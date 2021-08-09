



August 9, 2021

Last week I learned that the Google Chrome team plans to discontinue alert (), prompt () and confirm (). This is three browser-native ways to display a modal window to the user.

The wording of the ticket means that it only exists on cross-domain sites (that is, third-party iframes), which in itself destroys sites like CodePen. But if you dig deeper into the conversation, you’ll see that they actually plan to do this for all sites and implementations.

This is a major, web-breaking change that really shows how powerful the Chrome team is against the platform. Let’s dig into it.

Why does the Chrome team want to do this?

When reading messages and often trying to decipher technical words, the main reason is “security”.

Some malicious individuals prefer to use alert () etc. in cross-domain iframes for phishing. Non-technical users can be confused by alert (), prompt (), and confirm () appearing at the top of the window to prevent the rest of the page from loading. Believe in the message “There is a problem with the machine”. Disclose confidential information to hackers.

This is a real and valid concern, especially for third-party or cross-domain iframes.

However, I don’t know how this will be carried over to the alert (), prompt (), confirm () modals of the same domain. They have many useful uses, and if someone uses them for phishing on their site, they will use something else in the future.

Third-party blocking protects against unexpected injection attacks. Blocks of the same domain? I do not know.

So I contacted one of the supporters of Google Chrome developers I know to see if I could learn more. It didn’t work.

The Chrome team treated this very badly

Supporters of the developers I reached out found that my wording was controversial. I’m not going to link to the original tweet, but this is what I wrote.

Do you have any insights on deprecated alert (), confirm (), prompt () in Chrome? There is a cross-origin debate, but it seems that the same origin will be removed as well.

I feel this is myopic at best.

The answer I got is included (I’m paraphrasing here) …

Did you actually read the discussion thread? It’s all spelled out there. alert (), prompt (), confirm () block the main thread. This is a long and slow road. I won’t do this tomorrow. Did you actually read the discussion? Seriously, it’s so clear!

The disdainful refrain, “I’m sure you actually read it,” favors AF. This is the “just” or “simply” equivalent of the developer documentation.

I read. I didn’t understand. So I asked someone whose literal job is to communicate with developers about the changes Chrome makes to the platform.

This is not limited to one Chrome developer. The entire message thread that this change has surfaced is full of people begging Chrome not to proceed with this proposal, as Chrome will break everything.

This includes such responses, such as responses to interruptions in CodePen …

This is fantastic! This means that you will not use these features in the future. This serves our goal of ultimately deprecating and removing it from the platform. In this case, I’m really happy to be able to learn about the problem in a low stakes learning environment rather than in a production environment.

It was good to break your site! We have shown your favor!

Since discontinuing this feature across the platform is a “long and slow road”, Google has already deployed these changes to cross-domain iframes, breaking numerous sites and virtually no communication about it. was.

alert (), prompt (), confirm () are more than just “learning”.

One of the big conversational themes I’ve seen about this is that alert (), prompt (), confirm () are good for people learning the platform, but not much else. That is.

That’s nonsense!

There is no other accessible browser-native way to display modal windows. Dialog elements are an inaccessible mess that has never been implemented cross-platform and does not work well where it is implemented.

The modals of alert (), prompt () and confirm () are simple, easy to access and get the job done. They aren’t pretty, but they’re more than just learning.

It’s a great way to see what the user is doing before making any significant changes (such as submitting a form or deleting data). The boring and platform-specific features are great! I want more.

The fact that they “block the main thread” was also mentioned a lot. Personally, I think this is a feature, not a bug. The overall point of the modal is to prevent the user from doing anything else until the user has dealt with it. It’s literally what they were designed to do. Not everything needs to be asynchronous.

Cross-domain modal security issues are realistic, but they can be addressed in other ways. Some people are proposing permission properties for the iframe element itself.

(In fact, there is already a way to do this!)

Others have suggested adjusting the modal placement and style to make it clearer that the modal is part of the website or iframe itself, not a system notification from the device’s operating system. ..

Chrome is too powerful on the web

Chrome accounts for an estimated 65% of the browser market share on all platforms. This is bad for the web.

This has a history of pushing platform changes without the consensus of other browser vendors. Sometimes that change is good for the web. Sometimes they are bad. But there is a reason for the standardization process.

A few years ago, Microsoft Edge switched from its own rendering edge to Chromium, Google’s rendering engine that enhances Chrome. Many standard people lamented the loss of another rendering engine, but Chrome people argued that it was better to compete for features that are on top of the shared engine.

But what if the company that manages the platform makes a one-sided change?

The Edge team decided to keep the latest updates instead of removing alert (), prompt (), confirm (). This basically requires you to keep a forked version of Chromium or do whatever Google wants to do with Chromium.

One browser vendor cannot deprecate long-standing platform features without consensus from other vendors.

Features are generally not deprecated, as backward compatibility is so important, but they do occur in some cases. But when that happens, it needs to be part of a standardized process.

Temporary grace

Google has rolled back cross-domain iframe changes for at least six months and weeks. This gives you more time to fix potential issues on your platform.

But it doesn’t address the underlying issue here. Chrome decided to destroy most of the web because only they decided it was the right thing to do.

There are people in the message thread who are willing to agree that the Chrome team won’t break everything for weeks and are seeking some alternatives to allow alert (), prompt (), confirm (). .. Still limited use.

To be honest, I’m not sure how to get there. Currently, there is no replacement for platform-native modals.

update

After pressing publish, I learned that this was clearly part of the standard process, the developer was Safari, and Firefox agreed to the change. This is the specification of GitHub.

Considering how many people were surprised by it, it seems that it wasn’t really widely disseminated. Obviously, that’s very bad for a significant change.

Communication and feedback on how this will affect the people who actually build things on the web, especially if there is a change in the platform, especially if it’s broken, is very important and will not be done here. It was.

This situation was exacerbated by the general rejection of valid concerns by the Chrome team until the Chrome team got enough attention to roll back the changes a bit.

Sources 1/ https://Google.com/ 2/ https://gomakethings.com/google-vs.-the-web/

