Google Chrome Criticized For Breaking Change Over Disabling Alert() and Confirm() in Cross-Origin Frames

Google Chrome will disable JavaScript functions like alert() and confirm() inside cross origin-frames," reports Inside.com's developer newsletter.

"As this is a breaking change, developers are encouraged to update their apps and debugging tools before the update." A Chrome engineering team member said the team is disabling alert() to protect users from being tricked by scammers. Some are complaining this has already affected programming tutorials and Javascript learning sites that sandbox user-provided code in cross-origin frames. For those affected by the changes, Chrome advises the following:

- Get a few months' extension by signing up for the "reverse origin trial" so you can temporarily opt out of the change.

- Check out the enterprise policy.


The move has sparked controversy:

- One Discord engineer criticized the fact such a major breaking change is happening without extensive discussion on the matter.

- Another Twitter user echoed the sentiment of many when he argued the move will just hurt those who can't easily update sites while encouraging attackers to use pseudo alert functionality.
One of Google's Chrome engineers explained on Twitter that "Major browser vendors are generally aligned about wanting to move the platform away from alert() and friends, even though it will unfortunately involve some breakage...

"On breakage in general — breaking changes happen often on the web, and as a developer it's good practice to test against early release channels of major browsers to learn about any compatibility issues upfront."

Re:

[Anonymous Coward]

It would drive me mad.

it keeps us in business, it's the clients that suffer

Re:

[Aighearach]

If you use cross-origin frames you might already be mad.

IE6

[ThurstonMoore]

Chrome is the new IE6.

Re:IE6

[h33t l4x0r]

Fuck that. Any cross-origin horseshit can suck my hairy balls. Bringing frames into same origin is an easy fix for anybody that's legit.

Re: IE6

[ttfkam]

Except that the Chrome team is on record that this is only the first step. The end goal is dropping ALL such calls in ALL origins.

Re:

[arglebargle_xiv]

No mod points or I'd +1 it. The end goal is that everything will either be Google or will be sites that do things the way Google tells them.

Re:

[sabri]

The end goal is that everything will either be Google or will be sites that do things the way Google tells them.

Exactly. It seems that Google has become evil.

Re:

[The MAZZTer]

The whole point of using a different origin is because the code they're loading is potentially untrusted so they want to sandbox it. Bringing it into the same origin defeats that, and allows that code to access user data for that origin such as login tokens. For example, Google uses the domain googleusercontent.com for this purpose. That said apart from tutorials using "alert" for feedback I don't see how disabling alert/confirm/input is going to negatively impact much.

In addition it's not an unsolvable pro

Re:

[phantomfive]

Firefox is really great these days.

Re:

[Linux Torvalds]

Why would I want to disable Proton? It's fine.

Re:

[tepples]

In my experience, Proton doesn't show enough contrast between the appearance of the focused tab and that of other tabs.

Re:

[yuvcifjt]

Install a theme, such as ClassicWindows [mozilla.org] or Photon Colors [mozilla.org] or a multitude of other related themes.

That's unfortunately what I've had to do across various firefox profiles and instances, to fix some of the problems introduced by the yet-another unnecessary design change!

Unacceptable

[Anonymous Coward]

There is no excuse for browser vendors breaking web standards simply because they feel like it or they think they know better. Trying to normalize it by saying that's life we'll break whatever we please try to keep up is the same attitude that causes nobody to take Google seriously enough to depend on them for anything.

Re:

[brickhouse98]

I'd like to hear what "browser vendors" they're even talking about. Most "browser vendors" just use Chromium as a base so by doing this are they just making it a self fulfilling prophecy? Chrome truly is the new IE6 and no one should be pleased about that.

Re:

[Ichijo]

"A foolish consistency is the hobgoblin of little minds." --Ralph Waldo Emerson

Re: Unacceptable

[NagrothAgain]

"Multiple foolish inconsistencies is worse." some guy who actually supports systems at Scale, as opposed to sitting around a lake smoking opium and burning incense.

Re:

[truedfx]

When browser vendors are faced with a choice between following web standards and doing what their users want, the browsers that do what their users want win out. The web standards are clear what is supposed to happen when a web page has a neverending loop of window.open calls. The users are clear that any browser that implements that as specified is a browser that should not be used.

Google appear to believe that following web standards in this case is also hostile to users. I think there are other approache

Well yeah the standard clearly states that's confi

[raymorris]

> The web standards are clear what is supposed to happen when a web page has a neverending loop of window.open calls.

Yes, the specification gives a list of conditions under which window.open() shall return null, do nothing. An example would be if the user hasn't interacted with the page recently, or if the loop counter is too high. It then says if conditions are such that it's not required to do nothing, it can open a new window *if configured to do so in these conditions*.

https://html.spec.whatwg.org/m. [whatwg.org]

Re:

[Aighearach]

We don't want even one javascript-initiated popup, asshole. If we didn't click it, we don't want it.

Re:

[raymorris]

> We don't want even one javascript-initiated popup, asshole.

Then turn it off, asshole?

> If we didn't click it, we don't want it.

So what you're saying is that you *like* the standard?
If you're getting popups without clicking, you may wish to put that back to the default setting. Not sure why you changed that.

Re:

[raymorris]

I posted the link to the standard above. In case it wasn't clear, here's what the standard says:

There is a timer that is started when you "click" on something.
Except for accessibility it doesn't say "click", it says "interact with" because people could use keyboard shortcuts, their voice, etc. For your mouse-clicking use case, you can pretend it says "click".

When you "click", the browser is in the activation window for a chosen number of milliseconds or event loop cycles (the timer can be implemented either

Re:

[tepples]

don't click shit that opens in a new window

That doesn't help when the entire body element has a click listener that treats it as "shit that opens in a new window".

Re:

[raymorris]

So again, of you're having a problem with that on your haxed warez sites, set the browser config to not open new windows in response to JavaScript. It's under the "security" that in IE.

For Chrome:
On your computer, open Chrome.
At the top right, click More. Settings.
Under "Privacy and security," click Site settings.
Click Pop-ups and redirects.
At the top, turn the setting to Allowed or Blocked.

That's the reason the spec says the browser should check it's configuration. So you can set it how you like.

Re:

[angel'o'sphere]

Your link does not cover the topic about window.open.

As far as I'm concerned, unless I hit the key command-N/ctrl-N, or click a clink with ctrl/command down: the browser should not open a new window or new tab.

And it is much more annoying the other way around: I click with command on a link, and the damn javascript overrides to open it in a new tab, but displays it in the current tab.

Re:

[raymorris]

What I linked to is precisely the algorithm for opening a new window. You'll notice the very important "a new browsing context is being requested, and what happens depends on the user agent's configuration and abilities".

A new window is "a new browsing context". Of course a browser could be entirely auditory, or it could be completely automated so there is no UI, or it could be Lynx, so that section doesn't use the term "window" because your screen and mouse use case isn't the only use case. A new window is

Re:

[truedfx]

Yes, the specification gives a list of conditions under which window.open() shall return null, do nothing.

Apologies for not checking carefully enough to get the details exactly right, but unless there was already a specification or documentation covering pop-up blocking at the time that pop-up blocking was added to browsers, it doesn't make any difference. Pretty much all of HTML 5, including this, is a rewrite of the standard to get it close enough to what browsers did, acknowledging that browsers were no

Re:

[WaffleMonster]

When browser vendors are faced with a choice between following web standards and doing what their users want, the browsers that do what their users want win out.

Can you cite any evidence to support this or is this a guess?

The web standards are clear what is supposed to happen when a web page has a neverending loop of window.open calls.

Google appear to believe that following web standards in this case is also hostile to users.

Where this is true the solution is to get necessary stakeholder buy-in to amend standards.

I think there are other approaches that Google could take instead to protect their users, but to argue that they have to follow standards even if standards are unreasonable is not a good position to take.

The war on popups caused significant breakage while ultimately failing to stop popups yet at least users were given knobs and prompts to control the behavior.

Here there are no knobs, not even basic rate limiting just a unilateral decision without even bothering to conduct a study to even begin to guess what will break as a consequence.

This is no way for an or

Re:

[Aighearach]

When browser vendors are faced with a choice between following web standards and doing what their users want, the browsers that do what their users want win out.

Can you cite any evidence to support this or is this a guess?

Stuff your citations up your ignorant orifice.

Go and read about the history of the web and do you sum lurnun first in order to figure out if somebody is writing a theoretical paper that would need citations, or if they're talking about basic knowledge that you would have if you were older.

Re:

[WaffleMonster]

Stuff your citations up your ignorant orifice.

I'll take that as a no.

Re:

[angel'o'sphere]

Well,
for a small fee I could start writing a blog. Probably a set of blogs. Just like MadMann/blindseer.
You can then free of charge cite my blog.

Sounds like a win : win, or not?

Re: Unacceptable

[Malays2 bowman]

How about just not having popups and having a link people can click to get the info. Simple, huh?

Almost every time I see a popup, it's for an unwanted or abusive purpose. There are very few cases I've seen where there was a legit purpose for them, and that functionality could easily be done without a pop-up (log in screens, for example).

When I browse the web, I don't want shit just suddenly popping up, obscuring the content that I am trying to see.

Profit motive be damned. It's not a good market strategy to

Logging in without pop-up and without losing data

[tepples]

There are very few cases I've seen where there was a legit purpose for them, and that functionality could easily be done without a pop-up (log in screens, for example).

Say you have entered information into a form. The action performed by submitting that form requires being logged in. How would a log-in screen work? Navigating away from the form would cause information that you entered into the form to be lost. Creating a new browsing context, such as a pop-up, would preserve the information entered into the form so that you can return to it and submit it once you are logged in. What third option did you have in mind?

Re: Logging in without pop-up and without losing d

[Malays2 bowman]

"Navigating away from the form would cause information that you entered into the form to be lost"

Long ago this wasn't an issue. You could enter info in a form, navigate away from it, even browsing other pages for a few hours, then come back to the original form and all the info would still be there as long as the browser wasn't closed or crashed.

This changed during the past decade or so, with browsers defaulting to refreshing a page that was left idle for a while and switched away from. They claim it's to "

Re:

[bytestorm]

I think breaking ublock origin is actively harmful to users, so we'll see if manifest v2 ever goes EOL without addressing the problems. Google's track record is spotty with what's best for users.

Re:

[Aighearach]

There is no excuse for browser vendors breaking web standards simply because they feel like it or they think they know better.

May your screen forever blink, may your speakers forever spew advertising, may your fonts leave you wishing for comic sans.

Re:

[WaffleMonster]

May your screen forever blink,

I didn't support removal of blink tags either.

You can make anything you want blink with CSS animation without using any JavaScript. Instead of blink tags a div or span assigned to a blink class achieves the exact same thing except you have way more control over how obnoxious you want it to be than blink ever provided.

Removing blink as a solution to obnoxious sites neither solves or prevents anything. Part of the issue I have with some of the reasoning here is failure to consider predictable repercussions

Re:

[DamnOregonian]

Google is notorious for not considering the repercussions. They simply don't care.
When you find the bugtracker for whatever change caused the issue you're trying to track down, the answer is "we have determined it's what our users want, so we won't be fixing it. We recommend you use the new Google way of doing things"

Trying to keep up with Google's constant march of turning Chromium into IE costs my employer significant money (in the form of my time)
This last year, we finally made the call to stop suppo

Re:

[tepples]

It sounds like you'll end up maintaining two browsers: Firefox for internal applications and Chrome for those external applications that deliberately block Firefox, such as Skype.

Re:

[tepples]

Debian 11 "bullseye" ships Firefox 78.12.0esr. Ubuntu 21.04 "hirsute" ships Firefox 90.0.2. I visited web.skype.com with each browser within the past five minutes, and each produced a mostly blank page stating the following:

Browser not supported

Download the new Microsoft Edge to access Web.Skype.com and get the best of the web.
Alternatively you can use Skype Web Control or download Skype on your desktop computer.

Are you referring to Skype Web Control?

"Major browser vendors agree"

[peppepz]

Google feel themselves to be the monarch of the web so much that they have started speaking of themselves in the plural number.

Re:

[peppepz]

Also, "breaking changes happen often on the web"? This had stopped being the case since the Netscape vs IE wars ended. Standardization is supposed to prevent breaking changes, but now instead of standards we get "living standards". And the insurance against breakage is to use cloud services kindly provided by the same people who make the "living standards", instead of rolling your own software.

Re:

[mysidia]

I'm afraid Google won't take it seriously unless "Alert() in a cross-origin frame" gets added as a test case for verifying compliance with a standard, and some important entity
  requires validation according to the standard to qualify for some high-value contracts involving choice of endpoint devices/browsers.

Re: "Major browser vendors agree"

[Malays2 bowman]

As I said before Google, Apple, and the likes of them have achieved God mode.

Sure there are other browsers, but all sites will eventually be "best viewed on Chrome(ium)", best viewed meaning you better be using something Chrome based if you want to be able to use your bank's website, or do anything else on the modern web.

Re:

[fahrbot-bot]

As I said before Google, Apple, and the likes of them have achieved God mode.

Well... They probably believe that anyway ...

Re: "Major browser vendors agree"

[Malays2 bowman]

It's not hard to see why they think that way :-\

They have to do something realky fucked up to get themselves hurt bad, and in this day and age they practically have to work hard with this intent for that to happen.

Those with the gold make the rules.

Want to stop scams?

[DrXym]

Just put the message box / alert in a style of popup that makes it clear to the user that it is a 3rd party popup. If necessary show warning glasspane that covers the alert with a link to more info that the user must acknowledge before clicking the buttons.

Re:Want to stop scams?

[iggymanz]

no, popups are annoying as hell, the proper and good thing to do is to break the marketing scum's shit.

Re:

[DrXym]

Either way it breaks the scum's shit. It's just by adorning the popup with warnings gives a user ample chance to understand the risks without breaking existing functionality.

Re:

[iggymanz]

No, popups interrupt thought and work flow and waste time. Popups are pandering to morons. Plenty of ways to do that to the side without interrupting browsing.

Re:

[billyswong]

In Firefox, the originating domain is shown in the popups. One webpage's popup also no longer block access of other webpages nor the browser UI since many years ago. I think it would be okay if Google Chrome introduce a way for webpages to block iframes from doing Alert() / Confirm() popups in a case by case status, but not like this.

Re:

[AmiMoJo]

Is there any legitimate use for these functions?

Aside from debugging I can't think of one.

Re:

[WaffleMonster]

Is there any legitimate use for these functions?

Aside from debugging I can't think of one.

Confirm is often used prior to doing something with irreversible consequence like deleting something.

Alert to get your attention to know something important before you continue with what you are doing.

There is nothing bad or inherently wrong with these things. Most GUI systems provide similar dialogues with similar properties. They are quite limited in terms of controlling presentation however this gives user agent more flexibility to optimize presentation and are dirt simple to use. To get similar modal

Macintrash

[tepples]

Confirm is often used prior to doing something with irreversible consequence like deleting something.

"Are you sure?" for deletion is not an ideal user experience. Apple demonstrated another paradigm with the launch of Mac OS in early 1984.

System 1

When a user deleted a file, Finder (the file manager) marked the file for later deletion, which would occur once the disk was unmounted or Finder closed. Until then, the user could open "Trash", a list of all files marked for deletion, and choose a file not to delete. At the time, Finder closed whenever an application was opened.

MultiFinder (System 5 and 6)

Later v

Re:

[WaffleMonster]

"Are you sure?" for deletion is not an ideal user experience.

You have no way of reasoning about what is ideal or not because you have no clue what the irreversible consequences are. The confirm dialogue could be asking you to confirm the launch of a rocket ship for all you know.

Apple demonstrated another paradigm with the launch of Mac OS in early 1984.

Many mail clients use a similar paradigm, with a Trash folder or label that causes messages to be deleted 30 days later.

Ok wise guy... what happens when you empty the trash folder? Does it go into another trash folder?

Re:

[Aighearach]

Just put the message box / alert in a style of popup

... up your ass, bootlicker. Users don't want popups.

Re:

[Tony Isaac]

You think people actually read pop-ups? Hardly. They just click whatever it takes to make it go away. No, popups are evil and should be completely eliminated from the language. I really don't care if it breaks somebody's code.

Compatibility Mode Flags or Startup parms

[Canberra1]

The way IBM mainframes traditionally handles incompatibility changes is to include a letter or flag in the startup parms. It really is easy, and gives clients little grief if they actually read the release notes (Note, when maintenance subcontracted out - admins rarely do). While this seems like a twist on cross-site scripting, I think it is softening up 'fingerprinting' for third party ad tracking, so when Google transitions out of cookies - that's it, there is no alternative but to cough up. Microsoft is up to similar tricks, and only special customers get to use undocumented calls for what is loosely a semaphore or flag alert. The usual way of sneaking around this is to launch a light spin loop, with timed interrupts, Traps for new players include deadly embraces, and breakages when the master scheduler demotes these remote observation tasks. Also nice is when a global variable is demoted to a local. Then things break when sandboxes and VM's are overlayed. I think it is lovely. Break modular / object programming, break overlays, break inter-process communication, and the kicker, add remote latency. Compatibility flags - what are those? - when other motives are involved.

Re:

[Wrath0fb0b]

But this is the inverse -- Chrome is the client and it's the one changing how it will interact with a service.

Can we remove windows notifications as well?

[SmaryJerry]

Ever site now wants permission for notifications and no I don’t ever want a notification. Does anyone ever actually want a website to start notifying them in their OS? Is this the new rss feed?

Re:

[thegreatbob]

There are uses for this, but definitely would prefer to be able to *easily* turn off this very abusable feature. Think similar to the "oh hey you just typed a username/password, shall I remember that for you?" Yes, No, [Never ask again]

Re:

[Oligonicella]

There are uses for this.

Name a couple of uses for some random website to send you OS level messages.

Think similar to the "oh hey you just typed a username/password, shall I remember that for you?"

Already have modal pop-ups that do this. No need to involve OS notifications.

Re:

[DamnOregonian]

How narrow minded.
On one tab, you've got collaborate web application open. Someone else does something that requires getting your attention.
You clearly can't pop up a modal alert across tabs, so I guess... well, fuck it, right?

Just because you can't perceive a need for something doesn't mean there isn't one.
The fact that the request mechanism is being abused is a real problem, and should be addressed like real problems are addressed.

Re:

[DamnOregonian]

Conceiving of scenarios where something has value is merely the start of the journey. It also necessary to consider all reasonably inferable implications of a feature good or bad and weigh them accordingly.

Don't think we disagree there.

If there was a direct memory access API built into browsers and websites started abusing it to install malware, extract passwords and sensitive data from systems of users visiting websites one could just as easily invoke this same garbage to justify that as well. Oh the problem is the abuse never the brain dead stupid idea to begin with.

No, you would figure out how to secure the mechanism.
Removing it? Shit, we'd still be running DOS if that was how modern operating systems handled security flaws that needed tightening.

The notifications were an absolutely idiotic idea from the very start. It was blatantly obvious from the very beginning abuse would be the primary use case. It has shocked nobody that this has turned out to be the case.

Na. The alerts are used extensively by many things- particularly debugging of web applications.
Dumbfuck users always amuse me.

Re:

[LenKagetsu]

Name a couple of uses for some random website to send you OS level messages.
Notifications on Github.

Re: Can we remove windows notifications as well?

[Malays2 bowman]

And this will continue to get worse and worse. Most people just happily take the abuse.

Re:

[Anonymous Coward]

Ever site now wants permission for notifications and no I donâ(TM)t ever want a notification. Does anyone ever actually want a website to start notifying them in their OS? Is this the new rss feed?

Yes, I have it enabled for two specific sites. There is a third site that does not use them, but I would enable it if they did.

However I agree with you 100%

This needs to be changed to a default of no and user action to enable, and get rid of the damn prompts completely.
An icon showing in the address bar to show it as available is plenty, and clicking it to select 'enable' for the extremely rare times it is desired.

In case anyone is curious, I prefer the web interface to Discord and Mastodon, and use deskto

Re:

[thegarbz]

Does anyone ever actually want a website to start notifying them in their OS? Is this the new rss feed?

Yes. Do you use your browser to look at webpages like some kind of 90s kid? I personally use it as a IM platform, and an email client. The ability to trigger desktop notifications is indispensable.

Mind you I have that shit disabled for shitty websites that have no business sending me any of that shit, but that doesn't mean the browser doesn't require that functionality.

Re:

[EkriirkE]

I like notifications for forums, rather than email alerts

Y'know ...

[thomst]

Back before Firefox broke its entire plug-in ecosystem, NoScript used to offer the option to completely disable cross-site scripting. Now, it can only "sanitize" it.

The original recipe turned off both alert() and confirm() altogether. Extra crispy now just offers you the option on the fly. Kinda.

If turning off those capabilities breaks your website, either you're a tool or an idiot, depending on whether you're responsible for rolling your own, or you let some hosting company throw a load of ad-company vampireware into your pages on the fly to help "monetize" your content ...

Re:

[Aighearach]

That's odd, uMatrix doesn't have any trouble at all stopping cross-site scripting.

Re:

[thomst]

Aighearach observed:

That's odd, uMatrix doesn't have any trouble at all stopping cross-site scripting.

Thanks for making my point for me!

In case you missed it, it was, "The only ones complaining about this change in Chrome are ad companies, data miners, and assorted other privacy rapists ... "

Re:

[Aighearach]

Thanks for making my point for me!

No, you fucking dumb asshole, what you said was:

Back before Firefox broke its entire plug-in ecosystem

Which I refuted. Refuting your idiotic comment does "make [your] point."

Fucking neckbeards, I swear.

Re:

[thomst]

To my response:

Thanks for making my point for me!

Aighearach raged:

No, you fucking dumb asshole, what you said was:

Back before Firefox broke its entire plug-in ecosystem

Which I refuted. Refuting your idiotic comment does "make [your] point."

Fucking neckbeards, I swear.

I was talking about NoScript. You responded with a comment about uMatrix, which I don't use (and am uninterested in installing, just so I can confirm whether it is or is not actually capable of completely disabling cross-site scripting), and so cannot knowledgeably comment on. But they are not the same plug-in, so you're talking about Granny Smiths, while I'm commenting on Fujis.

However, the point of my thanking you for making my case for me is not about the architectural cha

Re:

[Aighearach]

You didn't need to write all that. You didn't comprehend what I said. Why write all that stupid shit? Re-read it, find what you missed, done.

Fucking neckbeards, can't comprehend a response.

You're irked; therefore nothing. Therefore you're irked. Get over it. The extensions to control JS still work fire. The more powerful, more complete extensions than the shitty one you use still work fine. So your whiny concerns are misplaced.

Shave your neck and visit the surface.

Fuck 'em.

[Gravis Zero]

Honestly, alert() and confirm() popups need to be eliminated entirely. I also, don't give two hoots about what some shitty IRC engineer thinks.
Want to have an integrated experience with control over the platform? DON'T WRITE YOUR APPLICATION IN JAVASCRIPT.

Re:

[Oligonicella]

Aside from displaying your pique, you've essentially said nothing.

Re:

[WaffleMonster]

Honestly, alert() and confirm() popups need to be eliminated entirely.

Why?

Want to have an integrated experience with control over the platform? DON'T WRITE YOUR APPLICATION IN JAVASCRIPT.

Or perhaps the better question might be ...how much additional javascript will be required to provide functional equivalents?

Re: Fuck 'em.

[IdanceNmyCar]

I don't know, pretty much any of the billions of frameworks JS devs already include.

Re:

[angel'o'sphere]

DON'T WRITE YOUR APPLICATION IN JAVASCRIPT.
And how should that utterly stupid idea work?

There is hardly any other cross browser language.

The only other option are web frameworks like Vaadin (https://vaadin.com/), where only a minimal "rendering stub" is on the client side and all the UI is written in a desktop like style and executed on the server.

Re:

[Gravis Zero]

Here's an idea genius, don't write your program to run in a browser.

Re:

[thegarbz]

Here's an idea genius, don't write your program to run in a browser.

Here's a better idea, write your program to run in a browser so we can effortlessly use it cross platform with depending on you to individually support and test every platform.

I don't often agree with angel'o'sphere, but he's right on point here. Your fantasy of wanting to go back to platform specific code for applications that are largely web facing and therefore largely require cross platform compatibility is a fucking feverdream gone wrong. No one pines for the shitty incompatibilities of the past, and t

Would navigation and form submission work?

[tepples]

Your fantasy of wanting to go back to platform specific code for applications that are largely web facing and therefore largely require cross platform compatibility is a fucking feverdream gone wrong.

Other users with the "never script in the browser" fantasy have explained two options to me in the past:

A. Write the application to be fully functional with only navigation and form submission. Lightweight HTML and cached resources make full page reloads less painful. Pagination instead of infinite scrolling. Optionally add script later for convenience. Circa 2009, I developed a web shop using this paradigm, and it ran much faster than 3dCart even on an entry-level VPS and older client devices. The biggest

Re:

[angel'o'sphere]

There are basically 4 kinds of software. (If you want to nitpick you surely find more).
a) embedded software controlling a device (you basically do not interact with it, or only in a remote sense as in pushing a button on a micro wave or washing machine, or hitting the brake in your car)
b) desktop applications, like the browser I'm suing to type this, or my IDE I use to write software
c) software that a company uses to run their own business - e.g. calculating a complex market situation to make an offer to a

Re:

[EkriirkE]

On one hand Iove alert for debugging. On the other I can't recall when I've seen one used in the wild for some time, when DOM equivalents are trivial to code (and have long been replaced as such for inline warnings)

Um

[cascadingstylesheet]

One of Google's Chrome engineers explained on Twitter that "Major browser vendors are generally aligned about wanting to move the platform away from alert() and friends, even though it will unfortunately involve some breakage...

"alert() and friends" are supposed to be bog standard, simple, safe, cross-browser ways to communicate with the user. Their limited functionality is a feature, not a bug.

Re:

[93 Escort Wagon]

I somewhat agree with you, but - I have a hard time seeing what legitimate use a third-party script could have for either alert() or confirm().

I must admit, though, I prefer blocking all third-party scripts by default, and then whitelisting any sites where I want to enable that functionality for whatever reason (offhand I can't think of any example sites where I've done that).

Re:

[Hydrian]

I agree, that the alert() and friends should be around even in CORS. What there should be is permissions to lets 1st party server admins to limit what the 3rd party content can do in their site's name. Without using a reverse proxy, which most ad network would forbid, there is no easy way to limit what they show on your webpage unless the ad network LETS you have some way to filter it.

Ads without network

[tepples]

Then don't use an ad network. Let advertisers upload creative to a form on your website, pay for a placement, and specify a week in which to run the ad. Then you review the creative and approve the placement. It works for Daring Fireball [daringfireball.net].

Re:

[Tony Isaac]

No, alert() and confirm() need to go away forever. People don't read these, they just click whatever it takes to make them go away. Worse, they are intrusive and a terrible UI mechanism. The Web would be a better place without them.

"Major browser vendors"

[MatthiasF]

"Major browser vendors are generally aligned about wanting to move the platform away from alert() and friends, even though it will unfortunately involve some breakage..."

There are three browsers left, Google Chrome and it's derivatives being the overall monopoly, so did they actually discuss this openly with all browser developers or only Chromium developers or only Google employees or what?

This is why everyone running on a library created by a monopoly is a bad idea.

Google is already use to dominating ever

Obligatory

[Saffaya]

"I am altering the deal. Pray that I don't alter it further..."

As an end-user

[istartedi]

As an end-user of the web, I would not miss alert() and friends (more like accomplices) at all. At least, I wouldn't miss them as enabled defaults. If your web site is something I frequently use and trust and pop-ups actually make sense then you can let me know that in the intro and I can decide if it's worth allowing. Problem solved.

And yes, as another poster opined, I wouldn't miss it in Windows or any other OS either. "I want to freeze my mouse pointer because of an update alert while playing an onli

Re:

[WaffleMonster]

As an end-user of the web, I would not miss alert() and friends (more like accomplices) at all.

Why?

And yes, as another poster opined, I wouldn't miss it in Windows or any other OS either. "I want to freeze my mouse pointer because of an update alert while playing an online game" --Nobody Ever.

This analogy makes no sense because alert() does not cross window/application boundaries. The alert window is generated and displayed within the same application/window.

What the issue is here is more like starting an online game that requires an update and suppressing the alert message that tells you that you need to update before the game will connect to server... resulting in you sitting there wondering WTF is going on and why you can't connect to the server to play.

Your story reminds me of old histo

why NOT to use âoemodernâ frameworks

[cjonslashdot]

Yet another example of why not to use âoemodernâ Javascript frameworks. Unless you are building an actual browser-based app, use style sheets, and use lightweight call-centric libraries when you need them. Donâ(TM)t use the bloated frameworks that use Javascript just to display a page.