Ready for Trial: Permission-Policy: unload

142 prikaza
Preskoči na prvu nepročitanu poruku

Fergal Daly

nepročitano,
8. sep 2022. u 04:27:068. 9. 2022.
za blink-dev, Daisuke Enomoto, Ian Clelland

Contact emails

fer...@chromium.com

Explainer

https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md

Specification

https://github.com/whatwg/html/pull/7915

Summary

This feature allows pages to disable the running of unload event handlers. The goal is to : - allow sites that have removed all unload handlers to ensure they do not accidentally add new ones - allow sites to remove unload handlers when updating the code is infeasible Unload event handlers are problematic for various reasons and prevent use of BFCache on Desktop (see https://web.dev/bfcache/#never-use-the-unload-event).



Blink component

Blink>PermissionsAPI

TAG review

https://github.com/w3ctag/design-reviews/issues/738

TAG review status

Pending

Risks



Interoperability and Compatibility

3rd-party frames that rely on unload may not work as expected when navigating away. This is solvable by the frame authors by use of alternatives to unload and is unlikely to impact users. See detailed discussion. https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md#concerns-about-giving-embedders-control-over-the-nonexecution-of-iframe-code



Gecko: Negative (https://github.com/w3c/webappsec-permissions-policy/issues/444#issuecomment-1047829132) FF objects to this similar to sync-xhr and document-domain providing a way to cause cross-origin interference with script. Explainer addresses this (https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md#concerns-about-giving-embedders-control-over-the-nonexecution-of-iframe-code) This is not a formal FF position, we will request a formal position soon.

WebKit: No signal

Web developers: Positive Private discussions with devs are positive. Sites that have made efforts to remove all unload handlers want to use this to prevent accidental returns. Also some providers of 3rd-party iframes which have content outside of their control (e.g. ad network) want to guarantee themselves to be unload-free. https://github.com/w3c/webappsec-permissions-policy/issues/444#issuecomment-1130401722 Also positive feedback about using this to deny unload as a source of security problems. https://github.com/w3c/webappsec-permissions-policy/issues/444#issuecomment-1222973324

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

none known



Goals for experimentation

- Validate that this allows sites using it to improve their BFCache hit rate



Ongoing technical constraints



Debuggability

N/A



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Flag name

chrome://flags#enable-experimental-web-platform-features

or

--enable-features=PermissionsPolicyUnload

Requires code in //chrome?

False

Tracking bug

https://crbug.com/1324111

Launch bug

https://crbug.com/1357927#c16

Estimated milestones

DevTrial on desktop107
DevTrial on Android107


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5760325231050752

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAozHLkvhEtVOkvW4iXCbMf5a84ypGjD4arZtpS%3D0Okx6BPDdQ%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Odgovori svima
Odgovori autoru
Proslijedi
0 novih poruka