Google hits undo on Chrome browser alert change that broke websites, web apps

If they'd attempted to notify people and been ignored this would be much less of an issue.

I like how you made sure to get the first post and make it pro-Google, that looks really natural. On this website we tend to favour the big players and not take the piss.

Yes, I am being sarcastic.

"Tightening security always breaks stuff"

Sometimes it even breaks security. Recently, without any warning Firefox disabled a perfectly safe security plugin that had provided control over cross-domain content because it was considered to be "not signed". It worked though (for ages), but now it no longer protects me.

As a security professional I do so wish these externally provided "security" measures were optional, not forced on us without the choice.

Re: "Chrome has disabled its deprecation until August 15"

But ten days is enough for Google to throw untested code into Chrome and force it on the masses. They are just passing on their Best Practices to other companies to follow their lead in throwing out untested code.

Next those companies need to also learn how to ignore their clients screams when things fail to work.

Re: So what of...

So what? Do they pop up Javascript alerts?

Re: So what of...

There's no problem with embedded iframes, just with an iframe using alert, prompt and confirm as though they are the main website.

Don't do those things, and you're golden. HSBC don't, Paypal don't.

The way Google rolled it out is bad, but using alert/prompt/confirm is bad UI in 2021 anyway. This change isn't going to break things significantly , because the vast majority of iframe users don't use these modal prompts anyway, and will force the ones that do to correct their bad UI, whilst preventing bad actors from abusing it.

What they should have done, instead of forbidding it and instantly breaking these apps with bad UI, is present the message in a way that is ugly and would make users complain, whilst still allowing the app to work.

Eg, before displaying the alert, chrome could have displayed a message "This app is attempting to display an alert which does not come from the original website" and force the user to click OK before displaying the actual message. This would have not broken the apps that are still using it, but they would want to fix their app so that users no longer see such a message.

Re: Chrome is not a browser

That would be the Mozilla Firefox that disabled HTTP Basic Auth for iframe a couple of years back for a version? (They gave much the same bullshit reason: "we cannot figure out a way to show in the UI who triggered the request")

Re: Chrome is not a browser

When people realise that Chrome is no longer a browser but a tool to use Google Apps

When people realise that Chrome is no longer a browser but a tool to use Google Ads ?

Re: The browser is the new operating system

I always test for Internet Exploder - then I tell the users to stop using such a stinking pile of old crap and display a list better alternatives (with Firefox first in the list).

Re: The browser is the new operating system

"Don't forget to test your app on:

* previous versions of Google Chrome (for those orgs who fix on a particular version)

* Firefox

* Microsoft Edge

* Internet Explorer 6"

Really? This is a fight we've had to have with both internal and external developers over and over.

"It only works on Chrome X.X.X" No! that version has security vulnerabilities! We will not allow it!

"You must use out app in I.E!" Hell no!

Re: Other browsers are available

That's fine if you're a user. What do you do if a service on your website has been broken for most of your customers? Tell the complaints department to tell customers to use another browser?

Re: Other browsers are available

How many of these other browsers are Chromium based! This is not just a Google issue, it is ALL chromium based browsers! And if some other browser i.e. Firefox, allows bad practices that create security holes should we allow that in our organization? I think not!

I started writing code in 1960 so I am grandfathered for GOTOs.

I write self-modifying code in 'C'. It's more secure than encryption...

Not 1980. ALTER was moved to "Obsolete" status in COBOL-85 and removed entirely in COBOL-2002.

It might be worth noting that ALTER didn't enable arbitrary code modifications. It only permits changing a specific subset of GO TO statements (they have to be non-computed GO TOs that are the only statements in their enclosing paragraphs) to refer to different labels.

Since COBOL's GO TO uses paragraph names as its labels, and given the restrictions on COBOL's paragraph-level control flow and the aspects of it which the standard leaves to the implementation, ALTER can easily be implemented without actually modifying code at runtime. It can be treated as syntactic sugar for conditional branches or implemented with (the equivalent of) function pointers, for example.

The primary argument against ALTER was that it made control-flow analysis too difficult, but it's really not any worse than function pointers in C. In fact it's better, because the target has to be in the same translation unit and has to be a literal; you can't play games with, say, dynamic symbol resolution as you can in many C implementations (if not in strictly-conforming C). Hysteria over an inflated bugbear.

Re: Well...

Yeah, it it. I would not say this was a "move fast" event. I have not looked but I'll wager this was somewhere on Googles developer sites stating this change was eminent. It certainly was announced by the upstream Chromium team.

If one of our vendors apps was broken by this, yeah we would roll back a version if we had to but we certainly would put serious pressure on them to fix it if they want to remain a vendor for us.