Re-do close watcher user activation tracking #10168
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As noted in #10046, the close watcher anti-abuse measures were overly strict, and would prevent firing the cancel event even when the close watcher was created with user interaction. Additionally, the "is grouped with previous" infrastructure used to track close watcher groups was buggy, since close watchers could be destroyed and this would cause groups to spuriously collapse. To fix both of these problems, we re-do the close watcher anti-abuse protections. We now track the groups as a list-of-lists, and explicitly track how many groups should be allowed at a given time. We can then compare them when making decisions about whether to group a new close watcher, or whether to fire a cancel event. Note that the initial fix proposed in #10046 (and implemented in #10048) is incorrect, as it allows indefinite trapping of the user. Closes #10046.
5 tasks
domenic
changed the title
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Feb 28, 2024
Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
|
I've given this a read through and it all seems to make sense to me. I can't think of a way this can be abused to circumvent the protections. Just to clarify this doesn't increase the total number of back gestures required to escape compared to the previous implementation? (In the case where the user doesn't interact with the page in the mean time) |
|
Thanks so much for your review @lukewarlow!
Indeed. With much more test coverage now! |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 4, 2024
Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Mar 5, 2024
Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387 Reviewed-by: Joey Arhar <[email protected]> Commit-Queue: Domenic Denicola <[email protected]> Cr-Commit-Position: refs/heads/main@{#1268262}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 5, 2024
Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387 Reviewed-by: Joey Arhar <[email protected]> Commit-Queue: Domenic Denicola <[email protected]> Cr-Commit-Position: refs/heads/main@{#1268262}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 5, 2024
Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387 Reviewed-by: Joey Arhar <[email protected]> Commit-Queue: Domenic Denicola <[email protected]> Cr-Commit-Position: refs/heads/main@{#1268262}
domfarolino
reviewed
Mar 8, 2024
|
The "groups" concept seems reasonable, and makes behavior similar to e.g. a fragment navigation for each user activation (adding a close watcher to the same group is like a "replace" navigation). Users can navigate back multiple steps in various browsers, which should also bypass close watchers IIUC. If abuse becomes a significant problem, maybe browsers can heuristically detect user frustration (repeatedly trying to go back and groups.length > some number) and then close everything or navigate back? |
zcorpan
reviewed
Mar 8, 2024
domenic
commented
Mar 11, 2024
There was a problem hiding this comment.
The "groups" concept seems reasonable, and makes behavior similar to e.g. a fragment navigation for each user activation (adding a close watcher to the same group is like a "replace" navigation).
I like this analogy!
Users can navigate back multiple steps in various browsers, which should also bypass close watchers IIUC.
Yep, exactly. It's just kind of a power-user feature, so we don't want to tell people that's their only recourse.
If abuse becomes a significant problem, maybe browsers can heuristically detect user frustration (repeatedly trying to go back and groups.length > some number) and then close everything or navigate back?
For sure, this is the bazooka we can always use. But it hurts web platform predictability a bit if we're not careful, so that's why I've spent a lot of time trying to put deterministic guardrails around this for the spec (and Chromium).
But, I did put in an optional "skip to the end" step as you suggested, since it's useful not only for anti-abuse, but also for other cases. In general I'm in favor of giving browsers more "may" options for browser UI interactions, so thanks for suggesting it.
zcorpan
approved these changes
Mar 13, 2024
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Mar 14, 2024
…king, a=testonly Automatic update from web-platform-tests Re-do close watcher user activation tracking Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387 Reviewed-by: Joey Arhar <[email protected]> Commit-Queue: Domenic Denicola <[email protected]> Cr-Commit-Position: refs/heads/main@{#1268262} -- wpt-commits: 01412b25ebfd1f389961cb6f733073e7d0b14dba wpt-pr: 44828
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this pull request
Mar 17, 2024
…king, a=testonly Automatic update from web-platform-tests Re-do close watcher user activation tracking Our previous approach for close watcher user activation tracking had cases where we could allow the cancel event to fire, but we were not allowing it. Fixing this is nontrivial. We need to more closely track the allowed number of close watchers, and use it when making decisions about creating ungrouped close watchers or firing cancel events. This allows us to pass test cases like: * A close watcher stack that is relatively empty compared to the amount of user activations so far, needs to allow cancel events. * A close watcher stack that is full compared to the amount of user activations so far, needs to prevent cancel events. Additionally, our previous mechanism of tracking groups by using booleans on the close watchers was buggy when a close watcher was destroyed. Instead, properly track the groups as a vector of vectors. Spec PR: whatwg/html#10168 Bug: 1512224 Change-Id: I6d7ccdc27c69f457455f517dcdbcc71d615b4290 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5232387 Reviewed-by: Joey Arhar <[email protected]> Commit-Queue: Domenic Denicola <[email protected]> Cr-Commit-Position: refs/heads/main@{#1268262} -- wpt-commits: 01412b25ebfd1f389961cb6f733073e7d0b14dba wpt-pr: 44828
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As noted in #10046, the close watcher anti-abuse measures were overly strict, and would prevent firing the cancel event even when the close watcher was created with user interaction.
Additionally, the "is grouped with previous" infrastructure used to track close watcher groups was buggy, since close watchers could be destroyed and this would cause groups to spuriously collapse.
To fix both of these problems, we re-do the close watcher anti-abuse protections. We now track the groups as a list-of-lists, and explicitly track how many groups should be allowed at a given time. We can then compare them when making decisions about whether to group a new close watcher, or whether to fire a cancel event.
Note that the initial fix proposed in #10046 (and implemented in #10048) is incorrect, as it allows indefinite trapping of the user.
Closes #10046.
(See WHATWG Working Mode: Changes for more details.)
/interaction.html ( diff )