Intent to remove: touch drag as a user gesture in cross-origin iframes (intervention)

82 views
Skip to first unread message

Rick Byers

unread,
May 4, 2016, 6:21:35 PM5/4/16
to blink-dev
Now that we have decent UseCounter data from beta, I'd like to upgrade the below "intent to deprecate" to an "intent to remove".  See in-line:

On Wed, Mar 16, 2016 at 5:42 PM, Rick Byers <rby...@chromium.org> wrote:

Primary eng (and PM) emails

rby...@chromium.org


Summary

Currently every touch event is considered a "user gesture" and so able to do sensitive operations such as spawn popups. I propose that in (for now) cross-origin iframes, the only touch event that would get a user gesture is the touchend corresponding to a tap. Details are in the intervention doc here, and discussed here.


Motivation

We've seen multiple examples of poorly written / malicious ads which trigger navigation for touch scrolls (either on touchstart or all touchend events). If a 'wheel' event can't open a pop-up, then really touch scrolling shouldn't either.


Compatibility Risk

AFAIK Chrome has permitted this since touch support was first added.

Mobile Safari already (silently) suppresses pop-ups on all touch events except for the touchend associated with a tap, so the risk there should be low. There is more risk around features that require a user gesture which aren't supported by Mobile Safari, such as fullscreen. It's not unreasonable, for example, for a site to have a swipable toggle switch for enabling fullscreen mode which could break (although I've never seen such an example myself). To mitigate that risk I propose applying this intervention ONLY to touches targeted at cross-origin iframes.


Alternative implementation suggestion for web developers

The UX for sensitive operations should be designed to require a tap gesture.


Usage information from UseCounter

Don't know for sure yet, so this is just about deprecating and measuring at the moment. I'd like to extend the UserGestureIndicator infrastructure to be able to (mostly) track usage, and then use that to add two new metrics:


Here's the data from the last week of M51 Android beta

  • TouchDragUserGestureUsed: a sequence of touch events (other than a touchend for a tap) generated a UserGestureIndicator which got used for some purpose.
0.32% of page views.  This is fairly high and hard for me to explain.  As planned I don't think we should try to deprecate / remove, but should re-evaluate after we see how this first stage goes. 
  • TouchDragUserGestureUsedCrossOrigin: like the above, but the touch was also targeted at a cross-origin iframe. I'd like to report a deprecation warning for this, saying we plan to remove support in M52.
0.06% of page views.  This seems consistent with the anecdotal reports of occasional pop-ups when scrolling (due to bad ads).  Of course it's possible there are some legitimate use cases mixed in here too, but it's rare enough that I think the benefit clearly outweighs the risk.  

There's some risk that the usage pattern in stable will be different.  So I'll re-check this number a week after M51 hits stable and ping this thread if it rises substantially (say to above 0.1%).

OWP launch tracking bug

https://crbug.com/582140


Entry on the feature dashboard

https://www.chromestatus.com/features/5649871251963904


Requesting approval to remove too?

Not yet, plan to remove in M52.



Jochen Eisinger

unread,
May 10, 2016, 1:08:52 PM5/10/16
to Rick Byers, blink-dev
LGTM1

Dimitri Glazkov

unread,
May 10, 2016, 1:12:06 PM5/10/16
to Jochen Eisinger, Rick Byers, blink-dev
LGTM2

Chris Harrelson

unread,
May 10, 2016, 1:57:37 PM5/10/16
to Dimitri Glazkov, Jochen Eisinger, Rick Byers, blink-dev
LGTM3

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Rick Byers

unread,
Jun 13, 2016, 9:40:44 AM6/13/16
to Chris Harrelson, Dimitri Glazkov, Jochen Eisinger, blink-dev
As promised, I re-checked the UseCounters for this intent now that 51 has hit stable, and they are very consistent with what we saw during beta (details below).

0.27% in stable 
  • TouchDragUserGestureUsedCrossOrigin: like the above, but the touch was also targeted at a cross-origin iframe. I'd like to report a deprecation warning for this, saying we plan to remove support in M52.
0.06% of page views.  This seems consistent with the anecdotal reports of occasional pop-ups when scrolling (due to bad ads).  Of course it's possible there are some legitimate use cases mixed in here too, but it's rare enough that I think the benefit clearly outweighs the risk.  

0.06% in stable as well
Reply all
Reply to author
Forward
0 new messages