Intent to remove: touch drag as a user gesture in cross-origin iframes (intervention)
Rick Byers
Primary eng (and PM) emails
Summary
Currently every touch event is considered a "user gesture" and so able to do sensitive operations such as spawn popups. I propose that in (for now) cross-origin iframes, the only touch event that would get a user gesture is the touchend corresponding to a tap. Details are in the intervention doc here, and discussed here.
Motivation
We've seen multiple examples of poorly written / malicious ads which trigger navigation for touch scrolls (either on touchstart or all touchend events). If a 'wheel' event can't open a pop-up, then really touch scrolling shouldn't either.
Compatibility Risk
AFAIK Chrome has permitted this since touch support was first added.
Mobile Safari already (silently) suppresses pop-ups on all touch events except for the touchend associated with a tap, so the risk there should be low. There is more risk around features that require a user gesture which aren't supported by Mobile Safari, such as fullscreen. It's not unreasonable, for example, for a site to have a swipable toggle switch for enabling fullscreen mode which could break (although I've never seen such an example myself). To mitigate that risk I propose applying this intervention ONLY to touches targeted at cross-origin iframes.
Alternative implementation suggestion for web developers
The UX for sensitive operations should be designed to require a tap gesture.
Usage information from UseCounter
Don't know for sure yet, so this is just about deprecating and measuring at the moment. I'd like to extend the UserGestureIndicator infrastructure to be able to (mostly) track usage, and then use that to add two new metrics:
- TouchDragUserGestureUsed: a sequence of touch events (other than a touchend for a tap) generated a UserGestureIndicator which got used for some purpose.
- TouchDragUserGestureUsedCrossOrigin: like the above, but the touch was also targeted at a cross-origin iframe. I'd like to report a deprecation warning for this, saying we plan to remove support in M52.
OWP launch tracking bug
Entry on the feature dashboard
https://www.chromestatus.com/features/5649871251963904
Requesting approval to remove too?
Not yet, plan to remove in M52.
Jochen Eisinger
Dimitri Glazkov
Chris Harrelson
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Rick Byers
- TouchDragUserGestureUsedCrossOrigin: like the above, but the touch was also targeted at a cross-origin iframe. I'd like to report a deprecation warning for this, saying we plan to remove support in M52.
0.06% of page views. This seems consistent with the anecdotal reports of occasional pop-ups when scrolling (due to bad ads). Of course it's possible there are some legitimate use cases mixed in here too, but it's rare enough that I think the benefit clearly outweighs the risk.