LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 or M109, and carefully roll this out for M110, once it hits stable.

On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim <vogelh...@google.com> wrote:
> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor <miketa...@chromium.org> wrote:
>
>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
>>
>> Hello all,
>>
>> The approval for the Intent To Ship for Origin Isolation By Default /
>> Deprecate document.domain
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>
>> asks for a separate intent for the actual default change
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>.
>> This is that separate intent.
>>
>> A summary of what happened so far:
>>
>> - Shipping Origin Isolation by Default (and thereby deprecating
>> document.domain) has security benefits, but compatibility risk.
>>
>> - We added warnings to the developer console and issues panel, published
>> a blog post, and engaged in direct outreach. This has resulted in
>> substantial, measurable reduction of usage. Some sites keep using
>> document.domain, but have mitigated the deprecation with other means. This
>> makes the risk difficult to measure.
>>
>> - Sampling of sites with document.domain usage and manual inspection
>> yields a potential breakage estimate at ~0.015% of page views.
>>
>> What we're asking for here is:
>>
>> - Enable the feature at 50% for beta (+ dev + canary) during M109, as a
>> "last call" for web site authors.
>>
>> This sounds like a good idea. Is there any reason we couldn't go to 50%
>> in M108 as well (or are you trying to avoid breakage over the winter
>> holidays)?
>>
> No reason. I'd be happy to go to beta as soon as I receive the lgtms. I
> had conservatively budgeted that to be 109. :-)
>
>
>> Another question: do we have enterprise policies available for this
>> change?
>>
>
> Yes; the policy is here: OriginAgentClusterDefaultEnabled
> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>
>
>
>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from today)
>>
>>
>> ------------------------
>>
>> Contact emails v...@chromium.org, vogelh...@chromium.org
>> Specification Explainer:
>> https://github.com/mikewest/deprecating-document-domain
>> HTML Spec draft:
>> https://github.com/whatwg/html/compare/main...otherdaniel:dd
>> API spec Yes
>> Summary
>>
>> This is a follow-on to the Intent to Ship: Origin Isolation By Default /
>> Deprecate document.domain
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. We'd
>> like to ship this in M110, stable.
>>
>> Summary (of the underlying change) Change the default behavior of the
>> Origin-Agent-Cluster: header / document.domain settability.
>> Presently, pages within Chromium have site-keyed agent clusters by
>> default, unless the Origin-Agent-Cluster: header is explicitly set to true.
>> This accommodates pages or frames which want to access each other's state,
>> despite being on different origins (but within a site). This is fine for
>> any pages that wish to do so, but because a page *might* set
>> document.domain later on, Chromium currently must use site-keyed agent
>> clusters for *all* pages by default even though the overwhelming majority
>> of pages do not ever make use of this (mis-)feature. In turn, this requires
>> Chromium to use sites as the basis for renderer process isolation (via Site
>> Isolation), which exposes origins to same-site but cross-origin attacks
>> involving compromised renderer processes or the "Spectre" family of
>> side-channel attacks.
>> This proposal changes the default behaviour of Origin-Agent-Cluster. From
>> a developer's point of view, the new default matches "Origin-Agent-Cluster:
>> ?1".
>> The initial implementation will use origin-keyed agent clusters for
>> all (non-opted out) origins, without changing how many processes Chromium
>> creates. Over time, we can then adapt Chromium's isolation strategy towards
>> origin-keyed processes without further affecting web-visible behaviour.
>> The developer-visible aspect of this is that for pages with origin-keyed
>> agent clusters, document.domain is no longer settable. Thus, we have marked
>> this intent as a deprecation.
>> Note that this proposal is about the default. Both modes - site-keyed or
>> origin-keyed agent clusters - remain available to any site, but
>> origin-keyed agent clusters change from opt-in to opt-out. The current
>> behaviour remains available by setting "Origin-Agent-Cluster: ?0".
>> Blink component Blink>SecurityFeature
>> TAG review https://github.com/w3ctag/design-reviews/issues/564
>> Risks: Interoperability and Compatibility
>>
>> There are compatibility risks, which we have reduced with outreach and
>> warnings, and we want to mitigate further by launching at 50% of beta
>> first. An extended discussion of the risk (including attempts at
>> quantitative assessment) can be found in the original intent to ship
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>
>> Gecko: Standards position request
>> <https://github.com/mozilla/standards-positions/issues/601>. ("Worth
>> prototyping")
>>
>> WebKit:
>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html
>> (No signals.)
>>
>> Web developers: No signals.
>>
>> Activation - Deprecation plan
>> M109: Enable "Origin Agent Cluster by Default" for 50% of page loads on
>> beta, dev, and canary.
>>
>> M110: Enable "Origin Agent Cluster by Default" on stable.
>> Security This change should be security-positive, since setting
>> document.domain will not have any impact on the origin of the document any
>> more.
>> Debuggability A deprecation warning has been added to DevTools console
>> and to the issues panel in M98. This warning will file a deprecation report
>> as well using the Reporting API, if so configured.
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, Chrome OS, Android, and Android WebView)? Yes
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>
>> ? This is covered by Origin-keyed Agent Cluster tests
>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.
>> Tracking bug https://crbug.com/1139851
>> Launch bug https://crbug.com/1246823
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5428079583297536 (document.domain
>> setter deprecation) https://chromestatus.com/features/5683766104162304
>> (Origin-keyed agent clusters)
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
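
Added example, not part of the thread and not Chromium code: a Node.js sketch for auditing which origins change behaviour when the default flips, using the header semantics quoted above (`?1` origin-keyed, `?0` opt-out, absent takes the default). The function names, the sample origins, the simplified structured-field parse and the treatment of unparseable values as absent are assumptions.

```javascript
// Added example; not Chromium code. Names and sample data are assumptions.

// Simplified structured-field boolean parse: "?1" or "?0", optionally
// followed by parameters. Returns true, false, or null. Assumption: a value
// that is not a boolean item (e.g. "true", "?1, ?1") counts as absent.
function parseOacHeader(value) {
  if (value === undefined || value === null) return null;
  const m = /^\?([01])(;.*)?$/.exec(String(value).trim());
  return m ? m[1] === "1" : null;
}

// defaultOriginKeyed: false = behaviour before the change,
// true = "Origin Agent Cluster by Default".
function agentClusterKeying(headerValue, defaultOriginKeyed) {
  const requested = parseOacHeader(headerValue);
  const originKeyed = requested === null ? defaultOriginKeyed : requested;
  return originKeyed ? "origin-keyed" : "site-keyed";
}

// For each response, report keying before/after and whether the page keeps
// a settable document.domain (only site-keyed agent clusters do).
function auditResponses(responses) {
  return responses.map(({ origin, header }) => {
    const before = agentClusterKeying(header, false);
    const after = agentClusterKeying(header, true);
    return {
      origin, before, after,
      documentDomainSettableAfter: after === "site-keyed",
      changesAtRollout: before !== after,
    };
  });
}

// Constructed sample: header values as they might be captured per origin.
const SAMPLE_RESPONSES = [
  { origin: "https://app.example.test", header: undefined },
  { origin: "https://cdn.example.test", header: "?1" },
  { origin: "https://legacy.example.test", header: "?0" },
  { origin: "https://typo.example.test", header: "true" },
];

for (const row of auditResponses(SAMPLE_RESPONSES)) {
  console.log(JSON.stringify(row));
}
```

Rows with `changesAtRollout: true` are the origins to check for `document.domain` use before the stable rollout.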