Request for Deprecation Trial: Remove alert(), confirm(), and prompt for cross origin iframes

2,790 views
Skip to first unread message

Carlos Joan Rafael Ibarra Lopez

unread,
Jun 10, 2021, 7:57:08 PM6/10/21
to blink-dev

Contact emails

carl...@chromium.orgmea...@chromium.org

Explainer

None

Specification

https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#cannot-show-simple-dialogs

Summary

Chrome allows iframes to trigger Javascript dialogs, it shows “<URL> says ...” when the iframe is the same origin as the top frame, and “An embedded page on this page says...” when the iframe is cross-origin. The current UX is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will prevent this kind of spoofing, and unblock further UI simplifications.



Blink component

Blink>WindowDialog

TAG review



TAG review status

Pending

Risks



Interoperability and Compatibility

In total, around 0.009% of page loads would be affected by the removal. We believe that core functionality will not be severely degraded, since the ability for users to disable JS prompts means sites already can’t rely on JS dialogs to always be displayed.



Gecko: Positive (https://github.com/whatwg/html/issues/5407) Firefox has already implemented this behind a flag, and was supportive of the spec change.

WebKit: Positive (https://github.com/whatwg/html/issues/5407) Safari has not implemented, but they were supportive of the spec change.

Web developers: No signals

Security

Expected to be security positive by reducing spoofing surfaces.



Goals for experimentation

Origin-trial based opt out was suggested in intent to remove to diminish breakage risks. See https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ for the relevant discusison.



Reason this experiment is being extended



Ongoing technical constraints



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Flag name

SuppressDifferentOriginSubframeJSDialogs

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1065085

Link to entry on the Chrome Platform Status

https://www.chromestatus.com/feature/5148698084376576

This intent message was generated by Chrome Platform Status.

Yoav Weiss

unread,
Jun 10, 2021, 11:36:18 PM6/10/21
to Carlos Joan Rafael Ibarra Lopez, blink-dev
LGTM1 - a deprecation trial seems like a good way to (temporarily) resolve the issues we've run into when trying to remove this, and give developers more time to move away from current usage.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfUshCk-RRpxeOYZvLsgA%2BNe%2BU%2Btn1%2B3khY6-q-utk2Ahg%40mail.gmail.com.

Chris Harrelson

unread,
Jun 11, 2021, 11:46:42 AM6/11/21
to Yoav Weiss, Carlos Joan Rafael Ibarra Lopez, blink-dev
How long do you intend to run the deprecation trial? There should be a deadline in order to make clear to developers they have a limited time to fix their content.

Carlos Joan Rafael Ibarra Lopez

unread,
Jun 11, 2021, 11:51:57 AM6/11/21
to Chris Harrelson, Yoav Weiss, blink-dev
The plan is to keep the trial in until M96

-Carlos

Chris Harrelson

unread,
Jun 11, 2021, 12:14:12 PM6/11/21
to Carlos Joan Rafael Ibarra Lopez, Yoav Weiss, blink-dev

Daniel Bratell

unread,
Jun 11, 2021, 12:47:19 PM6/11/21
to Chris Harrelson, Carlos Joan Rafael Ibarra Lopez, Yoav Weiss, blink-dev

Yoav Weiss

unread,
Jun 15, 2021, 5:05:10 AM6/15/21
to Chris Shingler, blink-dev, Daniel Bratell, Chris Harrelson, carl...@google.com
Looking at https://chromiumdash.appspot.com/schedule, it says that the stable release data for M96 is November 16, 2021.

On Tue, Jun 15, 2021 at 11:01 AM Chris Shingler <c.shi...@quill.co.uk> wrote:
We are one of the software providers effected by this and we've been conducting work to resolve it on our side. 

Please forgive my ignorance but I cant seem to find any reference for M96 - is there a timeline for that ? Closest ive found is - https://www.chromestatus.com/features/schedule which states 93 is 77 days away. So we have at least that time frame to address this ? 
Confidentiality and Disclaimer: This email and any attachments hereto, are intended for use by the addressee(s) named herein and may contain legally privileged material and confidential information that is exempt from disclosure by law. If you are not the intended recipient of this email, you are hereby notified that, any disclosure, tampering, copying or distribution of the content and/or any attachments hereto, is strictly prohibited and you must not read, use or take any action in reliance of the information contained herein. If you have received this email in error, please immediately notify the sender by telephoning +44(0)161-236-2910 or by emailing: admini...@quill.co.uk. In addition you must permanently delete the original email, all copies and destroy any hard copies. Please be aware that internet email is not a secure communications medium. Although we have scanned this email and any attachments for viruses, we cannot guarantee that any file is virus free. It is your responsibility to ensure emails that you receive are 100% virus free. You accept and are to observe this lack of security when emailing us. Clients of Quill are controllers of all information processed by Quill and responsible for the accuracy and integrity of that information. Quill accepts no liability for the content of this email or any attachments or hyperlinks hereto, or for the consequences of any actions taken on the basis of the information provided in this email or any attachments or hyperlinks hereto, unless otherwise advised. Quill Pinpoint Ltd (Quill), Registered in England No. 01348976

Chris Shingler

unread,
Jun 15, 2021, 11:19:03 AM6/15/21
to blink-dev, Daniel Bratell, yoav...@chromium.org, blink-dev, Chris Harrelson, carl...@google.com
We are one of the software providers effected by this and we've been conducting work to resolve it on our side. 

Please forgive my ignorance but I cant seem to find any reference for M96 - is there a timeline for that ? Closest ive found is - https://www.chromestatus.com/features/schedule which states 93 is 77 days away. So we have at least that time frame to address this ? 

On Friday, 11 June 2021 at 17:47:19 UTC+1 Daniel Bratell wrote:

Liang Stanley

unread,
Jul 12, 2021, 11:05:54 AM7/12/21
to blink-dev, carl...@google.com, yoav...@chromium.org, blink-dev, Chris Harrelson
I've found M92 beta has enable this feature. Does M92 stable  enable it by default?
I mean, cannot use alert(), confirm().

- Stanley
carl...@google.com 在 2021年6月11日 星期五下午11:51:57 [UTC+8] 的信中寫道:

Carlos Joan Rafael Ibarra Lopez

unread,
Jul 12, 2021, 1:06:21 PM7/12/21
to Liang Stanley, blink-dev, yoav...@chromium.org, Chris Harrelson
M92 will indeed enable the blocking of JS dialogs usage on different origin subframes by default on Stable. You can use the deprecation trial to temporarily bypass the block.

-Carlos

wong spark

unread,
Jul 27, 2021, 12:00:03 PM7/27/21
to blink-dev, carl...@google.com, blink-dev, yoav...@chromium.org, Chris Harrelson, Liang Stanley
Could you cancel the cross sub-domain block?

Dmitry Liamtsev

unread,
Jul 28, 2021, 5:07:43 AM7/28/21
to blink-dev, wong spark, carl...@google.com, blink-dev, yoav...@chromium.org, Chris Harrelson, Liang Stanley
This is very bad news for me. My corporative soft modules deployed on many ports and integrates with iframes...
вторник, 27 июля 2021 г. в 19:00:03 UTC+3, wong spark:

Shi Yan

unread,
Jul 28, 2021, 5:08:24 AM7/28/21
to blink-dev, wong spark, carl...@google.com, blink-dev, yoav...@chromium.org, Chris Harrelson, Liang Stanley
this broke our chrome dev-tool add-on :(

Carlos Joan Rafael Ibarra Lopez

unread,
Jul 28, 2021, 4:44:38 PM7/28/21
to Dmitry Liamtsev, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley
Affected sites can use the origin trial to temporarily opt-out of this change (additionally, in enterprise settings, an enterprise policy can be used to opt-out). As a permanent solution though, sites will need to stop relying on alert, confirm, and prompt, and will instead need to implement similar functionality directly in the site.

Carlos Joan Rafael Ibarra Lopez

unread,
Jul 28, 2021, 6:53:50 PM7/28/21
to Manuel Torres, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev
For simple output when teaching, I'd recommend switching to console.log, which would work in this case, and is more well suited for that usecase.

Temporarily, sites such as codepen can enroll in the trial to maintain this functionality.

On Wed, Jul 28, 2021 at 3:40 PM Manuel Torres <torres...@gmail.com> wrote:
We use sites such as codepen.io to deliver JavaScript training to many kids, since this update we can't do simple JavaScript prompts and alerts from codepen.io and many of our training material is now useless.

Manuel Torres

Manuel Torres

unread,
Jul 28, 2021, 6:55:17 PM7/28/21
to blink-dev, carl...@google.com, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev
We use sites such as codepen.io to deliver JavaScript training to many kids, since this update we can't do simple JavaScript prompts and alerts from codepen.io and many of our training material is now useless.

Manuel Torres

El miércoles, 28 de julio de 2021 a las 15:44:38 UTC-5, carl...@google.com escribió:

James Haggerty

unread,
Jul 29, 2021, 2:06:50 PM7/29/21
to blink-dev, Manuel Torres, carl...@google.com, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev
We're in a similar boat - we run a coding platform (groklearning.com), and some of our courses teach intro JS. alert/prompt are useful things when you're doing some basics, and we don't want to run arbitrary student JS in the same domain.

Is there any alternative to rewriting these courses?

Guzmán García Gómez

unread,
Jul 29, 2021, 2:07:42 PM7/29/21
to blink-dev, carl...@google.com
I have some external aplication of the same  *.domain.com , and our prod environment stopped working. Is there any way to disable this temporarly while we fix te issue? 

William Jens

unread,
Jul 29, 2021, 2:08:41 PM7/29/21
to blink-dev, carl...@google.com
I don't think the following rationale is valid.

"In total, around 0.009% of page loads would be affected by the removal. We believe that core functionality will not be severely degraded, since the ability for users to disable JS prompts means sites already can’t rely on JS dialogs to always be displayed." (from https://chromestatus.com/feature/5148698084376576#details)

I'd venture that virtually no one is opting to remove JS prompts. I didn't even know it was an option. However, there are many sites that rely on JS alert() and confirm() and all you've done is broken any of them that are framed in. I feel that alert() and confirm() are so fundamental that they should still be supported under frames. What is 0.009% in terms of number of sites affected?

Frankly if the number is so low, why do you care about a clumsy JS UI interaction? Wouldn't it only affect those using JS confirm() and alert() within a frame?

Manuel Torres

unread,
Jul 29, 2021, 2:09:18 PM7/29/21
to Carlos Joan Rafael Ibarra Lopez, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev
Thanks for the suggestion but it’s not the output what worries me but the input instead. When teaching JavaScript to a 10 year old using prompts was key for many exercises. At least there should be a setting to momentarily disable this behavior.

On 28 Jul 2021, at 17:53, Carlos Joan Rafael Ibarra Lopez <carl...@google.com> wrote:



Guzmán García Gómez

unread,
Jul 30, 2021, 12:43:28 PM7/30/21
to blink-dev, Manuel Torres, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, carl...@google.com
Hi Everyone.
Is there any way to supress this feature while we fix the problem?

Pritpal Singh

unread,
Jul 30, 2021, 12:43:49 PM7/30/21
to blink-dev, Manuel Torres, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, carl...@google.com
If we use the document.domain='example.com' on the pages of our site under same domain, will the opening in iframe will be excluded from this impact?

James Haggerty

unread,
Jul 30, 2021, 12:44:01 PM7/30/21
to blink-dev, James Haggerty, Manuel Torres, carl...@google.com, blink-dev, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev
Just to add to this, why isn't the 'allow-modals' option on the iframe enough to prevent issues here? This would give control back to the page author, and surely if people are running completely untrusted iframe code they would be paying close attention to what they enable.

Carlos IL

unread,
Jul 30, 2021, 8:06:14 PM7/30/21
to Pritpal Singh, blink-dev, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev
We decided to disable this deprecation temporarily (for 2 weeks, until August 15, 2021) to provide more time for websites to address the issues caused by this change, or enroll affected origins in the origin trial.
If neither the origin trial or the enterprise policy address your concerns, please comment in the implementation bug at crbug.com/1065085.

The configuration to disable the deprecation should reach most Chrome instances in a few hours, but in some cases might take longer. Chrome needs to be restarted for the change to take effect.

Thanks,
-Carlos

Social Media Mall

unread,
Aug 3, 2021, 11:37:22 AM8/3/21
to blink-dev, carl...@chromium.org, blink-dev, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com
I am running wordpress and woocommerce backend in iframes for my customers to enable them to have an interface that only gives them access to certain backend pages. This change really affects my ability to serve my clients. I hope you will keep them enabled or at least give an option to turn them back on via the Chrome settings.

Op zaterdag 31 juli 2021 om 02:06:14 UTC+2 schreef carl...@chromium.org:

Matthew Dean

unread,
Aug 4, 2021, 12:34:33 PM8/4/21
to blink-dev, Social Media Mall, carl...@chromium.org, blink-dev, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com

IMO this is a poorly-thought-out solution amongst several that would mitigate the original problem. alert() and confirm() are lynchpins of the web and can't / shouldn't be removed.

Hugo Leitao

unread,
Aug 4, 2021, 12:34:54 PM8/4/21
to blink-dev, carl...@chromium.org, blink-dev, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com
Why do you block for the same domain? Sample: https://123.mydomain.com and subframe https://abc.mydomain.com
Too many corporate applications will be affected. Regards

Carlos IL

unread,
Aug 4, 2021, 5:04:44 PM8/4/21
to Matthew Dean, blink-dev, Social Media Mall, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com
Thanks everyone for the feedback. We have decided to postpone this deprecation until at least January 2022 to give us time to do more outreach and propose alternatives to sites that rely on this behavior, and to give website owners more time to explore alternatives.

We will provide an update once we have a set milestone/date to re-enable the deprecation.

Daniel Bratell

unread,
Aug 5, 2021, 6:02:46 AM8/5/21
to Hugo Leitao, blink-dev, carl...@chromium.org, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com

Technically those are two different domains, even though they are likely controlled by the same party. There are ways to "join" different domains (like setting the document.domain property), or identify which second level domains have only one controller and which has more, but they are unreliable and are being phased out.

You are right that this is a common setup in enterprises and that has to be considered when discussing how possibly malicious cross-origin alerts and prompts can be prevented.

/Daniel

Pierce McGeough

unread,
Aug 19, 2021, 11:54:39 AM8/19/21
to blink-dev, Daniel Bratell, carl...@chromium.org, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com, Hugo Leitao
What is the current state of play with this? 

I thought 92.0.4515.157 was the most version of Chrome where the issue was reverted. I downloaded 92.0.4515.107 with it looking like it was the most recent version to still have the blocker in place.
I also have 91.0.4472.144 on another machine. 

I tested no attribute, "sandbox", "sandbox='allow-scripts'" and "sandbox='allow-scripts allow-modals''. I tested against running a script, alert, confirm, print and prompt. All versions gave the same results.

Daniel Bratell

unread,
Aug 19, 2021, 2:31:31 PM8/19/21
to Pierce McGeough, blink-dev, carl...@chromium.org, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com, Hugo Leitao

I'm not in that engineering team but as far as I understand, the change was done through the Finch system, which is settings your Chrome client will regularly download from Google server. That might not happen immediately which could possibly explain what you see. But maybe the team can follow up with more information.

/Daniel

Ben Kelly

unread,
Aug 19, 2021, 2:36:16 PM8/19/21
to Daniel Bratell, Pierce McGeough, blink-dev, carl...@chromium.org, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com, Hugo Leitao
Is the tested chrome browser managed using enterprise policies?  It's possible an enterprise policy could be interfering with the finch fill switch.

Yang Guo

unread,
Aug 20, 2021, 2:35:24 AM8/20/21
to blink-dev, wande...@chromium.org, Pierce McGeough, blink-dev, carl...@chromium.org, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com, Hugo Leitao, Daniel Bratell
Is there plans for a soft deprecation through DevTools?

Instead of removing right away,  you could raise issues in DevTools when these APIs are used to warn developers of upcoming deprecation.

Pritpal Singh

unread,
Aug 20, 2021, 1:43:20 PM8/20/21
to blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, blink-dev, carl...@chromium.org, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, psi...@watermarkinsights.com, Hugo Leitao, Daniel Bratell
How can we re-enable this deprecation on latest version of chrome, we need it to test the alternatives. Please guide.

Carlos IL

unread,
Aug 20, 2021, 3:16:59 PM8/20/21
to Pritpal Singh, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell
Re: Stilll seeing the breakage, this was indeed disabled via Chrome Variations, so if something is interfering with variations (like an enterprise policy), that could be the reason you still see this. This was also disabled in code starting in 92.0.4515.146.

Re: A message in DevTools, we are planning to add a note in DevTools about this API being deprecated.

Re: Testing while this is disabled by default, you can do so by running chrome with the --enable-features="SuppressDifferentOriginSubframeJSDialogs" command line flag

-Carlos

Emmanuel Law

unread,
Sep 24, 2021, 4:24:08 PM9/24/21
to blink-dev, carl...@chromium.org, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh
What is the latest status of this? Ideally we would like more information on when this deprecation will take place so that we can strategize on a longer term solution vs a short term solution depending on the date.

Carlos IL

unread,
Sep 27, 2021, 6:35:07 PM9/27/21
to Emmanuel Law, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh
This change remains disabled, and will be re-enabled at the earliest in January 2022. When this is re-enabled, the enterprise policy and origin trial opt outs will remain available for at least 6 months.

-Carlos

Lewis Chan

unread,
Oct 12, 2021, 1:00:16 PM10/12/21
to blink-dev, carl...@chromium.org, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh, Emmanuel Law
Does it mean that if I signup for the Origin Trials, I have until July 2022 to resolve this?

Carlos IL

unread,
Nov 4, 2021, 7:14:57 PM11/4/21
to Lewis Chan, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh, Emmanuel Law

Thanks everyone for the feedback so far. After talking to developers and considering the options, we have decided to postpone the launch of this deprecation while we investigate adding a feature policy, which may take some time. We will provide several months of advance notice in the future when we decide to re-enable it, and the enterprise policy and origin trial opt-outs will be available at that point.


In the meantime, if you want to test Chrome with the behavior enabled, you can do so by running with the ‘enable_features=SuppressDifferentOriginSubframeJSDialogs’ command line flag.

Munaver Basha

unread,
Jan 18, 2022, 12:41:12 PM1/18/22
to blink-dev, carl...@chromium.org, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh, Emmanuel Law, Lewis Chan
Please share the release date for this version. 
Thanks

Munaver Basha

unread,
Jan 18, 2022, 12:42:20 PM1/18/22
to blink-dev, carl...@chromium.org, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh, Emmanuel Law, Lewis Chan

Please let me know the chrome version which is blocking the JS Dialogs for cross origin iframes.
and also share the release date for this version. 
Thanks
On Friday, 5 November, 2021 at 4:44:57 am UTC+5:30 carl...@chromium.org wrote:

Carlos IL

unread,
Jan 18, 2022, 7:04:32 PM1/18/22
to Munaver Basha, blink-dev, Yang Guo, wande...@chromium.org, Pierce McGeough, Manuel Torres, wong spark, yoav...@chromium.org, Chris Harrelson, Liang Stanley, Dmitry Liamtsev, Hugo Leitao, Daniel Bratell, Pritpal Singh, Emmanuel Law, Lewis Chan
As mentioned previously on the thread, we have postponed this launch, and do not currently have a planned version that would include it. We will provide advance notice once we have plans to re-enable it.
Reply all
Reply to author
Forward
0 new messages