Choice Words about the Upcoming Deprecation of JavaScript Dialogs

Many JavaScript newcomers start with this simple line:

alert("Hello, World");

However, Chrome's recent removal of alert() functionality within cross-origin iframes caused widespread issues, as evidenced by a surge in CodePen support tickets. This change, along with the deprecation of other native JavaScript dialogs like confirm(), prompt(), and onbeforeunload, significantly impacts websites like CodePen which rely heavily on cross-origin iframes for security. The lack of prior warning added to the frustration.

While security concerns are understandable (JavaScript dialogs appear identical regardless of origin, potentially confusing users), the abrupt change overlooks existing solutions like sandboxing. <iframe sandbox=""></iframe> provides robust security, allowing specific features to be enabled selectively (<iframe sandbox="allow-scripts allow-downloads ...etc"></iframe>). The existing allow-modals attribute seems insufficient, suggesting a broader goal: complete removal of JavaScript dialogs from the web platform.

This drastic measure would break countless tutorials and applications. Although the cross-origin restriction is delayed until January 2022, the planned complete removal, supported by Chrome, Firefox, and Safari, is deeply concerning. The lack of sufficient developer and user consultation is a major criticism.

The suggested alternative, postMessage, presents several drawbacks:

1. Non-blocking behavior: Unlike JavaScript dialogs, postMessage doesn't halt execution, altering application flow.
2. Code injection: Requiring developers to inject code into user code introduces technical debt and unexpected side effects (e.g., altering CSS selector behavior).
3. Security risks: Passing user-generated data to the parent frame introduces potential XSS vulnerabilities.

Even simpler workarounds, like window.alert = console.log, share similar problems.

Many developers have voiced concerns:

• Jaden Baptista: Suggests containing the alert within the iframe itself, improving both security and UX.
• Matthew Phillips: Critiques the decision as prioritizing certain websites over others.
• Dan Abramov: Expresses concern over the lack of respect for existing use cases and implementation complexity.
• Ben Lesh: Points out that some applications use the blocking nature of alert() as a feature (e.g., pausing games).

The cited metric of 0.006% of page views using these functions in cross-origin iframes is misleading, as Dan Abramov highlights: critical functionalities, such as account deletion flows, might not be accessed frequently but are nonetheless essential.

Chris Ferdinandi and Jeremy Keith further emphasize the lack of communication and the significant impact on web development. The condescending responses from some within Google only exacerbate the issue.

While acknowledging Google's contributions to web advancement, the criticism focuses on the lack of developer and user outreach, insufficient discussion of implications and transition strategies, and a lack of openness to adjusting the course of action. More collaborative and transparent processes are crucial for future web platform changes.

The above is the detailed content of Choice Words about the Upcoming Deprecation of JavaScript Dialogs. For more information, please follow other related articles on the PHP Chinese website!