Permissions-Policy: Unload

[fergald]

Introduction

We (chromium) would like to propose an unload permissions policy to help sites migrate away from use of unload handlers. TL;DR this header allows disabling firing the unload event on frames and subframes.

This was previously discussed in

• Proposal: Disallow running unload handlers document-policy#39
• Permissions Policy unload w3c/webappsec-permissions-policy#444

The main motivation for this is that they are a large blocker of BFCache on desktop, they are a footgun (often don't fire on mobile) and in general there are better alternatives for (hopefully) all use cases.

We know that many sites are not in a position to use this header immediately, 3rd party iframes often use unload but this lets us make a start. We have reached out to some well-known iframe providers, asking them to remove their unloads. Once they do, they can guarantee remaining unload-free by shipping this header.Read the complete Explainer.

Feedback (Choose One)

Prior feedback is on w3c/webappsec-permissions-policy#444.

Please provide all feedback below.

[steffenweber]

Our website (https://www.computerbase.de/) is bfcache-eligible on pages without ads (e.g. on the imprint page or when using our paid version "ComputerBase Pro") but is not when ads are served because "the page has an unload handler in a sub frame (UnloadHandlerExistsInSubFrame)". With an "Unload" permissions policy we could experiment with taking this feature away from ads though to be honest I'm not sure what breakage that would cause.

[astralmaster]

That would be a great feature. Web server administrators should have the option to disallow unload events, especially when they originate from 3rd-party iframes. Sometimes you need to use external widgets/modules but that should not penalize your performance or functionality.