from a while back https://www.admonsters.com/can-sandboxing-defeat-redirects/ …
Replying to @BRIAN_____ @acfou and
Good bug.
@bz_moz seemed grumpy though. I still find Firefox's popup blocker best, re: user activation discernment.
Replying to @BrendanEich @BRIAN_____ and
Not grumpy, just concerned about specs that basically say "do something" and in practice that means reverse-engineering what Chrome does. Especially when what Chrome does is not great...
Replying to @really_bz @BrendanEich and
Though in the case of the user activation v2 documents, they at least aim to explicitly write down what it is Chrome does. Which is still not great (as I said on blink-dev the last time there was a discussion on it, what it does is probably not OK for full-screen for Gecko).
Replying to @really_bz @bz_moz and
Is the cause of divergence between Chrome and Firefox on user-activated easy to summarize? In old days when @jstenback and I hacked on it, we used stack discipline (in heap of course, can’t look up stack in C++) to notice user event started control flow (vs timeout or network).
Replying to @BrendanEich @BRIAN_____ and
Pure stack doesn't quite work because people want to pass user activation across setTimeout/promise/postMessage. That's true in both Firefox and Chrome. Divergence is largely in whether activations "time out". If I click and 2min later the page goes fullscreen, is that ok?
Replying to @really_bz @bz_moz and
"Back in my day" (before promises, before the Empire), we cast a colder eye on setTimeout :-|. The Causeway work may be helpful, given promises: http://erights.org/elang/tools/causeway/index.html …. Is there any chain of custody among activations? Timing out seems a good idea too, but by itself not enough.
Replying to @BrendanEich @BRIAN_____ and
I think people really want to do work async, so we do need a way to propagate activation across async things, but not indefinitely... I think Chrome's model is basically that you store a "had activation" state on the global, which can be consumed if something needs an activation
Replying to @really_bz @bz_moz and
We actually have many different definitions of user-initiated iirc. For some events (e.g. clipboard writes), we require the event to be on the stack, while for stuff like popup blocking it's much more complex.
-
Right, I think ours is _too_ complex. We should be able to simplify some.
Replying to @really_bz @bz_moz and
Oh, for sure! Our setup is definitely too complex. I didn't want to misrepresent our setup as being cleaner than it actually is :-P