Open Bug 1624978 Opened 5 years ago Updated 4 years ago

consider removing support for dialogs (window.alert/confirm/prompt) from cross-origin subframes

Categories

(Core :: DOM: Window and Location, enhancement, P2)

People

(Reporter: dbaron, Unassigned)

Blink is looking at removing support for window.alert/window.confirm/window.prompt from cross-origin subframes; see the intent thread.

If Blink's work works out (in terms of web compatibility), it seems like we should follow them, given that this reduction of the ability of cross-origin frames to annoy users seems like an improvement for users.

(In reply to David Baron :dbaron: 🏴󠁵󠁳󠁣󠁡󠁿 ⌚UTC-8 from comment #0)

> If Blink's work works out (in terms of web compatibility), it seems like we should follow them, given that this reduction of the ability of cross-origin frames to annoy users seems like an improvement for users.

Anne, is spec work needed? Does this interact with sticky activation?

Chrome Status page:

https://www.chromestatus.com/feature/5148698084376576

Chrome bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=1065085

Severity: normal → --
Flags: needinfo?(annevk)

It would be good if the specification called out that this never works for cross-origin subframes (for clarity, this is broader than the Fission boundary and would also apply when Fission is not in use, e.g., on mobile) and I think Chrome is willing to drive that change. They have not shipped anything yet here though. We could have a Nightly-only implementation as a starting point I suppose.

Also adding Johann and Paul as doing this would reduce the need for complicated security UI.

Flags: needinfo?(annevk)

I agree that this is clearly something we want to do and web compat may be the only issue.

Is there any point in suggesting a Permissions Policy attribute for this or should we avoid further complicating the matter (I'm leaning towards the latter)?

The latter seems better since these are not features we want to offer anymore. They are legacy cruft.

kmag recommends we implement soon behind a Nightly pref. If Chrome ships this feature, we'd like to be able to quickly ship it, too.

Severity: -- → N/A
Priority: -- → P2

Does this also apply to beforeunload-related dialogs?

No, this is just the 3 methods, but that seems worth tracking separately.

Chrome did this and it broke the web bad. They are backing it out until at least Jan 2022.
