Hello all, We've now handled the bugs we've discovered, and I would like to make another attempt at launching. I'll follow the plan that was approved here, but two milestones later: Launch to 50% beta in M111 (or late M110, if I can still catch a bit of that release cycle), and then ramp on stable once M112 is out.
On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim <vogelh...@google.com> wrote: > Hello all, > > An update: Unfortunately we have discovered a bug with this feature, just > as I was getting ready to enable it. The bug also affects pages that > have not even set document.domain. Since I have now missed a substantial > portion of the 109 beta cycle I'd like to delay the roll out once more, and > shift it by one milestone (or two; depending on when everything is fixed). > > On the positive side: Recently the last of the previously identified > big document.domain users, that together accounted for about 50% of > remaining usage, has dropped their usage. So current usage is lower than > previously reported. See the usage dip around late November at > deprecate.it (1st graph). > > On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor <miketa...@chromium.org> > wrote: > >> LGTM3 >> >> On 11/10/22 11:18 AM, Chris Harrelson wrote: >> >> LGTM2 >> >> On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> wrote: >> >>> LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 or >>> M109, and carefully roll this out for M110, once it hits stable. >>> >>> On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim <vogelh...@google.com> >>> wrote: >>> >>>> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor <miketa...@chromium.org> >>>> wrote: >>>> >>>>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote: >>>>> >>>>> Hello all, >>>>> >>>>> The approval for the Intent To Ship for Origin Isolation By Default / >>>>> Deprecate document.domain >>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> >>>>> asks for a separate intent for the actual default change >>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>. >>>>> This is that separate intent. >>>>> >>>>> A summary of what happened so far: >>>>> >>>>> - Shipping Origin Isolation by Default (and thereby deprecating >>>>> document.domain) has security benefits, but compatibility risk. >>>>> >>>>> - We added warnings to the developer console and issues panel, >>>>> published a blog post, and engaged in direct outreach. This has resulted >>>>> in >>>>> substantial, measurable reduction of usage. Some sites keep using >>>>> document.domain, but have mitigated the deprecation with other means. This >>>>> makes the risk difficult to measure. >>>>> >>>>> - Sampling of sites with document.domain usage and manual inspection >>>>> yields a potential breakage estimate at ~0.015% of page views. >>>>> >>>>> What we're asking for here is: >>>>> >>>>> - Enable the feature at 50% for beta (+ dev + canary) during M109, as >>>>> a "last call" for web site authors. >>>>> >>>>> This sounds like a good idea. Is there any reason we couldn't go to >>>>> 50% in M108 as well (or are you trying to avoid breakage over the winter >>>>> holidays)? >>>>> >>>> No reason. I'd be happy to go to beta as soon as I receive the lgtms. I >>>> had conservatively budgeted that to be 109. :-) >>>> >>>> >>>>> Another question: do we have enterprise policies available for this >>>>> change? >>>>> >>>> >>>> Yes; the policy is here: OriginAgentClusterDefaultEnabled >>>> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml> >>>> >>>> >>>>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from today) >>>>> >>>>> >>>>> ------------------------ >>>>> >>>>> Contact emails v...@chromium.org, vogelh...@chromium.org >>>>> Specification Explainer: >>>>> https://github.com/mikewest/deprecating-document-domain HTML Spec >>>>> draft: https://github.com/whatwg/html/compare/main...otherdaniel:dd >>>>> API spec Yes >>>>> Summary >>>>> >>>>> This is a follow-on to the Intent to Ship: Origin Isolation By >>>>> Default / Deprecate document.domain >>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. >>>>> We'd >>>>> like to ship this in M110, stable. >>>>> >>>>> Summary (of the underlying change) Change the default behavior of the >>>>> Origin-Agent-Cluster: header / document.domain settability. >>>>> Presently, pages within Chromium have site-keyed agent clusters by >>>>> default, unless the Origin-Agent-Cluster: header is explicitly set to >>>>> true. >>>>> This accommodates pages or frames which want to access each other's state, >>>>> despite being on different origins (but within a site). This is fine for >>>>> any pages that wish to do so, but because a page *might* set >>>>> document.domain later on, Chromium currently must use site-keyed agent >>>>> clusters for *all* pages by default even though the overwhelming majority >>>>> of pages do not ever make use of this (mis-)feature. In turn, this >>>>> requires >>>>> Chromium to use sites as the basis for renderer process isolation (via >>>>> Site >>>>> Isolation), which exposes origins to same-site but cross-origin attacks >>>>> involving compromised renderer processes or the "Spectre" family of >>>>> side-channel attacks. >>>>> This proposal changes the default behaviour of Origin-Agent-Cluster. >>>>> From a developer's point of view, the new default matches >>>>> "Origin-Agent-Cluster: ?1". The initial implementation will use >>>>> origin-keyed agent clusters for all (non-opted out) origins, without >>>>> changing how many processes Chromium creates. Over time, we can then adapt >>>>> Chromium's isolation strategy towards origin-keyed processes without >>>>> further affecting web-visible behaviour. >>>>> The developer-visible aspect of this is that for pages with >>>>> origin-keyed agent clusters, document.domain is no longer settable. Thus, >>>>> we have marked this intent as a deprecation. >>>>> Note that this proposal is about the default. Both modes - site-keyed >>>>> or origin-keyed agent clusters - remain available to any site, but >>>>> origin-keyed agent clusters change from opt-in to opt-out. The current >>>>> behaviour remains available by setting "Origin-Agent-Cluster: ?0". >>>>> Blink component Blink>SecurityFeature >>>>> TAG review https://github.com/w3ctag/design-reviews/issues/564 >>>>> Risks: Interoperability and Compatibility >>>>> >>>>> There are compatibility risks, which we have reduced with outreach and >>>>> warnings, and we want to mitigate further by launching at 50% of beta >>>>> first. An extended discussion of the risk (including attempts at >>>>> quantitative assessment) can be found in the original intent to ship >>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. >>>>> >>>>> Gecko: Standards position request >>>>> <https://github.com/mozilla/standards-positions/issues/601>. ("Worth >>>>> prototyping") >>>>> >>>>> WebKit: >>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html >>>>> (No signals.) >>>>> >>>>> Web developers: No signals. >>>>> >>>>> Activation - Deprecation plan >>>>> M109: Enable "Origin Agent Cluster by Default" for 50% of page loads >>>>> on beta, dev, and canary. >>>>> >>>>> M110: Enable "Origin Agent Cluster by Default" on stable. >>>>> Security This change should be security-positive, since setting >>>>> document.domain will not have any impact on the origin of the document any >>>>> more. >>>>> Debuggability A deprecation warning has been added to DevTools >>>>> console and to the issues panel in M98. This warning will file a >>>>> deprecation report as well using the Reporting API, if so configured. >>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>> ? This is covered by Origin-keyed Agent Cluster tests >>>>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>. >>>>> Tracking bug https://crbug.com/1139851 >>>>> Launch bug https://crbug.com/1246823 >>>>> Link to entry on the Chrome Platform Status >>>>> https://chromestatus.com/feature/5428079583297536 (document.domain >>>>> setter deprecation) https://chromestatus.com/features/5683766104162304 >>>>> (Origin-keyed agent clusters) >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+unsubscr...@chromium.org. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>>> >>>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com.