the iframe is cross-origin. The current UX is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will prevent this kind of spoofing, and unblock further UI simplifications.
In total, around 0.009% of page loads would be affected by the removal. We believe that core functionality will not be severely degraded, since the ability for users to disable JS prompts means sites already can’t rely on JS dialogs to always be displayed.
Expected to be security positive by reducing spoofing surfaces.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVAr%3D9s0VtNyxq0ud2X%2B_VQeZtpEVAq2jtzaSSvuHjoMA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfU2a%3DPzJTSYg2fJko365z6Ahc4Ksk-dDd-5EEn_sfjuaw%40mail.gmail.com.
LGTM3
/Daniel
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9RkAsXhH5h%2Bs9tGeZ%3DqsJd%3Dy1Xn405%3DpSn7Sx8Dgfm8A%40mail.gmail.com.
We are one of the software providers effected by this and we've been conducting work to resolve it on our side.
Please forgive my ignorance but I cant seem to find any reference for M96 - is there a timeline for that ? Closest ive found is - https://www.chromestatus.com/features/schedule which states 93 is 77 days away. So we have at least that time frame to address this ?
Confidentiality and Disclaimer: This email and any attachments hereto, are intended for use by the addressee(s) named herein and may contain legally privileged material and confidential information that is exempt from disclosure by law. If you are not the intended recipient of this email, you are hereby notified that, any disclosure, tampering, copying or distribution of the content and/or any attachments hereto, is strictly prohibited and you must not read, use or take any action in reliance of the information contained herein. If you have received this email in error, please immediately notify the sender by telephoning +44(0)161-236-2910 or by emailing: admini...@quill.co.uk. In addition you must permanently delete the original email, all copies and destroy any hard copies. Please be aware that internet email is not a secure communications medium. Although we have scanned this email and any attachments for viruses, we cannot guarantee that any file is virus free. It is your responsibility to ensure emails that you receive are 100% virus free. You accept and are to observe this lack of security when emailing us. Clients of Quill are controllers of all information processed by Quill and responsible for the accuracy and integrity of that information. Quill accepts no liability for the content of this email or any attachments or hyperlinks hereto, or for the consequences of any actions taken on the basis of the information provided in this email or any attachments or hyperlinks hereto, unless otherwise advised. Quill Pinpoint Ltd (Quill), Registered in England No. 01348976
We use sites such as codepen.io to deliver JavaScript training to many kids, since this update we can't do simple JavaScript prompts and alerts from codepen.io and many of our training material is now useless.Manuel Torres
On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez <carl...@google.com> wrote:
Technically those are two different domains, even though they are likely controlled by the same party. There are ways to "join" different domains (like setting the document.domain property), or identify which second level domains have only one controller and which has more, but they are unreliable and are being phased out.
You are right that this is a common setup in enterprises and that has to be considered when discussing how possibly malicious cross-origin alerts and prompts can be prevented.
/Daniel
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e31f66da-a48f-4aac-8185-0ae56a374753n%40chromium.org.
I'm not in that engineering team but as far as I understand, the change was done through the Finch system, which is settings your Chrome client will regularly download from Google server. That might not happen immediately which could possibly explain what you see. But maybe the team can follow up with more information.
/Daniel
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/da7368d1-b016-3fac-5d56-f67425dd2827%40gmail.com.
Thanks everyone for the feedback so far. After talking to developers and considering the options, we have decided to postpone the launch of this deprecation while we investigate adding a feature policy, which may take some time. We will provide several months of advance notice in the future when we decide to re-enable it, and the enterprise policy and origin trial opt-outs will be available at that point.