Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Re-do close watcher user activation tracking #10168

Merged
merged 4 commits into from
Mar 14, 2024
Merged

Conversation

domenic
Copy link
Member

@domenic domenic commented Feb 28, 2024

As noted in #10046, the close watcher anti-abuse measures were overly strict, and would prevent firing the cancel event even when the close watcher was created with user interaction.

Additionally, the "is grouped with previous" infrastructure used to track close watcher groups was buggy, since close watchers could be destroyed and this would cause groups to spuriously collapse.

To fix both of these problems, we re-do the close watcher anti-abuse protections. We now track the groups as a list-of-lists, and explicitly track how many groups should be allowed at a given time. We can then compare them when making decisions about whether to group a new close watcher, or whether to fire a cancel event.

Note that the initial fix proposed in #10046 (and implemented in #10048) is incorrect, as it allows indefinite trapping of the user.

Closes #10046.

(See WHATWG Working Mode: Changes for more details.)


/interaction.html ( diff )

As noted in #10046, the close watcher anti-abuse measures were overly strict, and would prevent firing the cancel event even when the close watcher was created with user interaction.

Additionally, the "is grouped with previous" infrastructure used to track close watcher groups was buggy, since close watchers could be destroyed and this would cause groups to spuriously collapse.

To fix both of these problems, we re-do the close watcher anti-abuse protections. We now track the groups as a list-of-lists, and explicitly track how many groups should be allowed at a given time. We can then compare them when making decisions about whether to group a new close watcher, or whether to fire a cancel event.

Note that the initial fix proposed in #10046 (and implemented in #10048) is incorrect, as it allows indefinite trapping of the user.

Closes #10046.
@domenic domenic added normative change topic: dialog The <dialog> element labels Feb 28, 2024
@domenic domenic requested a review from josepharhar February 28, 2024 06:22
@domenic domenic changed the title Re-do close watcher anti-abuse measures Re-do close watcher user activation tracking Feb 28, 2024
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Feb 28, 2024
Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
@lukewarlow
Copy link
Member

I've given this a read through and it all seems to make sense to me. I can't think of a way this can be abused to circumvent the protections.

Just to clarify this doesn't increase the total number of back gestures required to escape compared to the previous implementation? (In the case where the user doesn't interact with the page in the mean time)

@domenic
Copy link
Member Author

domenic commented Mar 4, 2024

Thanks so much for your review @lukewarlow!

Just to clarify this doesn't increase the total number of back gestures required to escape compared to the previous implementation? (In the case where the user doesn't interact with the page in the mean time)

Indeed. With much more test coverage now!

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 4, 2024
Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
@domenic domenic requested a review from annevk March 4, 2024 07:15
aarongable pushed a commit to chromium/chromium that referenced this pull request Mar 5, 2024
Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387
Reviewed-by: Joey Arhar <[email protected]>
Commit-Queue: Domenic Denicola <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1268262}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 5, 2024
Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387
Reviewed-by: Joey Arhar <[email protected]>
Commit-Queue: Domenic Denicola <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1268262}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 5, 2024
Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387
Reviewed-by: Joey Arhar <[email protected]>
Commit-Queue: Domenic Denicola <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1268262}
@zcorpan zcorpan self-requested a review March 7, 2024 16:54
source Show resolved Hide resolved
source Outdated Show resolved Hide resolved
source Show resolved Hide resolved
@zcorpan
Copy link
Member

zcorpan commented Mar 8, 2024

The "groups" concept seems reasonable, and makes behavior similar to e.g. a fragment navigation for each user activation (adding a close watcher to the same group is like a "replace" navigation). Users can navigate back multiple steps in various browsers, which should also bypass close watchers IIUC.

If abuse becomes a significant problem, maybe browsers can heuristically detect user frustration (repeatedly trying to go back and groups.length > some number) and then close everything or navigate back?

source Outdated Show resolved Hide resolved
Copy link
Member Author

@domenic domenic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "groups" concept seems reasonable, and makes behavior similar to e.g. a fragment navigation for each user activation (adding a close watcher to the same group is like a "replace" navigation).

I like this analogy!

Users can navigate back multiple steps in various browsers, which should also bypass close watchers IIUC.

Yep, exactly. It's just kind of a power-user feature, so we don't want to tell people that's their only recourse.

If abuse becomes a significant problem, maybe browsers can heuristically detect user frustration (repeatedly trying to go back and groups.length > some number) and then close everything or navigate back?

For sure, this is the bazooka we can always use. But it hurts web platform predictability a bit if we're not careful, so that's why I've spent a lot of time trying to put deterministic guardrails around this for the spec (and Chromium).

But, I did put in an optional "skip to the end" step as you suggested, since it's useful not only for anti-abuse, but also for other cases. In general I'm in favor of giving browsers more "may" options for browser UI interactions, so thanks for suggesting it.

source Outdated Show resolved Hide resolved
source Show resolved Hide resolved
source Outdated Show resolved Hide resolved
source Show resolved Hide resolved
@domenic domenic merged commit 335cf0c into main Mar 14, 2024
2 checks passed
@domenic domenic deleted the fix-close-watcher-stack branch March 14, 2024 05:52
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Mar 14, 2024
…king, a=testonly

Automatic update from web-platform-tests
Re-do close watcher user activation tracking

Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387
Reviewed-by: Joey Arhar <[email protected]>
Commit-Queue: Domenic Denicola <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1268262}

--

wpt-commits: 01412b25ebfd1f389961cb6f733073e7d0b14dba
wpt-pr: 44828
jamienicol pushed a commit to jamienicol/gecko that referenced this pull request Mar 17, 2024
…king, a=testonly

Automatic update from web-platform-tests
Re-do close watcher user activation tracking

Our previous approach for close watcher user activation tracking had
cases where we could  allow the cancel event to fire, but we were not
allowing it.

Fixing this is nontrivial. We need to more closely track the allowed
number of close watchers, and use it when making decisions about
creating ungrouped close watchers or firing cancel events. This allows
us to pass test cases like:

* A close watcher stack that is relatively empty compared to the amount
  of user activations so far, needs to allow cancel events.

* A close watcher stack that is full compared to the amount of user
  activations so far, needs to prevent cancel events.

Additionally, our previous mechanism of tracking groups by using
booleans on the close watchers was buggy when a close watcher was
destroyed. Instead, properly track the groups as a vector of vectors.

Spec PR: whatwg/html#10168

Bug: 1512224
Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387
Reviewed-by: Joey Arhar <[email protected]>
Commit-Queue: Domenic Denicola <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1268262}

--

wpt-commits: 01412b25ebfd1f389961cb6f733073e7d0b14dba
wpt-pr: 44828
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

Close watchers: history-action user activation is consumed even for the first close watcher
4 participants