Thank you all!
On Fri, Apr 15, 2022 at 10:22 PM Yoav Weiss <yoavwe...@chromium.org> wrote: > LGTM3 > > On Fri, Apr 15, 2022, 23:24 Chris Harrelson <chris...@chromium.org> wrote: > >> LGTM2 >> >> On Fri, Apr 15, 2022 at 2:20 PM Mason Freed <mas...@chromium.org> wrote: >> >>> >>> On Fri, Apr 15, 2022 at 2:17 PM Mike Taylor <miketa...@chromium.org> >>> wrote: >>> >>>> Fantastic - nice work on the compat analysis. LGTM. >>>> >>> >>> Thanks! >>> >>> >>>> On 4/15/22 5:02 PM, Mason Freed wrote: >>>> >>>> No problem! So here too, I think I have an answer for you. As part of >>>> the discussion around deprecating this functionality, I did exactly that: >>>> an HTTP Archive search for <object> containing <param>. See this >>>> comment >>>> <https://github.com/whatwg/html/issues/387#issuecomment-961271400>, >>>> which links to this spreadsheet >>>> <https://docs.google.com/spreadsheets/d/1Fo3F6IIOMFbXH116Y22950CSSksvuRLLwO3c5Kn8E90/edit?resourcekey=0-U-u5Uecsr9aK2S-CWSwPDg#gid=1743741361> >>>> with >>>> results. Also, importantly, see this reply comment >>>> <https://github.com/whatwg/html/issues/387#issuecomment-961362808> >>>> with more analysis. >>>> >>>> The TL;DR is that in the end, we did not find any issues with the top >>>> ~20 sites we found. And while we were looking only for PDF-related params, >>>> that's all that Chromium currently supports anyway, so that should be all >>>> we're capable of breaking. >>>> >>>> LMK if the above satisfies your desire to do more spot checking, or if >>>> you'd prefer I look deeper. >>>> >>>> Thanks, >>>> Mason >>>> >>>> >>>> On Fri, Apr 15, 2022 at 1:52 PM Mike Taylor <miketa...@chromium.org> >>>> wrote: >>>> >>>>> Oh cool, I didn't notice the fallback iframe or embed, thanks for >>>>> pointing that out! I think just to be on the safe side, searching HTTP >>>>> Archive for a list of sites that have an <object> with non-swf <param> >>>>> values would be nice to look at, and we could spot check a small pile to >>>>> ensure this fallback pattern holds and we're not breaking video playback >>>>> on >>>>> sites that may not be maintained. >>>>> >>>>> On 4/15/22 2:31 PM, Mason Freed wrote: >>>>> >>>>> Thanks for digging into the example sites there! So I looked further >>>>> into the two examples you gave, and I think what's actually going on in >>>>> both cases is that the <object> also contains fallback content which is >>>>> what you're seeing: >>>>> >>>>> For http://sextherapy.ru/, the full <object> looks like this: >>>>> >>>>> <object width="180" height="100" >>>>> classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" >>>>> codebase=" >>>>> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0 >>>>> "> >>>>> <param name="allowFullScreen" value="true" /> >>>>> <param name="allowscriptaccess" value="always" /> >>>>> <param name="src" value="// >>>>> www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0" /> >>>>> <param name="allowfullscreen" value="true" /> >>>>> <embed width="180" height="100" >>>>> type="application/x-shockwave-flash" >>>>> src="// >>>>> www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0" >>>>> allowFullScreen="true" allowscriptaccess="always" >>>>> allowfullscreen="true" /> >>>>> </object> >>>>> >>>>> The <param>s in this example aren't actually doing anything - you can >>>>> remove them and still see the video, since it's provided by the fallback >>>>> <embed>. It looks like those params were maybe meant to talk to an SWF >>>>> object? >>>>> >>>>> Similarly, for https://jackrussell.forumattivo.com/, the <object> is >>>>> this: >>>>> <object width="560" height="340"> >>>>> <param name="movie" value=" >>>>> https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&";></param> >>>>> <param name="allowFullScreen" value="true"></param> >>>>> <param name="allowscriptaccess" value="always"></param> >>>>> <iframe width="560" height="315" src=" >>>>> https://www.youtube.com/embed/_ikcScPyKUQ"; >>>>> frameborder="0" allowfullscreen=""></iframe> >>>>> </object> >>>>> >>>>> Again, the <param>s aren't doing anything here, and the fallback >>>>> <iframe> contains the "real" content. >>>>> >>>>> I also confirmed that with the proposed behavior disabled (i.e. >>>>> <param>s can't provide URLs), both example sites still work. >>>>> >>>>> I'm happy to look further into other such examples if you like, but I >>>>> think these two examples should be "ok". >>>>> >>>>> Again, thanks for taking a look! >>>>> >>>>> Thanks, >>>>> Mason >>>>> >>>>> >>>>> >>>>> On Fri, Apr 15, 2022 at 11:06 AM Mike Taylor <miketa...@chromium.org> >>>>> wrote: >>>>> >>>>>> On 4/13/22 12:48 PM, Mason Freed wrote: >>>>>> >>>>>> Contact emails mas...@chromium.org >>>>>> >>>>>> Explainer https://github.com/whatwg/html/pull/7816 >>>>>> https://github.com/whatwg/html/issues/6003 >>>>>> >>>>>> Specification https://github.com/whatwg/html/pull/7816 >>>>>> >>>>>> Summary >>>>>> >>>>>> The <param> element can be used to specify parameters such as a URL >>>>>> (via params named "movie", "src", "code", "data", or "url") to a >>>>>> containing >>>>>> <object> element. Given the removal of plugins from the web platform, and >>>>>> the relative lack of use of this particular functionality, we would like >>>>>> to >>>>>> deprecate and remove it. >>>>>> >>>>>> >>>>>> Blink component Blink >>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> >>>>>> >>>>>> Motivation >>>>>> >>>>>> Given that plugins are gone from the web platform (with their full >>>>>> removal from the spec being tracked in >>>>>> https://github.com/whatwg/html/issues/6003), it is not useful. In >>>>>> some browsers it can be used to figure out the URL of an <object>, even >>>>>> when that <object> is not being used for a plugin, via params named >>>>>> "movie", "src", "code", "data", or "url". But we decided to remove this >>>>>> behavior from browsers instead of specifying it. This retains the >>>>>> HTMLParamElement interface, as well as the parser behavior of <param>. >>>>>> >>>>>> >>>>>> Initial public proposal >>>>>> >>>>>> Search tags <param> >>>>>> <https://chromestatus.com/features#tags:%3Cparam%3E>, <object> >>>>>> <https://chromestatus.com/features#tags:%3Cobject%3E> >>>>>> >>>>>> TAG review >>>>>> >>>>>> TAG review status Not applicable >>>>>> >>>>>> Risks >>>>>> >>>>>> >>>>>> Interoperability and Compatibility >>>>>> >>>>>> Gecko: Shipped/Shipping ( >>>>>> https://github.com/whatwg/html/issues/387#issuecomment-1088331300) >>>>>> Issue was initially raised by Mozilla, and Gecko already does not process >>>>>> param at all. >>>>>> >>>>>> WebKit: No signal (https://bugs.webkit.org/show_bug.cgi?id=239188) >>>>>> No response on the bug yet. >>>>>> >>>>>> Web developers: No signals >>>>>> >>>>>> Other signals: >>>>>> >>>>>> Ergonomics >>>>>> >>>>>> Since this is a deprecation, there is a Web Compat risk. I added use >>>>>> counters for the situations that will be affected: - <param> that >>>>>> specifies >>>>>> a URL, inside an <object> that doesn't: 0.04%, >>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/4010 - >>>>>> As above, but URL successfully resolves to a (supported) PDF resource: >>>>>> 0.00002%, >>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/4110 - >>>>>> As above, but URL successfully resolves to an (unsupported) non-PDF >>>>>> resource: not measurable, >>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/4111 So >>>>>> the vast majority (99.95%) of <param> URL usage appears to point to >>>>>> invalid >>>>>> resources - likely mostly Flash. A very small percentage (0.05% of >>>>>> <param>-with-URL usage, 0.00002% of web page loads) are likely to break >>>>>> when we deprecate this functionality. >>>>>> >>>>>> I clicked on the first 20 results from >>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/4010 >>>>>> (careful, 1 is NSFW), and 18 contain busted SWFs. But two of them are >>>>>> embedding youtube videos via <param>: >>>>>> >>>>>> https://jackrussell.forumattivo.com/ has an <object> that has a >>>>>> child param name="movie" value= >>>>>> "https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&"; >>>>>> <https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;>>. >>>>>> >>>>>> http://sextherapy.ru/ (SFW-ish, at least on the homepage)<param >>>>>> name="src" value="// >>>>>> www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0" /> >>>>>> >>>>>> I had no idea that was possible - can we dig in some more to see how >>>>>> many params have a value with "youtube.com", to see if I got lucky >>>>>> and found the only 2, or if a lot of sites are relying on this behavior? >>>>>> >>>>>> >>>>>> >>>>>> WebView Application Risks >>>>>> >>>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>>> that it has potentially high risk for Android WebView-based applications? >>>>>> >>>>>> >>>>>> Debuggability >>>>>> >>>>>> Deprecation. >>>>>> >>>>>> >>>>>> Is this feature fully tested by web-platform-tests >>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>> ? Yes >>>>>> >>>>>> Flag name >>>>>> >>>>>> Requires code in //chrome? False >>>>>> >>>>>> Tracking bug https://crbug.com/1315717 >>>>>> >>>>>> Estimated milestones >>>>>> >>>>>> No milestones specified >>>>>> >>>>>> >>>>>> Link to entry on the Chrome Platform Status >>>>>> https://chromestatus.com/feature/6283184588193792 >>>>>> >>>>>> This intent message was generated by Chrome Platform Status >>>>>> <https://chromestatus.com/>. >>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhXTo%3Dg3scg7KF8g%3Dn5a4rA%3D6UD5cAxTBn9HetnAO%2BJ-A%40mail.gmail.com >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhXTo%3Dg3scg7KF8g%3Dn5a4rA%3D6UD5cAxTBn9HetnAO%2BJ-A%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>>> >>>>>> >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDg6ZHCp6Ty%2BOAJab8cC94aXK8k5z6yq7sq2eFvj_8S5xw%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDg6ZHCp6Ty%2BOAJab8cC94aXK8k5z6yq7sq2eFvj_8S5xw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> > To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_-EbcQjj4T%2Beoe_NybqSKHeaLSHc4bNA2bTsB3ZH-gqg%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_-EbcQjj4T%2Beoe_NybqSKHeaLSHc4bNA2bTsB3ZH-gqg%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDjyucqTxf4xTd5MnEOgt_Cv9d0vXWochAcarGiMC6rT%3DQ%40mail.gmail.com.
