Update trust levels for existing actions to spec #9954
Conversation
dreamofabear
force-pushed
the
trust-levels-final
branch
from
437c0f5
to
29e9eb8
Compare
|
/to @aghassemi @cvializ /cc @jridgewell @ericlindley-g |
|
Do we have a way to know how many pages in the wild this might break? |
| @@ -351,7 +350,7 @@ export class AmpForm { | |||
| event.preventDefault(); | |||
| } | |||
| // Submits caused by user input have high trust. | |||
| this.submit_(ActionTrust.MEDIUM); // TODO(choumx, #9699): HIGH. | |||
| this.submit_(ActionTrust.HIGH); | |||
| </tr> | ||
| <tr> | ||
| <td>play</td> | ||
| <td>Plays the video.</td> | ||
| <td>High</td> |
There was a problem hiding this comment.
This should be High only if video is unmuted. Muted videos should be playable with Low, could you create an issue and assign to me?
| @@ -351,7 +350,7 @@ export class AmpForm { | |||
| event.preventDefault(); | |||
| } | |||
| // Submits caused by user input have high trust. | |||
| this.submit_(ActionTrust.MEDIUM); // TODO(choumx, #9699): HIGH. | |||
| this.submit_(ActionTrust.HIGH); | |||
| </tr> | ||
| <tr> | ||
| <td>play</td> | ||
| <td>Plays the video.</td> | ||
| <td>High</td> |
| this.action_.trigger(this.element, name, selectEvent, | ||
| ActionTrust.MEDIUM); |
There was a problem hiding this comment.
@choumx What does this mean for selector?
| this.action_.trigger(this.element, name, selectEvent, | ||
| ActionTrust.MEDIUM); | ||
| ActionTrust.HIGH); |
There was a problem hiding this comment.
Would this not prevent slides from being in sync with selector via bind?
There was a problem hiding this comment.
It wouldn't since high trust events can do everything that medium trust events can.
|
Just to double-check—was this taken through design review with these specific levels? |
|
@ericlindley-g No, only in this PR with relevant parties. Any concerns? It's a small PR so we can easily undo and review next week if you'd like. |
|
Thanks for the quick response, @choumx — non-urgent, so feel free to ignore until the week officially starts :) I agree that the risk appears very low that we would break anyone in production with this (using medium-trust events to trigger these more disruptive actions in general would be strange). Would it make sense, process-wise, to run this through review next week, and only undo the merge if there are significant issues that come up? As a side note: one reasonable implementation AMP may want to allow that would be restricted by this PR is playing or un-muting videos using checkboxes or radio buttons—though it's still a bit of an edge case. That's something we could either update the PR to allow now, or just think through it later on request, and see if it makes sense to open up. Would it be easy to make a targeted cookbook query just to make sure we're not breaking folks in production who might have already done these? And is there validation in place that will also make pages that misuse these trust levels invalid, or does misuse just disable the interaction and a user-error is surfaced in the developer console? |
|
@choumx @ericlindley-g Ability to unmute based on checkbox seems important. I suggest we do a blanket rule that if |
|
@aghassemi What events fall in the category of "isTrusted == true"? I may not understand the significance of "isTrusted", but it seems like there would be events that the runtime trusts come from the user, but wouldn't want to trigger highly disruptive actions. |
|
I used it normally so far error.js:151 Trust for 'submit' (2) insufficient (min: 3). |
|
@MrSeanpull Thanks for reporting this. Per our discussion in design review, we'll rollback this change and review a way forward in #10166. |
Fixes #9699.
Note that this will remove functionality by requiring high trust for some actions. Specifically, the actions:
AMP.goBack<video>.playand<video>.unmute<form>.submit...can no longer be triggered by the following medium-trust events:
change(except from<select>)slideChangesubmit-success,submit-errorinput-debouncedWe don't have any low trust events yet, so actions that require low trust have no effective change.
See this spreadsheet for the canonical trust spec.