Hacker News new | ask | show | jobs
by pgo 1773 days ago
No, this is about alerts from cross origin content, like from an iframe that loads from a different origin than the parent page
2 comments
vasachi 1773 days ago
Google is planning to remove alerts entirely: https://twitter.com/Rich_Harris/status/1422930436850860033
link
Semaphor 1773 days ago
Direct source:

> Major browser vendors are generally aligned about wanting to move the platform away from alert() and friends, even though it will unfortunately involve some breakage.

- https://twitter.com/estark37/status/1422694855390629893

That at least doesn’t seem like any kind of near-future thing.

I just hope there’ll be some replacement, we use confirm() to prevents users from losing changes that weren’t saved (just like many other sites including fastmail and google)

link
ceronman 1773 days ago
It would still break sites like codepen.io that use iframes for this.
link
gregoriol 1773 days ago
codepen's iframes are their own, not cross-origin
link
mcintyre1994 1773 days ago
They're on another domain they own, but they are on another domain (cdpn.io) and the cross-origin concern does apply. They do that because they have auth cookies on codepen.io and don't want them exposed to the iframe.

See these tweets by their cofounder: https://twitter.com/chriscoyier/status/1422940724295786503?s... and https://twitter.com/chriscoyier/status/1420033471376920578?s...

link
asddubs 1773 days ago
if they were on the same domain you could load iframes with the parent site and do arbitrary CSRF
link