back to article Google hits undo on Chrome browser alert change that broke websites, web apps

Google has temporarily reversed Chrome's removal of browser alert windows and other prompts created via cross-origin iframes after a rocky rollout over the past two weeks broke web apps and alarmed developers. An iframe, or Inline Frame, is a portion of a web page embedded in another web page. When it includes resources from a …

  1. Anonymous Coward
    Anonymous Coward

    Causing a lot of applications to break for a while was probably the only way the gain significantly meaningful attention. Who reads the docs? And if they they read the docs, who pays attention to deprecation warnings? Might as well be sounding off about climate change. On this one, Google gets a pass.

    1. Anonymous Coward
      Anonymous Coward

      If they'd attempted to notify people and been ignored this would be much less of an issue.

      I like how you made sure to get the first post and make it pro-Google, that looks really natural. On this website we tend to favour the big players and not take the piss.

      Yes, I am being sarcastic.

      1. Dinanziame Silver badge

        There's being against big players, and there's being against shoddy code that uses hacky and outdated solutions. Who's using alerts in this day and age?

      2. Cliffwilliams44 Bronze badge

        Well, Chromium announced last year that this would be depreciated! That means that this is coming to the upstream browsers! This is the problem we have with much of the "corporate" applications out there. The Devs use shoddy practices and seldom update their code! Like Our companies EPR only working in Internet Explorer until 2 years ago, like this same EPR not supporting LDAPS yet, when Microsoft has been trying to depreciate that for 2 years!

  2. bofh1961

    Tightening security always breaks stuff. Users prioritise functionality over security so developers do too. Others get to fix the security holes - after they've been exploited.

    1. Mike 137 Silver badge

      "Tightening security always breaks stuff"

      Sometimes it even breaks security. Recently, without any warning Firefox disabled a perfectly safe security plugin that had provided control over cross-domain content because it was considered to be "not signed". It worked though (for ages), but now it no longer protects me.

      As a security professional I do so wish these externally provided "security" measures were optional, not forced on us without the choice.

      1. Cliffwilliams44 Bronze badge

        Re: "Tightening security always breaks stuff"

        Seriously, your complaining about that?

  3. Blofeld's Cat Silver badge
    Facepalm

    Hmm ...

    "Specifically, they allow an embedded resource like an ad to present a prompt as if it were the host domain."

    Perhaps the developers forgot where Google derives most of its revenue from.

    "The grand emperor has sent me here to inform you that the spice ads must flow."

  4. Pascal Monett Silver badge
    Flame

    "Chrome has disabled its deprecation until August 15"

    2022 ?

    No, seriously, just ten more days ? How generous, Google.

    It's obvious you are not the one putting in the overtime your changes have imposed.

    Now that you've caused the stink, you could at least give something like 60 days for developers to analyze, define and implement the required changes.

    It's not like the Web will break in that time anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Chrome has disabled its deprecation until August 15"

      But ten days is enough for Google to throw untested code into Chrome and force it on the masses. They are just passing on their Best Practices to other companies to follow their lead in throwing out untested code.

      Next those companies need to also learn how to ignore their clients screams when things fail to work.

      1. willum0806

        Re: "Chrome has disabled its deprecation until August 15"

        "They are just passing on their Best Practices to other companies to follow their lead in throwing out untested code."

        You mean like Microshaft?

  5. Sgt_Oddball Silver badge

    So what of...

    Card payment services? Alot of them use an embedded iFrame to offload liability within the PCI-DSS compliance framework. Think of a large company with many different brands taking payments, do you a) Certify each and every site to the top PCI-DSS level 1 merchant compliance with all the security checks that entails, b) Create a separate entity to handle all payments for all sites and use an iFrame to handle the payment (thus meaning no money is put through each individual site but only the payment service, and only needs one site to be fully scrutinised). Or c) Hand it over to a 3rd party provider like PayPal for example... again via an iFrame.

    1. Robert Grant Silver badge

      Re: So what of...

      So what? Do they pop up Javascript alerts?

    2. Tom 38 Silver badge

      Re: So what of...

      There's no problem with embedded iframes, just with an iframe using alert, prompt and confirm as though they are the main website.

      Don't do those things, and you're golden. HSBC don't, Paypal don't.

      The way Google rolled it out is bad, but using alert/prompt/confirm is bad UI in 2021 anyway. This change isn't going to break things significantly , because the vast majority of iframe users don't use these modal prompts anyway, and will force the ones that do to correct their bad UI, whilst preventing bad actors from abusing it.

      What they should have done, instead of forbidding it and instantly breaking these apps with bad UI, is present the message in a way that is ugly and would make users complain, whilst still allowing the app to work.

      Eg, before displaying the alert, chrome could have displayed a message "This app is attempting to display an alert which does not come from the original website" and force the user to click OK before displaying the actual message. This would have not broken the apps that are still using it, but they would want to fix their app so that users no longer see such a message.

  6. elsergiovolador Silver badge

    Chrome is not a browser

    When people realise that Chrome is no longer a browser but a tool to use Google Apps?

    If you want a real browser download Firefox.

    1. brotherelf

      Re: Chrome is not a browser

      That would be the Mozilla Firefox that disabled HTTP Basic Auth for iframe a couple of years back for a version? (They gave much the same bullshit reason: "we cannot figure out a way to show in the UI who triggered the request")

      1. Throatwarbler Mangrove Silver badge
        FAIL

        Re: Chrome is not a browser

        Why are you using http basic auth? Do you also store the user credentials in plaintext?

        1. Michael Wojcik Silver badge

          Re: Chrome is not a browser

          Because no one uses TLS? And <input type="password"> is magically safer on the wire than Basic Auth?

    2. Claverhouse Silver badge

      Re: Chrome is not a browser

      When people realise that Chrome is no longer a browser but a tool to use Google Apps

      When people realise that Chrome is no longer a browser but a tool to use Google Ads ?

  7. Anonymous Coward
    Anonymous Coward

    Breaking the appalling CosmosDB UI in Azure Portal can only increase world happiness.

  8. tiggity Silver badge

    Shame

    Google do a lot of bad things with chrome, but this was a good thing for security (& web apps that fail due to this deserve it, too much cross origin js fuckery around (too much js full stop, but that's a separate rant)).

    At least they will reinstate it in a while

  9. trevorde Silver badge

    The browser is the new operating system

    Don't forget to test your app on:

    * previous versions of Google Chrome (for those orgs who fix on a particular version)

    * Firefox

    * Microsoft Edge

    * Internet Explorer 6

    1. ThatOne Silver badge
      Devil

      Re: The browser is the new operating system

      Test?

    2. Anonymous Coward
      Anonymous Coward

      Re: The browser is the new operating system

      I always test for Internet Exploder - then I tell the users to stop using such a stinking pile of old crap and display a list better alternatives (with Firefox first in the list).

    3. Cliffwilliams44 Bronze badge

      Re: The browser is the new operating system

      "Don't forget to test your app on:

      * previous versions of Google Chrome (for those orgs who fix on a particular version)

      * Firefox

      * Microsoft Edge

      * Internet Explorer 6"

      Really? This is a fight we've had to have with both internal and external developers over and over.

      "It only works on Chrome X.X.X" No! that version has security vulnerabilities! We will not allow it!

      "You must use out app in I.E!" Hell no!

  10. Irongut Silver badge

    Other browsers are available

    No one is forcing you to sell your soul to Google, no one forced you to support or use Chrome - you chose to do it voluntarily.

    You could stop feeding the beast and those alerts would magically work again.

    1. This post has been deleted by its author

    2. General Purpose Bronze badge

      Re: Other browsers are available

      That's fine if you're a user. What do you do if a service on your website has been broken for most of your customers? Tell the complaints department to tell customers to use another browser?

      1. Someone Else Silver badge
        Go

        Re: Other browsers are available

        Why not? I've been told to use Chrome or Insecure Exposer becasue they (the website) can't handle (read: get around the security built into) Firefox. I'm looking at you, Paramount+....

        1. General Purpose Bronze badge

          Re: Other browsers are available

          We're losing sales, we're losing customers who'll remember our website's no good and never come back, and you're saying "Why not"?

          1. Someone Else Silver badge

            Re: Other browsers are available

            Fix yer damn website, and you won't have those problems. Simples.

            Oh, but it will take effort, and quite possibly expertise that your 'web designers' may not now (or ever) possess.

        2. Someone Else Silver badge

          Re: Other browsers are available

          I'm looking at you, Paramount+....

          Oh, and Costco...can't forget about Costco's 'website'....

          El Reg, where's the vomit icon?

    3. Cliffwilliams44 Bronze badge

      Re: Other browsers are available

      How many of these other browsers are Chromium based! This is not just a Google issue, it is ALL chromium based browsers! And if some other browser i.e. Firefox, allows bad practices that create security holes should we allow that in our organization? I think not!

  11. Anonymous Coward
    Anonymous Coward

    alerty

    This is a huge problem especially with mobile web browsers.

    Malicious ads popping alerts claiming the users device is infected with viruses etc,

    I've been tracking malicious mobile ads using AdMaven, Taboola and ADFly for several months.

    One of the scripts used is Alerty:

    https://github.com/undead25/alerty

  12. Someone Else Silver badge

    With this change I am scrambling to implement an ugly window.parent.postMessage workaround because chunks of our web app are now broken for our tens of thousands of users."

    Well, perhaps cross-origin iframes were not such a good idea (read: convenient hack) in the first place?

    Reminds me of the hue and cry that accompanied the removal of the ALTER verb from Cobol-80. (For those of you are not Boomers, Cobol's ALTER verb allowed one to write self-modifying code; a practice that ranks right up there with the indiscriminate use of GOTO1 in the level of disdain.)

    1Well, for languages that are block structured, anyway. Not much you can do in Fortran IV without it, to be sure, but for C...

    1. swm Silver badge

      I started writing code in 1960 so I am grandfathered for GOTOs.

      1. Jeffrey Nonken

        1973 here, but same. First language was FORTRAN IV on an IBM 1130.

        I didn't know about ALTER but I'm not fluent in COBOL.

    2. MarkSitkowski

      I write self-modifying code in 'C'. It's more secure than encryption...

      1. Michael Wojcik Silver badge

        It's more secure than encryption

        "This apple is more food than baking!"

    3. Michael Wojcik Silver badge

      Not 1980. ALTER was moved to "Obsolete" status in COBOL-85 and removed entirely in COBOL-2002.

      It might be worth noting that ALTER didn't enable arbitrary code modifications. It only permits changing a specific subset of GO TO statements (they have to be non-computed GO TOs that are the only statements in their enclosing paragraphs) to refer to different labels.

      Since COBOL's GO TO uses paragraph names as its labels, and given the restrictions on COBOL's paragraph-level control flow and the aspects of it which the standard leaves to the implementation, ALTER can easily be implemented without actually modifying code at runtime. It can be treated as syntactic sugar for conditional branches or implemented with (the equivalent of) function pointers, for example.

      The primary argument against ALTER was that it made control-flow analysis too difficult, but it's really not any worse than function pointers in C. In fact it's better, because the target has to be in the same translation unit and has to be a literal; you can't play games with, say, dynamic symbol resolution as you can in many C implementations (if not in strictly-conforming C). Hysteria over an inflated bugbear.

  13. J27 Silver badge

    Why not just disable alerts entirely? It's not like they've been used for legitimate purposes by competent developers in years. And if you're a developer with a lot of old cruft in your code, changing standards are just more reason for your existence.

  14. YetAnotherJoeBlow Bronze badge

    Well...

    Move fast break things.

    So it is OK then?

    1. Cliffwilliams44 Bronze badge

      Re: Well...

      Yeah, it it. I would not say this was a "move fast" event. I have not looked but I'll wager this was somewhere on Googles developer sites stating this change was eminent. It certainly was announced by the upstream Chromium team.

      If one of our vendors apps was broken by this, yeah we would roll back a version if we had to but we certainly would put serious pressure on them to fix it if they want to remain a vendor for us.

  15. JBowler

    Disabling JavaScript should work too

    It should work because unlike the main window the IFRAME does not cause any notice of "JavaScript disabled" and there is no way for most people to work out how to re-enable JavaScript for the IFRAME domain because it is impossible to discover the domain without UTSL (and maybe not even then).

    I have JavaScript disabled in the sync'ed Chrome settings; so the disability applies to all machines running chrome which sync user settings. E.g. I set it up on Chrome on Windows 10 and it auto-applies to Chrome on Linux. Then users enable JavaScript for web sites where something doesn't work but they can't enable it for ad sites and other IFRAME nonsense because they simply don't know it is there. So far as I know enabling it for the advertised domain does not enable if for random frames from spy/ad/phish/secret domains embedded within the content. (Someone tell me if it does :-)

    I also seem to have 92.0.4515.107 Chrome installed with no problems but a user machine that was rebooted yesterday is now at 4515.131 Chrome support does at least say how to de-upgrade and prevent automatic upgrades - considerably better than iOS.

    I also installed pi-hole recently. Absolutely not one single complaint! In fact I think everything is going faster, but then I live in the land of no internet (the rural US).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021