New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I2I: amp-form: Initialize form from URL #24876
Comments
Does applying the URL values trigger change events on the inputs that can be reacted to via amp-bind/amp-script? |
@cramforce Yes. See PR #24671 . If any form input is updated the following event is fired:
One of the TODO items on that PR is "Verify it is sufficient to fire one amp form update event at the end of form initialization instead of one per input updated". I'm still not sure that this change is significant enough to warrant a full design document, but I'm at least familiarizing myself with the expectations and can write one if it would help answer questions like these. |
I'm worried that this leads to jumping on page load. |
Yea, changing input values is ok as long as they don't affect size or position. But anything that can cause content jumping must not be allowed. This is also probably the wrong usage of Re: the Something like: <amp-state data-amp-replace="QUERY_PARAM" id=local_data>
{
"foo": "QUERY_PARAM(q)"
}
</amp-state>
<amp-list src="amp://local_data">
<template type=amp-mustache>
<input value="{{foo}}">
</template>
</amp-list> Probably needs more thought to discourage excessive client-side rendering. |
Just saw your PR. A targeted, form-specific feature seems simpler and reasonable too. Though we need to watch out for content jumping due to CSS selectors like |
Thanks for your input @choumx . Interesting, I intentionally used I appreciate the idea in your |
cc @ampproject/wg-ui-and-a11y and @caroqliu |
@ampproject/wg-caching What are the considerations regarding query params leaking to forms? Is this a security concern here? |
Interesting, I don't think I'm knowledgeable enough to answer that fully. Do components have access to the URL already? IOW, does this change give components access to data it doesn't already have? It seems from the design review that there is concern that it should be given a security review. |
@honeybadgerdontcare Others may be able to provide additional details, but I believe this summarizes the discussion from the design review: Components have had access to certain parameters in the URL for quite a while thanks to variable substitutions:
Where a security review could be warranted is that the suggested implementation |
@mattwomple could we require a specific prefix for these query parameters, e.g. |
@honeybadgerdontcare I suppose I'm not sure who this benefits.
|
Perhaps I misunderstand the implementation here. I was under the impression that there may be URL query parameters (on the original document) that shouldn't be accessible to components. For example a unique id for analytics but shouldn't be shared to form fields that could be sent to another server. By using an explicit prefix then those query parameters are stating they know they may be accessed by components such as |
Ah, sure, good example. Then yes, either whitelisting or blacklisting individual fields would be worthwhile! |
One question I had: Should this be turned on on the AMP Cache at all? |
It's reasonable to suggest that this feature doesn't need to work when pages are served from the AMP cache. No publisher is going to want to share a link like |
Follow-up to Design Review 2019-10-23 (#24591) and other comments
The example page included in PR #24671 has been updated to match these design considerations. Direct link to sample page using pr-deploy-bot. Notably, it shows some sample layout hacking on page load that could be (ab)used if this feature is accepted. |
|
Well, remember that desktop computers are still a thing, so that's a reasonable market share that depends on indexing without caring about AMP caches. And if you live in my fantasy world where signed exchanges will – in reasonable time? – have widespread support, then the AMP cache concern becomes moot; the amp page is no longer tied to the search domain.
The approach I've taken in PR #24671 is to bail out if a proxy (cache) origin is detected:
The stakes are lower here since we're only talking about client-side programming. The only real concern is "can a user submit a form without knowing what they are submitting?" I argue that this is already possible today, and in AMP. Drop an Similarly, there already exists a feature in AMP to populate hidden inputs just before form submission; see amp-form: Variable Substitutions. Outside of AMP, this same feature can be accomplished with a few lines of JavaScript (error handling omitted for brevity):
So, I really don't think we're letting any new dragons loose with this feature request. |
Fair enough. I'd still argue it'd be useful to support this on cache so that mobile in-viewer results are displayed the same as on-origin, but if folks are concerned about the safety of running this feature on-cache, I would just make sure we document this limitation.
I think your statement of the concern is correct. (In the extreme case, the publisher may style the submit button to look like a link, and the user may not think they are submitting anything.) Agreed it's already possible (maybe with amp-script, too?), but I think it's worth designing what's easy/hard, since people will mostly do what's easy. It sounds like you're saying we can defer security countermeasures until the server-side, since that's where the potentially dangerous effect actually takes place. I can see that argument, but also an argument for defense-in-depth when it's possible and doesn't hurt DX too much. Looking at Rails' response to its own high-profile mass assignment vulnerabilities, I see three things:
Regarding whitelisting/blacklisting, I guess there are several ways to go. I'll throw out my strawman but I'm not tied too strongly to it:
(Sorry if I'm retreading old ground! I came to this thread late.) |
Thanks @twifkak, all of your comments are appreciated. I believe the field whitelisting performed in PR #24671 satisfies the bulk of your whitelisting-related suggestions: each field must have attribute I understand this thread and that PR have seen plenty of comments and code changes, so I'll work on adding documentation to the PR soon. Then, everyone can verify the implementation matches the design goals. Thanks for your patience. |
Ah, yes, I agree. I hadn't read the PR. Thanks! |
PR #24671 now includes unit tests and documentation. It has been moved out of draft status. Reviews appreciated! pr-deploy-bot sample |
👏 |
Summary
Introduce
amp-form
attributeinitialize-from-url
to populate form inputson page load from URL query parameter values.
Feature request (#24533) and work-in-progress pull request (#24671) already exist, but it was suggested this is significant enough of a change to warrant an I2I.
Design document
(none)
Motivation
When a user navigates to a search results URL like
/search?q=my+search
, it is typically expected that the search text input on the page is populated with the search term, in this casemy search
. It is already possible to populate an<amp-list>
via query parameters thanks to AMP variable substitution withQUERY_PARAM
, so it would be great if AMP allowed setting default values of form inputs by checking the URL. For example, if new<amp-form>
attributeinitialize-from-url
existed, then inputs under the form could have their default value set from the URL GET parameters.Alternatives considered
It is possible output each form input using
amp-list
. Thevalue
attributes of inputs can then be set with mustache, e.g.<input name="search" type="text" value="{{search}}">
. This requires a special endpoint created to echo back query parameters. Example:https://ampsupport.wompmobile.com/echoquery/dictionaryformat?q=QUERY_PARAM(q)
. This has obvious disadvantages:placeholder
andfallback
inamp-list
cannot contain the same input or else the form risks having multiple inputs with the samename
attribute (they are all in the DOM even if they are not all visible)Additional context
Minimal example with
<amp-list>
workaround incorporated:android.cmphys.com/temp/amp-form-ex.html?q=my+search
Worth noting, the reason the inputs are initialized to
my+search
is due to bug #24534 which has PR #24626 waiting for review./cc @ampproject/wg-approvers @caroqliu
The text was updated successfully, but these errors were encountered: