On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:

Hello all,


The approval for the Intent To Ship for Origin Isolation By Default / Deprecate document.domain <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> asks for a separate intent for the actual default change <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>. This is that separate intent.


A summary of what happened so far:

- Shipping Origin Isolation by Default (and thereby deprecating document.domain) has security benefits, but compatibility risk.

- We added warnings to the developer console and issues panel, published a blog post, and engaged in direct outreach. This has resulted in a substantial, measurable reduction in usage. Some sites keep using document.domain, but have mitigated the deprecation by other means. This makes the risk difficult to measure.

- Sampling of sites with document.domain usage and manual inspection yields a potential breakage estimate at ~0.015% of page views.


What we're asking for here is:

- Enable the feature at 50% for beta (+ dev + canary) during M109, as a "last call" for web site authors.

This sounds like a good idea. Is there any reason we couldn't go to 50% in M108 as well (or are you trying to avoid breakage over the winter holidays)?

Another question: do we have enterprise policies available for this change?

- Launch on stable on M110. (~ Feb '23, so >12 weeks out from today)



------------------------


        Contact emails


        v...@chromium.org, vogelh...@chromium.org


        Specification


        Explainer: https://github.com/mikewest/deprecating-document-domain


        HTML Spec draft: https://github.com/whatwg/html/compare/main...otherdaniel:dd


        API spec


        Yes


        Summary

This is a follow-on to the Intent to Ship: Origin Isolation By Default / Deprecate document.domain <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. We'd like to ship this in M110, stable.


        Summary (of the underlying change)


        Change the default behavior of the Origin-Agent-Cluster:
        header / document.domain settability.


        Presently, pages within Chromium have site-keyed agent
        clusters by default, unless the Origin-Agent-Cluster: header
        is explicitly set to true. This accommodates pages or frames
        which want to access each other's state, despite being on
        different origins (but within a site). This is fine for any
        pages that wish to do so, but because a page *might* set
        document.domain later on, Chromium currently must use
        site-keyed agent clusters for *all* pages by default even
        though the overwhelming majority of pages do not ever make use
        of this (mis-)feature. In turn, this requires Chromium to use
        sites as the basis for renderer process isolation (via Site
        Isolation), which exposes origins to same-site but
        cross-origin attacks involving compromised renderer processes
        or the "Spectre" family of side-channel attacks.


        This proposal changes the default behaviour of
        Origin-Agent-Cluster. From a developer's point of view, the
        new default matches "Origin-Agent-Cluster: ?1". The initial
        implementation will use origin-keyed agent clusters for all
        (non-opted out) origins, without changing how many processes
        Chromium creates. Over time, we can then adapt Chromium's
        isolation strategy towards origin-keyed processes without
        further affecting web-visible behaviour.


        The developer-visible aspect of this is that for pages with
        origin-keyed agent clusters, document.domain is no longer
        settable. Thus, we have marked this intent as a deprecation.


        Note that this proposal is about the default. Both modes -
        site-keyed or origin-keyed agent clusters - remain available
        to any site, but origin-keyed agent clusters change from
        opt-in to opt-out. The current behaviour remains available by
        setting "Origin-Agent-Cluster: ?0".


        Blink component


        Blink>SecurityFeature


        TAG review


        https://github.com/w3ctag/design-reviews/issues/564


        Risks: Interoperability and Compatibility

There are compatibility risks, which we have reduced with outreach and warnings, and we want to mitigate further by launching at 50% of beta first. An extended discussion of the risk (including attempts at quantitative assessment) can be found in the original intent to ship <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.


Gecko: Standards position request <https://github.com/mozilla/standards-positions/issues/601>. ("Worth prototyping")


WebKit: https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html (No signals.)


Web developers: No signals.


Activation - Deprecation plan


        M109: Enable "Origin Agent Cluster by Default" for 50% of page
        loads on beta, dev, and canary.

M110: Enable "Origin Agent Cluster by Default" on stable.


        Security


        This change should be security-positive, since setting
        document.domain will not have any impact on the origin of the
        document any more.


        Debuggability


        A deprecation warning has been added to DevTools console and
        to the issues panel in M98. This warning will file a
        deprecation report as well using the Reporting API, if so
        configured.


        Will this feature be supported on all six Blink platforms
        (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?


        Yes


        Is this feature fully tested by web-platform-tests
        <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?


        This is covered by Origin-keyed Agent Cluster tests
        <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.


        Tracking bug


        https://crbug.com/1139851


        Launch bug


        https://crbug.com/1246823


        Link to entry on the Chrome Platform Status


        https://chromestatus.com/feature/5428079583297536 (document.domain
        setter deprecation)


        https://chromestatus.com/features/5683766104162304 (Origin-keyed
        agent clusters)


--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer>.

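The following is an added example, not code from the blink-dev thread or from Chromium, showing the practical side of the change discussed above: how the `Origin-Agent-Cluster` header value determines whether an agent cluster is origin-keyed once the default flips, how a site that still depends on `document.domain` can opt back out with `?0`, and how page script should feature-detect the keying instead of assuming the setter works. The path prefixes, the mock request/response objects and the `demo()` inputs are constructed for illustration and are not from the original page.

```javascript
// Added example (not from the blink-dev thread or Chromium): reasoning about,
// and opting out of, the origin-keyed default described in the intent above.
// Runs under Node.js with no dependencies.

// Parse the Origin-Agent-Cluster header value as an RFC 8941 structured-field
// boolean: "?1" -> true, "?0" -> false. A missing or malformed value returns
// null, i.e. "not present", which is how browsers treat an invalid header.
function parseOriginAgentCluster(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const v = headerValue.trim();
  if (v === '?1') return true;
  if (v === '?0') return false;
  return null;
}

// Effective keying of the agent cluster for a document served with
// `headerValue`, given the browser default. Before the change in this intent
// the default is site-keyed (false); from M110 stable it is origin-keyed
// (true). An explicit, valid header always wins over the default.
function agentClusterIsOriginKeyed(headerValue, browserDefaultIsOriginKeyed) {
  const explicit = parseOriginAgentCluster(headerValue);
  return explicit === null ? browserDefaultIsOriginKeyed : explicit;
}

// Server side: opt legacy pages back into site-keyed agent clusters with
// "Origin-Agent-Cluster: ?0". `legacyPrefixes` is an assumed, site-specific
// list of URL path prefixes whose pages still set document.domain. The
// returned function has the (req, res, next) shape of Express/Connect
// middleware but only relies on req.url and res.setHeader.
function originAgentClusterOptOut(legacyPrefixes) {
  return function (req, res, next) {
    const path = (req.url || '').split('?')[0];
    if (legacyPrefixes.some((p) => path.startsWith(p))) {
      res.setHeader('Origin-Agent-Cluster', '?0');
    }
    if (typeof next === 'function') next();
  };
}

// Client side: in an origin-keyed agent cluster the document.domain setter is
// a silent no-op (no exception), so a page must feature-detect through
// window.originAgentCluster rather than try/catch. `win` is passed in so the
// check can run outside a browser; in a page, call documentDomainIsSettable(window).
function documentDomainIsSettable(win) {
  // window.originAgentCluster is true when the cluster is origin-keyed.
  // Browsers without the property predate the feature and are site-keyed.
  return win.originAgentCluster !== true;
}

// Apply the opt-out to constructed request/response pairs (not real traffic)
// and return which responses received the header, so it can be checked offline.
function demo() {
  const middleware = originAgentClusterOptOut(['/legacy/', '/widgets/']);
  const results = {};
  for (const url of ['/legacy/frame.html?x=1', '/app/index.html']) {
    const headers = {};
    const res = { setHeader: (k, v) => { headers[k] = v; } };
    middleware({ url }, res, () => {});
    results[url] = headers['Origin-Agent-Cluster'] || null;
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log('origin-keyed under M110 default, no header:',
    agentClusterIsOriginKeyed(undefined, true));
  console.log('origin-keyed with ?0 opt-out:',
    agentClusterIsOriginKeyed('?0', true));
}
```

Two caveats for anyone using the opt-out: every origin that wants to share access via `document.domain` (the parent and each cooperating frame) must send `?0`, and the keying of an origin is fixed by the first document from that origin loaded into a browsing context group, so the header has to be served consistently across that origin's documents rather than only on the page that happens to call the setter.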