Google rolls back Chrome browser alert change that broke websites, web applications • The Register


Google has temporarily rolled back Chrome’s removal of browser alert windows and other prompts created via cross-origin iframes, after a difficult rollout over the past two weeks that broke web apps and alarmed developers.

An iframe, or Inline Frame, is a part of a web page embedded within another web page. When it includes resources from a different origin or domain, it is a cross-origin iframe.

Since March 2020, the team behind Chromium, Chrome’s open source engine, has planned to limit the capabilities of cross-origin iframes because they are a security concern. Specifically, they allow an embedded resource such as an ad to present a prompt as if it came from the host domain.

“The current user experience is confusing and has already led to parodies where sites claim the message is from Chrome or some other website,” a Google engineer explained in the company’s initial notice of intent to remove the feature last year.

“Removing support for the ability of cross-origin iframes to trigger UI will not only prevent this type of impersonation, but will also unlock new efforts to make the dialog box more recognizable as part of the website rather than the browser.”

Google’s response to spoofing has been to prevent JavaScript code in cross-origin iframes from calling the alert, prompt, and confirm methods on the browser window object, which web developers use to display dialog boxes for notifications and user interaction.

In doing so, Google broke more than a few web applications. And eventually, Google plans to remove these prompt mechanisms completely (in same-origin contexts as well as cross-origin ones), again to avoid potential abuse.

The deprecation of window.alert, window.prompt, and window.confirm in cross-origin iframes took effect with the release of Chrome 92.0.4515.107 on July 20. Since then, applications like the social development environment Codepen and Microsoft Azure Cosmos Database have encountered issues, as they present users with alerts, notifications, and confirmation windows via cross-origin iframes.

In the Chromium issue where the removal is being tracked, developers weighed in to express their dismay at the way this change was forced on the web community.

“This change created a lot of difficulty for us as we are using a paid third-party service integrated through iframe in our web application and I pass a small amount of limited custom JavaScript to this third-party application when I instantiate their tool (to trigger certain actions and customize part of the tool for the user),” wrote a developer last week. “… With this change, I am struggling to implement a window.parent.postMessage workaround because pieces of our web application are now broken for our tens of thousands of users.”

“I am an engineer for a large ERP company and working on a product where hundreds of large customers (hundreds of thousands of users) are no longer able to use the product due to the removal of cross-origin dialogs,” wrote another developer.

“These customers typically choose to host the product themselves, which means that the original registration would be up to each of them individually. This is not feasible for us or their IT departments. We’re not even able to make it work internally. We also receive reluctance asking them to remove the settings from the registry.”


“My team is working around the clock and on weekends trying to rewrite our product around this change and just needs more time. This type of change should have been documented and warned in advance in my opinion.”

The outcry proved loud enough that Microsoft Edge last week rolled back changes to its upstream Chromium code to restore dialogs to cross-origin iframes. Shortly after, a Google engineer said Chrome had disabled the deprecation until August 15 to give developers more time to rewrite their apps.

Google even implemented a four-month “reverse-origin trial” that temporarily revives cross-origin prompts for Chrome users and gives developers who are reworking large web apps more time to find replacements for the exiled API methods.
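One replacement, the window.parent.postMessage approach a developer mentions above, moves the dialog into the host page, which then has to decide which frames it will speak for. The sketch below is an added example, not code from the article or from Chromium; the trusted origin, the message shape, and the function names (including the host-rendered `showHostDialog`) are assumptions.

```javascript
// Host-page side of a postMessage replacement for alert()/confirm() calls
// that used to be made from a cross-origin iframe.
// Assumed, constructed values: the trusted origin and the message shape.
const TRUSTED_ORIGINS = new Set(['https://widget.example']);
const DIALOG_KINDS = new Set(['alert', 'confirm']);
const MAX_TEXT = 500;

// Validate a MessageEvent-like object. Returns a dialog request the host can
// render, or null when the message must be ignored.
function parseDialogRequest(event) {
  // Exact origin match only: no wildcards, no substring or suffix checks.
  // Sandboxed frames report the string "null" and are rejected here too.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const d = event.data;
  if (d === null || typeof d !== 'object') return null;
  if (!DIALOG_KINDS.has(d.kind)) return null;
  if (typeof d.id !== 'string' || typeof d.text !== 'string') return null;
  if (d.text.length > MAX_TEXT) return null;
  return {
    id: d.id,
    kind: d.kind,
    // Attribute the dialog to the frame so it cannot pose as the host site.
    title: `Message from embedded content (${new URL(event.origin).host})`,
    text: d.text, // render with textContent, never innerHTML
  };
}

// Build the reply plus the targetOrigin to hand to source.postMessage().
function buildReply(request, event, accepted) {
  return {
    message: { id: request.id, accepted: Boolean(accepted) },
    targetOrigin: event.origin, // never "*": the answer goes only to the asker
  };
}

// Browser wiring. showHostDialog is a hypothetical host-rendered dialog that
// resolves to true/false; it is not a browser API.
function installDialogBridge(win, showHostDialog) {
  win.addEventListener('message', async (event) => {
    const request = parseDialogRequest(event);
    if (!request) return;
    const accepted = await showHostDialog(request);
    const reply = buildReply(request, event, accepted);
    event.source.postMessage(reply.message, reply.targetOrigin);
  });
}
```

The embedded frame would send `{ kind, id, text }` with `window.parent.postMessage(msg, hostOrigin)` and match the reply on `id`, checking `event.origin` on its side as well.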

“This is the Chrome spike; what seems like a reasonably good idea that is hampered because it was thoughtlessly pushed back without making any serious effort to notify those involved, or make sure nothing else gets broken, or make sure it completely fixes the problem,” developer Daniel Shumway wrote in a post on Hacker News.

“The product owners at Chrome are smart, but they’re sloppy and constantly breaking the web because they don’t seem to have enough sense of gravity or caution about what they’re doing.” ®


