Should the spec require the page-specified onbeforeunload message not be used? #952

@avidrissman

In its onbeforeunload function, a page specifies a string to be shown in the prompt. According to the spec in step 7:

The prompt shown by the user agent may include the string of the returnValue attribute, optionally truncated.

The majority of browsers take advantage of the word "may" in that step and do not include the page's string in that prompt:

  • Firefox does not do so, and hasn't since Firefox 4. As they say in the relevant bug, they removed that ability as it was a security issue.
  • Safari does not do so starting with version 9.1. They too consider this a security fix for the vulnerability that was assigned CVE-2009-2197 and noted in their release notes.
  • Chrome and Opera have stopped doing so as of Chrome 51 and Opera 38. As with the other vendors, we consider using page-supplied text in a privileged-appearing dialog as a security fix.

Is it appropriate for the spec to follow the behavior of the browsers here?
