Issue metadata
Sign in to add a comment
|
Disable window.navigator.vibrate |
||||||||||||||||||||||||
Issue descriptionThe window.navigator.vibrate() call is used to vibrate the phone. This "feature" should be considered the modern equivalent of the <blink> tag. I have only seen it used by spammy ads (along with a Javascript alert()) that cause the phone to vibrate and warn the user that they are infected with malware. There is no need for this API to exist in the real world, apart from very limited use cases. I believe it does more harm than good, and we should remove support for this API on mobile. The one exception we might consider is for notifications being sent by a ServiceWorker, however, I assume in that case the SW is using the OS-level notification surface which gives the user control over whether notifications play a sound, vibrate, or something else. Example: Visit https://jsfiddle.net/yo6zv9uh/1/ from a phone, and feel the device vibrate.
,
Aug 17 2016
Sorry for going overboard here, it's just that in many thousands of hours using the mobile web, the only cases I've seen of this API are abusive ads. I'd love to know what those legitimate use cases are, and how this is actually being used in the wild. Is there any way we can get data on that? On the other hand, maybe we could use this API as a signal that a site is potentially abusive, so in that sense it might be useful to keep it. I'll try to dig up some cases of the ads I'm talking about - they are sometimes tricky to find in the wild unless you hit very shady websites.
,
Aug 17 2016
Oh, it wasn't that hard to find a case. I went to pagalworld.co (a very popular Indian music and video site) and upon clicking around on some ads there, I got this one: http://go.mobisynergy.com/?utm_term=20103679069&clickverify=1&utm_content=e…8fcddfcfd598cda696a49d8c88b88d8689bc8db2ddc5dddab7c1dbeeeeeee0e0eae88db214 which causes the phone to vibrate and redirects to a dodgy "Jackpot" site. If you stop the redirect from happening you will feel the vibration happening continuously on the original page.
,
Aug 17 2016
Also see crbug.com/625044 which applies only to cross-origin iframes. Kenji: I like the idea in crbug.com/625044 very much and it may be a good place to start. However, most of the vibrate calls I've run into aren't from cross-origin iframes (or iframes at all), they are from top-level pages that attempt to mislead the user into downloading malware. Do you have a sense of how much the cross-origin iframe intervention would impact the overall abusiveness of vibrate?
,
Aug 17 2016
Thanks for filing the issue. This is definitely a huge annoyance and we have specific plans in motion to prevent it. Specifically, we're first going to disable the use of vibrate from cross-origin iframes and then disable the usage of vibrate for the first 30 seconds or so when a user lands on the site. The former should prevent any issues with embedded ads, and the latter with full page malicious sites. Assigning to Emily - I've seen this topic come up in many different issues and threads now... I wonder if we could help this by making a centralized doc or issue about this that we could point them all to, so as to provide a canonical source of information and avoid repeating discussions?
,
Aug 17 2016
Also -komoroske now we have the issue triaged
,
Aug 17 2016
Sweet, thanks a bunch Owen and glad this is getting some attention. Perhaps you need to start Project Good Vibrations? :-)
,
Aug 17 2016
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by komoroske@chromium.org
, Aug 17 2016