Permissions-Policy: unload
- Category: Miscellaneous
- Type: New or changed feature
- Status: Enabled by default (Chrome 115)
- Intent stage: Prepare to ship
Summary
This feature allows pages to disable the running of unload event handlers. The goals are:
- allow sites that have removed all unload handlers to not regress (i.e. by accidentally adding new ones)
- allow sites to “remove” (skip) unload handlers (e.g. if updating the code is infeasible, or if they have nondeterministic chains of third parties and would rather not risk the BFCache benefits over unload handlers in third-party code).
Unload event handlers are problematic for various reasons and prevent use of BFCache on Desktop (see https://web.dev/bfcache/#never-use-the-unload-event). This is the first step to deprecating and removing unload handlers.
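As an added illustration (not code from Chrome or the explainer), this Node.js sketch checks whether a response's Permissions-Policy header disables unload, the kind of regression check the first goal describes. It assumes the standard allowlist syntax, in which `unload=()` is an empty allowlist; the function names and the sample header are hypothetical.

```javascript
// Added example (not from the Chrome explainer). Simplified parser: handles the
// allowlist forms *, self, () and ("origin" self ...); no structured-field parameters.

// Split on a delimiter only outside parentheses and double quotes.
function splitTopLevel(text, delimiter) {
  const parts = [];
  let depth = 0, quoted = false, current = '';
  for (const ch of text) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === '(') depth++;
    else if (!quoted && ch === ')') depth--;
    if (ch === delimiter && depth === 0 && !quoted) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Returns the allowlist declared for `unload`, or null if the header never mentions it.
// An empty array means unload handlers are disabled for the document.
function unloadAllowlist(headerValues) {
  let allowlist = null;
  // Multiple header lines combine into one comma-separated dictionary; the last key wins.
  for (const member of splitTopLevel(headerValues.join(','), ',')) {
    const eq = member.indexOf('=');
    if (eq === -1 || member.slice(0, eq).trim() !== 'unload') continue;
    const value = member.slice(eq + 1).trim();
    const inner = value.startsWith('(') && value.endsWith(')') ? value.slice(1, -1) : value;
    allowlist = splitTopLevel(inner, ' ').map((t) => t.replace(/^"|"$/g, ''));
  }
  return allowlist;
}

// Classify the result for a CI or audit check.
function unloadStatus(headerValues) {
  const list = unloadAllowlist(headerValues);
  if (list === null) return 'unset';
  if (list.length === 0) return 'disabled';
  return list.includes('*') ? 'allowed-everywhere' : 'restricted';
}

// Constructed sample response header (not captured from a real site).
const SAMPLE = ['geolocation=(self), unload=()'];
console.log(unloadStatus(SAMPLE)); // disabled
```

A deployment check can fail the build whenever `unloadStatus` returns anything other than `disabled` for pages that are meant to stay unload-free.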
Motivation
Help sites migrate off unload event handlers and thereby improve BFCache hit-rate:
- by ensuring that once removed, handlers do not creep back in
- by providing a means to disable handlers in 3rd party iframes and script that is hard to change
Standards & signals
- Specification: https://github.com/whatwg/html/pull/7915
- Firefox: Negative — Firefox objects to this on the grounds that, like sync-xhr and document-domain, it provides a way to cause cross-origin interference with script. The explainer addresses this (https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md#concerns-about-giving-embedders-control-over-the-nonexecution-of-iframe-code).
At a recent TPAC meeting with Mozilla people present, no negative feedback was received.
The request for a formal position is at https://github.com/mozilla/standards-positions/issues/691
- Safari: Closed Without a Position — Concerned that embedders gain a way to turn off a code-path in the embedded frame.
- Web developers: Positive — Private discussions with devs are positive.
Sites that have made efforts to remove all unload handlers want to use this to prevent them from accidentally returning. Also, some providers of 3rd-party iframes that have content outside of their control (e.g. ad networks) want to guarantee that they are unload-free.
https://github.com/w3c/webappsec-permissions-policy/issues/444#issuecomment-1130401722
There is also positive feedback about using this to deny unload as a source of security problems.
https://github.com/w3c/webappsec-permissions-policy/issues/444#issuecomment-1222973324
- Tracking bug: https://crbug.com/1324111
Docs: https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md
Explainers: https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md