We'll make the update in the enterprise release notes too. Thanks for keeping us in the loop.
On Mon, Jan 16, 2023 at 9:46 AM Rick Byers <rby...@chromium.org> wrote:
> Thanks so much Eiji!
>
> On Mon, Jan 16, 2023 at 3:06 AM Eiji Kitamura <agek...@google.com> wrote:
>
>> I've updated the blog post
>> <https://developer.chrome.com/blog/immutable-document-domain/> stating
>> Chrome 111 is where we ship the feature, but looks like it's rolling out
>> through 111 and 112?
>> I'll update the blog post to mention `OriginAgentClusterDefaultEnabled`
>> enterprise policy.
>>
>> On Sat, Jan 14, 2023 at 1:37 AM Rick Byers <rby...@chromium.org> wrote:
>>
>>> Thanks for the update Daniel, good luck!
>>>
>>> In case others, like me, have missed or forgotten the long history of
>>> this difficult deprecation and what it means for web developers, this blog
>>> post is a good summary
>>> <https://developer.chrome.com/blog/immutable-document-domain/>. One
>>> critical thing it doesn't mention, but probably should, is that the
>>> OriginAgentClusterDefaultEnabled enterprise policy
>>> <https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled>
>>> can also be used to revert the default on managed devices (though it looks
>>> like the launching milestone needs to be updated there too).
>>>
>>> Rick
>>>
>>> On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim' via blink-dev <blink-dev@chromium.org> wrote:
>>>
>>>> Hello all,
>>>>
>>>> We've now handled the bugs we've discovered, and I would like to make
>>>> another attempt at launching. I'll follow the plan that was approved here,
>>>> but two milestones later: Launch to 50% beta in M111 (or late M110, if I
>>>> can still catch a bit of that release cycle), and then ramp on stable once
>>>> M112 is out.
>>>>
>>>> On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim <vogelh...@google.com> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> An update: Unfortunately we have discovered a bug with this feature,
>>>>> just as I was getting ready to enable it.
>>>>> The bug also affects pages that have not even set document.domain.
>>>>> Since I have now missed a substantial portion of the 109 beta cycle
>>>>> I'd like to delay the roll out once more, and shift it by one
>>>>> milestone (or two; depending on when everything is fixed).
>>>>>
>>>>> On the positive side: Recently the last of the previously identified
>>>>> big document.domain users, that together accounted for about 50% of
>>>>> remaining usage, has dropped their usage. So current usage is lower than
>>>>> previously reported. See the usage dip around late November at
>>>>> deprecate.it (1st graph).
>>>>>
>>>>> On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor <miketa...@chromium.org> wrote:
>>>>>
>>>>>> LGTM3
>>>>>>
>>>>>> On 11/10/22 11:18 AM, Chris Harrelson wrote:
>>>>>>
>>>>>> LGTM2
>>>>>>
>>>>>> On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>>>>>>
>>>>>>> LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 or
>>>>>>> M109, and carefully roll this out for M110, once it hits stable.
>>>>>>>
>>>>>>> On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim <vogelh...@google.com> wrote:
>>>>>>>
>>>>>>>> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor <miketa...@chromium.org> wrote:
>>>>>>>>
>>>>>>>>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
>>>>>>>>>
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> The approval for the Intent To Ship for Origin Isolation By
>>>>>>>>> Default / Deprecate document.domain
>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>
>>>>>>>>> asks for a separate intent for the actual default change
>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>.
>>>>>>>>> This is that separate intent.
>>>>>>>>>
>>>>>>>>> A summary of what happened so far:
>>>>>>>>>
>>>>>>>>> - Shipping Origin Isolation by Default (and thereby deprecating
>>>>>>>>> document.domain) has security benefits, but compatibility risk.
>>>>>>>>>
>>>>>>>>> - We added warnings to the developer console and issues panel,
>>>>>>>>> published a blog post, and engaged in direct outreach. This has
>>>>>>>>> resulted in substantial, measurable reduction of usage. Some sites
>>>>>>>>> keep using document.domain, but have mitigated the deprecation with
>>>>>>>>> other means. This makes the risk difficult to measure.
>>>>>>>>>
>>>>>>>>> - Sampling of sites with document.domain usage and manual
>>>>>>>>> inspection yields a potential breakage estimate at ~0.015% of page
>>>>>>>>> views.
>>>>>>>>>
>>>>>>>>> What we're asking for here is:
>>>>>>>>>
>>>>>>>>> - Enable the feature at 50% for beta (+ dev + canary) during M109,
>>>>>>>>> as a "last call" for web site authors.
>>>>>>>>>
>>>>>>>>> This sounds like a good idea. Is there any reason we couldn't go
>>>>>>>>> to 50% in M108 as well (or are you trying to avoid breakage over the
>>>>>>>>> winter holidays)?
>>>>>>>>>
>>>>>>>> No reason. I'd be happy to go to beta as soon as I receive the
>>>>>>>> lgtms. I had conservatively budgeted that to be 109. :-)
>>>>>>>>
>>>>>>>>> Another question: do we have enterprise policies available for
>>>>>>>>> this change?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Yes; the policy is here: OriginAgentClusterDefaultEnabled
>>>>>>>> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>
>>>>>>>>
>>>>>>>>> - Launch on stable on M110.
>>>>>>>>> (~ Feb '23, so >12 weeks out from today)
>>>>>>>>>
>>>>>>>>> ------------------------
>>>>>>>>>
>>>>>>>>> Contact emails
>>>>>>>>> v...@chromium.org, vogelh...@chromium.org
>>>>>>>>>
>>>>>>>>> Specification
>>>>>>>>> Explainer: https://github.com/mikewest/deprecating-document-domain
>>>>>>>>> HTML Spec draft: https://github.com/whatwg/html/compare/main...otherdaniel:dd
>>>>>>>>>
>>>>>>>>> API spec
>>>>>>>>> Yes
>>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>>
>>>>>>>>> This is a follow-on to the Intent to Ship: Origin Isolation By
>>>>>>>>> Default / Deprecate document.domain
>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>>>>>>>> We'd like to ship this in M110, stable.
>>>>>>>>>
>>>>>>>>> Summary (of the underlying change)
>>>>>>>>>
>>>>>>>>> Change the default behavior of the Origin-Agent-Cluster: header /
>>>>>>>>> document.domain settability.
>>>>>>>>>
>>>>>>>>> Presently, pages within Chromium have site-keyed agent clusters by
>>>>>>>>> default, unless the Origin-Agent-Cluster: header is explicitly set to
>>>>>>>>> true. This accommodates pages or frames which want to access each
>>>>>>>>> other's state, despite being on different origins (but within a site).
>>>>>>>>> This is fine for any pages that wish to do so, but because a page
>>>>>>>>> *might* set document.domain later on, Chromium currently must use
>>>>>>>>> site-keyed agent clusters for *all* pages by default even though the
>>>>>>>>> overwhelming majority of pages do not ever make use of this
>>>>>>>>> (mis-)feature. In turn, this requires Chromium to use sites as the
>>>>>>>>> basis for renderer process isolation (via Site Isolation), which
>>>>>>>>> exposes origins to same-site but cross-origin attacks involving
>>>>>>>>> compromised renderer processes or the "Spectre" family of
>>>>>>>>> side-channel attacks.
>>>>>>>>>
>>>>>>>>> This proposal changes the default behaviour of Origin-Agent-Cluster.
>>>>>>>>> From a developer's point of view, the new default matches
>>>>>>>>> "Origin-Agent-Cluster: ?1". The initial implementation will use
>>>>>>>>> origin-keyed agent clusters for all (non-opted out) origins, without
>>>>>>>>> changing how many processes Chromium creates. Over time, we can then
>>>>>>>>> adapt Chromium's isolation strategy towards origin-keyed processes
>>>>>>>>> without further affecting web-visible behaviour.
>>>>>>>>>
>>>>>>>>> The developer-visible aspect of this is that for pages with
>>>>>>>>> origin-keyed agent clusters, document.domain is no longer settable.
>>>>>>>>> Thus, we have marked this intent as a deprecation.
>>>>>>>>>
>>>>>>>>> Note that this proposal is about the default. Both modes -
>>>>>>>>> site-keyed or origin-keyed agent clusters - remain available to any
>>>>>>>>> site, but origin-keyed agent clusters change from opt-in to opt-out.
>>>>>>>>> The current behaviour remains available by setting
>>>>>>>>> "Origin-Agent-Cluster: ?0".
>>>>>>>>>
>>>>>>>>> Blink component
>>>>>>>>> Blink>SecurityFeature
>>>>>>>>>
>>>>>>>>> TAG review
>>>>>>>>> https://github.com/w3ctag/design-reviews/issues/564
>>>>>>>>>
>>>>>>>>> Risks: Interoperability and Compatibility
>>>>>>>>>
>>>>>>>>> There are compatibility risks, which we have reduced with outreach
>>>>>>>>> and warnings, and we want to mitigate further by launching at 50% of
>>>>>>>>> beta first. An extended discussion of the risk (including attempts at
>>>>>>>>> quantitative assessment) can be found in the original intent to ship
>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>>>>>>>>
>>>>>>>>> Gecko: Standards position request
>>>>>>>>> <https://github.com/mozilla/standards-positions/issues/601>.
>>>>>>>>> ("Worth prototyping")
>>>>>>>>>
>>>>>>>>> WebKit:
>>>>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html
>>>>>>>>> (No signals.)
>>>>>>>>>
>>>>>>>>> Web developers: No signals.
>>>>>>>>>
>>>>>>>>> Activation - Deprecation plan
>>>>>>>>> M109: Enable "Origin Agent Cluster by Default" for 50% of page
>>>>>>>>> loads on beta, dev, and canary.
>>>>>>>>>
>>>>>>>>> M110: Enable "Origin Agent Cluster by Default" on stable.
>>>>>>>>>
>>>>>>>>> Security
>>>>>>>>> This change should be security-positive, since setting
>>>>>>>>> document.domain will not have any impact on the origin of the
>>>>>>>>> document any more.
>>>>>>>>>
>>>>>>>>> Debuggability
>>>>>>>>> A deprecation warning has been added to DevTools console and to the
>>>>>>>>> issues panel in M98. This warning will file a deprecation report as
>>>>>>>>> well using the Reporting API, if so configured.
>>>>>>>>>
>>>>>>>>> Will this feature be supported on all six Blink platforms
>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>> Yes
>>>>>>>>>
>>>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>>>>>>>>> This is covered by Origin-keyed Agent Cluster tests
>>>>>>>>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.
>>>>>>>>>
>>>>>>>>> Tracking bug
>>>>>>>>> https://crbug.com/1139851
>>>>>>>>>
>>>>>>>>> Launch bug
>>>>>>>>> https://crbug.com/1246823
>>>>>>>>>
>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>> https://chromestatus.com/feature/5428079583297536
>>>>>>>>> (document.domain setter deprecation)
>>>>>>>>> https://chromestatus.com/features/5683766104162304 (Origin-keyed
>>>>>>>>> agent clusters)
>>>>>>>>> --
>>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>>> Groups "blink-dev" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>> send an email to blink-dev+unsubscr...@chromium.org.
>>>>>>>>> To view this discussion on the web visit
>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com.
>>
>> --
>> Eiji Kitamura / えーじ | Developer Advocate | @agektmr
>> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya
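
An added example, not part of the thread and not Chromium code: a Node.js sketch of which agent-cluster keying a response's `Origin-Agent-Cluster` header requests under the old and new defaults described in the intent, used to flag pages whose `document.domain` settability changes when the default flips. The function names, sample URLs and the simplified header parsing (any value that is not a structured-field boolean is treated as if the header were absent) are assumptions.

```javascript
// Added example (not Chromium code). It models only what the response header
// *requests*; the browser's final keying decision can depend on factors that
// are not modelled here.

// Simplified structured-field boolean parse: "?1" or "?0", optional parameters.
// Assumption: any other value is ignored, as if the header were absent.
function parseOacHeader(value) {
  if (value === undefined || value === null) return null;
  const m = /^\?([01])(?:;.*)?$/.exec(String(value).trim());
  return m ? m[1] === '1' : null;
}

// defaultOriginKeyed: false models the old default, true the new default.
function requestedKeying(headerValue, defaultOriginKeyed) {
  const parsed = parseOacHeader(headerValue);
  const originKeyed = parsed === null ? defaultOriginKeyed : parsed;
  return {
    keying: originKeyed ? 'origin-keyed' : 'site-keyed',
    explicit: parsed !== null,
    // Per the intent: with origin-keyed clusters document.domain is not settable.
    documentDomainSettable: !originKeyed,
  };
}

// Return the URLs where document.domain is settable under the old default
// but no longer settable under the new one.
function findAffected(responses) {
  return responses
    .filter((r) => requestedKeying(r.header, false).documentDomainSettable &&
                   !requestedKeying(r.header, true).documentDomainSettable)
    .map((r) => r.url);
}

// Constructed sample data with hypothetical URLs.
const SAMPLE = [
  { url: 'https://a.example/', header: undefined }, // no header: follows default
  { url: 'https://b.example/', header: '?0' },      // explicit opt-out
  { url: 'https://c.example/', header: '?1' },      // explicit opt-in
  { url: 'https://d.example/', header: 'false' },   // not a boolean: ignored
  { url: 'https://e.example/', header: ' ?0 ' },    // opt-out, stray whitespace
];

console.log(findAffected(SAMPLE));
```

The `false` case is the one worth checking in a real audit: a site that meant to opt out but did not send the literal `?0` still follows the new default.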