New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 587940 link

Starred by 25 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Remove message from onbeforeunload dialog

Project Member Reported by a...@chromium.org, Feb 18 2016

Issue description

onbeforeunload dialogs are used for two things on the Modern Web:
1. Preventing users from inadvertently losing data.
2. Scamming users.

In an attempt to restrict their use for the latter while not stopping the former, we are going to not display the string provided by the webpage. Instead, we are going to use a generic string.

Firefox already does this (see the attachment).

This does not violate the spec. Per https://html.spec.whatwg.org/#prompt-to-unload-a-document, step 7:

"The prompt shown by the user agent may include the string of the returnValue attribute, or some leading subset thereof. (A user agent may want to truncate the string to 1024 characters for display, for instance.)"

The prompt MAY include the string. We will no longer do so.
 
Screen Shot 2016-02-18 at 2.04.32 PM.png
87.6 KB View Download

Comment 1 by creis@chromium.org, Feb 18 2016

Cc: creis@chromium.org

Comment 2 by a...@chromium.org, Feb 25 2016

This is now an Intent, https://groups.google.com/a/chromium.org/d/msg/blink-dev/YIH8CoYVGSg/Di7TsljXDQAJ , which was approved by the API_OWNERS.
Project Member

Comment 3 by bugdroid1@chromium.org, Mar 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/141dbc132f8aa2588fad4cf50fbfd7a319234b61

commit 141dbc132f8aa2588fad4cf50fbfd7a319234b61
Author: avi <avi@chromium.org>
Date: Fri Mar 11 22:27:42 2016

Remove the ability of webpages to specify strings for the onbeforeunload dialog.

BUG= 587940 
TEST=as in bug
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Review URL: https://codereview.chromium.org/1714573002

Cr-Commit-Position: refs/heads/master@{#380755}

[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/DEPS
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/browser/aw_contents_client_bridge_base.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/browser/aw_javascript_dialog_manager.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/browser/aw_javascript_dialog_manager.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/native/BUILD.gn
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/native/aw_contents_client_bridge.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/native/aw_contents_client_bridge.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/native/webview_native.gyp
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/android_webview/ui/grit_components_whitelist.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/chrome/browser/ui/cocoa/javascript_app_modal_dialog_cocoa.mm
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/components/app_modal/javascript_dialog_manager.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/components/app_modal/javascript_dialog_manager.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/components/app_modal_strings.grdp
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/components/test_runner/web_frame_test_proxy.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/frame_host/render_frame_host_delegate.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/frame_host/render_frame_host_manager_unittest.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/web_contents/web_contents_impl.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/web_contents/web_contents_impl.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/browser/web_contents/web_contents_impl_unittest.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/common/frame_messages.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/public/browser/javascript_dialog_manager.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/renderer/render_frame_impl.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/shell/browser/layout_test/layout_test_javascript_dialog_manager.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/shell/browser/layout_test/layout_test_javascript_dialog_manager.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/shell/browser/shell_javascript_dialog_manager.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/content/shell/browser/shell_javascript_dialog_manager.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/extensions/browser/guest_view/web_view/javascript_dialog_helper.cc
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/extensions/browser/guest_view/web_view/javascript_dialog_helper.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/LayoutTests/fast/events/before-unload-reloads-expected.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/LayoutTests/fast/events/before-unload-returnValue-expected.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/LayoutTests/fast/loader/form-submission-after-beforeunload-cancel-expected.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/LayoutTests/fast/loader/show-only-one-beforeunload-dialog-expected.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/LayoutTests/http/tests/misc/reentrant-beforeunload-expected.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/LayoutTests/inspector-protocol/page/javascriptDialogEvents-expected.txt
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/Source/core/loader/EmptyClients.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/Source/core/page/ChromeClient.cpp
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/Source/core/page/ChromeClient.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/Source/web/ChromeClientImpl.cpp
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/Source/web/ChromeClientImpl.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/third_party/WebKit/public/web/WebFrameClient.h
[modify] https://crrev.com/141dbc132f8aa2588fad4cf50fbfd7a319234b61/tools/metrics/histograms/histograms.xml

Comment 4 by a...@chromium.org, Mar 14 2016

Status: Fixed (was: Started)
Shall we call this done?

Comment 6 by a...@chromium.org, Mar 25 2016

Cc: mea...@chromium.org a...@chromium.org
 Issue 579113  has been merged into this issue.

Comment 7 by a...@chromium.org, Mar 28 2016

Labels: Needs-Feedback
Tested the issue on windows 7 using chrome version 51.0.2704.4 on crbug.com Observed the String as like attached screen shot.

avi@ could you please check the screen shot and confirm is this the expected behavior? else please provide any specific website or test file to verify the issue from test team end.

Thank you!
587940.png
279 KB View Download

Comment 9 Deleted

Comment 10 by a...@chromium.org, Apr 12 2016

kavvaru: Yep, that is what we want!
Labels: -Needs-Feedback TE-Verified-52.0.2717.0 TE-Verified-M52 OS-Linux OS-Mac OS-Windows
Verified the issue on Windows 7, Ubuntu 14.04 and Mac OS 10.11.4 using chrome latest Dev M52-52.0.2717.0 and observed the pop up is displayed as shown in the comment #0 as expected. Hence adding TE-Verified label.

  
587940.jpg
210 KB View Download

Comment 13 by a...@chromium.org, Jun 6 2016

 Issue 616630  has been merged into this issue.
 Issue 618611  has been merged into this issue.

Comment 15 by tans...@gmail.com, Jun 16 2016

Same issue with me, I was working on my site and was informed that popup alert message is not working, previously this thing happened in Firefox and now in Chrome too! Im using Windows 8.1 latest version of Goolge Chrome
The default message seems to be "Do you want to leave this site?"

This is very misleading and assuming. My users are being taken to the next page in the workflow they are in... not leaving the site!

At a minimum, it should be "Do you want to leave this page?"
The message in Firefox is: 

"This page is asking you to confirm that you want to leave - data you have entered may not be saved"

This is much better as it does not state that you are leaving this site. Also, the message may be shown for other reasons, not because changes were made, as is implied in the new Chrome message.
 Issue 624729  has been merged into this issue.
Fixing an issue by removing a function works fast and easy. But that the problem behind hasn't been addressed here at all. A real fix would be to make the custom string harmless to the user. 

Do you really think that browsers are not able to render a custom string to the user without any security risk? Maybe when the string comes from a save cache created not before 2017^^

Comment 20 by a...@chromium.org, Aug 10 2016

 Issue 620834  has been merged into this issue.
I would like to propose that "onUnload" javascript functionality is malicious, and should be removed from the javascript standard altogether, and support for it should be dropped from browsers. When I click close button on a tab, take one wild guess at what I want to happen. Anything besides the tab closing is not what I want, and I consider it to be a malicious override of user control of my machine.
 Issue 708984  has been merged into this issue.
 Issue 708516  has been merged into this issue.

Comment 24 Deleted

Comment 25 by prim...@gmail.com, May 8 2017

I would like to suggest that there should be a list of whitelisted messages that could be displayed, and if the specified message matches one exactly then it should be displayed. I would happily choose from a list rather than be stuck with the 1 generic catch-all message that I'm currently stuck with.

Sign in to add a comment