Intent to Deprecate: Remove navigator.vibrate without user gesture

313 views
Skip to first unread message

Bin Lu

unread,
Mar 28, 2017, 5:11:43 PM3/28/17
to blink-dev, Anirudh Mohan, Rick Byers, Ojan Vafai, Raymes Khoury

Contact emails

bi...@google.com, anim...@chromium.org


Spec

Public standards discussion: https://github.com/WICG/interventions/issues/47


Summary

Calls to navigator.vibrate will immediately return 'false' if the user has yet to tap on the frame or any embedded frame.


Motivation

The Vibrate API is being abused by malicious sites, which annoys users (See this reddit thread). This will extend what we have done for cross-origin iframes (ie. gating vibrate with user gesture) to all frames including top-level pages.


Interoperability and Compatibility Risk

Chrome shipped the web vibration API in 2013, and Firefox in 2012, while Safari, Edge and IE don’t support it currently. To fight vibrate abuse, Firefox made a change to vibrate in 2016 to pop up a selection (YES/NO) for users to choose allowing vibration or not on a site when a site is about to vibrate for the first time.


The metrics from Chrome show that vibrate was being used by less than 0.02% of pages in Mar 2017.  Histogram metrics show ~6% of vibrate calls in Chrome were being triggered while processing a user gesture, but it's not measuring the 'ever had a user gesture' case we are using in this change. We are changing the metrics to measure the ‘ever had a user gesture’ case. Once the new metrics are available and considered safe, we would ship this and try to standardize it in the vibration API specification.


Meanwhile, once Feature Policy is shipped, web developers would be able to disable vibrate completely with it.


Edge: No signals

Firefox: No signals

Safari: No signals

Web developers: No signals


Ongoing technical constraints

None.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes, although vibrate works only on mobile (ie., Android and Android WebView, potentially new Chrome OS).


OWP launch tracking bug

https://crbug.com/704650


Link to entry on the feature dashboard

https://www.chromestatus.com/feature/5644273861001216


Requesting approval to ship?

No.


Dimitri Glazkov

unread,
Mar 29, 2017, 11:05:01 AM3/29/17
to Bin Lu, blink-dev, Anirudh Mohan, Rick Byers, Ojan Vafai, Raymes Khoury
LGTM

Rick Byers

unread,
Apr 13, 2017, 2:27:04 PM4/13/17
to Dimitri Glazkov, Bin Lu, blink-dev, Anirudh Mohan, Ojan Vafai, Raymes Khoury
API Owners accidentally discussed this issue today ("deprecate: remove" hit our regex for "deprecate and remove" threads so we briefly thought it was missing two more LGTMs).

We believe the compat risk here is extremely low - virtually any non-abusive use case should involve the user tapping on the frame first so that the frame will have a gesture.  So we'd like to upgrade this thread to a "Deprecate and Remove" and you have LGTM3 (we now discourage "intent to deprecate").  Please choose a removal milestone and replace the "soon" warning text  with a specific milestone and date (see Deprecation::deprecationMessage for how we typically format these messages).

bi...@chromium.org

unread,
May 31, 2017, 11:08:14 AM5/31/17
to blink-dev, dgla...@chromium.org, bi...@google.com, anim...@google.com, oj...@google.com, ray...@google.com, rby...@google.com, Emily Schechter
An update as FYI.:
The removal code has landed and should be shipped in M60 (The deprecation warning message is shown in M59).
Please let me know if there is any problem. Thanks.
Reply all
Reply to author
Forward
0 new messages