FYI, the enterprise bit has been added to the article. https://developer.chrome.com/blog/immutable-document-domain/
On Tue, Jan 17, 2023 at 1:21 AM Brandon Heenan <bhee...@google.com> wrote:

We'll make the update in the enterprise release notes too. Thanks for keeping us in the loop.

On Mon, Jan 16, 2023 at 9:46 AM Rick Byers <rby...@chromium.org> wrote:

Thanks so much Eiji!

On Mon, Jan 16, 2023 at 3:06 AM Eiji Kitamura <agek...@google.com> wrote:

I've updated the blog post <https://developer.chrome.com/blog/immutable-document-domain/> stating Chrome 111 is where we ship the feature, but looks like it's rolling out through 111 and 112?
I'll update the blog post to mention the `OriginAgentClusterDefaultEnabled` enterprise policy.

--
Eiji Kitamura / えーじ | Developer Advocate | @agektmr <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya

On Sat, Jan 14, 2023 at 1:37 AM Rick Byers <rby...@chromium.org> wrote:

Thanks for the update, Daniel, good luck!

In case others, like me, have missed or forgotten the long history of this difficult deprecation and what it means for web developers, this blog post is a good summary <https://developer.chrome.com/blog/immutable-document-domain/>. One critical thing it doesn't mention, but probably should, is that the OriginAgentClusterDefaultEnabled enterprise policy <https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled> can also be used to revert the default on managed devices (though it looks like the launching milestone needs to be updated there too).

Rick

On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim' via blink-dev <blink-dev@chromium.org> wrote:

Hello all,

We've now handled the bugs we've discovered, and I would like to make another attempt at launching. I'll follow the plan that was approved here, but two milestones later: launch to 50% beta in M111 (or late M110, if I can still catch a bit of that release cycle), and then ramp on stable once M112 is out.

On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim <vogelh...@google.com> wrote:

Hello all,

An update: Unfortunately we have discovered a bug with this feature, just as I was getting ready to enable it. The bug also affects pages that have not even set document.domain. Since I have now missed a substantial portion of the 109 beta cycle I'd like to delay the roll out once more, and shift it by one milestone (or two, depending on when everything is fixed).

On the positive side: Recently the last of the previously identified big document.domain users, which together accounted for about 50% of remaining usage, has dropped their usage. So current usage is lower than previously reported. See the usage dip around late November at deprecate.it (1st graph).

On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor <miketa...@chromium.org> wrote:

LGTM3

On 11/10/22 11:18 AM, Chris Harrelson wrote:

LGTM2

On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> wrote:

LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 or M109, and carefully roll this out for M110, once it hits stable.

On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim <vogelh...@google.com> wrote:

> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor <miketa...@chromium.org> wrote:
>
>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
>>
>> Hello all,
>>
>> The approval for the Intent To Ship for Origin Isolation By Default / Deprecate document.domain <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> asks for a separate intent for the actual default change <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>. This is that separate intent.
>>
>> A summary of what happened so far:
>>
>> - Shipping Origin Isolation by Default (and thereby deprecating document.domain) has security benefits, but compatibility risk.
>>
>> - We added warnings to the developer console and issues panel, published a blog post, and engaged in direct outreach. This has resulted in substantial, measurable reduction of usage. Some sites keep using document.domain, but have mitigated the deprecation with other means. This makes the risk difficult to measure.
>>
>> - Sampling of sites with document.domain usage and manual inspection yields a potential breakage estimate at ~0.015% of page views.
>>
>> What we're asking for here is:
>>
>> - Enable the feature at 50% for beta (+ dev + canary) during M109, as a "last call" for web site authors.
>
> This sounds like a good idea. Is there any reason we couldn't go to 50% in M108 as well (or are you trying to avoid breakage over the winter holidays)?

No reason. I'd be happy to go to beta as soon as I receive the lgtms. I had conservatively budgeted that to be 109. :-)

> Another question: do we have enterprise policies available for this change?

Yes; the policy is here: OriginAgentClusterDefaultEnabled <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>

>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from today)
>>
>> ------------------------
>>
>> Contact emails
>> v...@chromium.org, vogelh...@chromium.org
>>
>> Specification
>> Explainer: https://github.com/mikewest/deprecating-document-domain
>> HTML Spec draft: https://github.com/whatwg/html/compare/main...otherdaniel:dd
>>
>> API spec
>> Yes
>>
>> Summary
>> This is a follow-on to the Intent to Ship: Origin Isolation By Default / Deprecate document.domain <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. We'd like to ship this in M110, stable.
>>
>> Summary (of the underlying change)
>> Change the default behavior of the Origin-Agent-Cluster: header / document.domain settability.
>>
>> Presently, pages within Chromium have site-keyed agent clusters by default, unless the Origin-Agent-Cluster: header is explicitly set to true. This accommodates pages or frames which want to access each other's state, despite being on different origins (but within a site). This is fine for any pages that wish to do so, but because a page *might* set document.domain later on, Chromium currently must use site-keyed agent clusters for *all* pages by default even though the overwhelming majority of pages do not ever make use of this (mis-)feature. In turn, this requires Chromium to use sites as the basis for renderer process isolation (via Site Isolation), which exposes origins to same-site but cross-origin attacks involving compromised renderer processes or the "Spectre" family of side-channel attacks.
>>
>> This proposal changes the default behaviour of Origin-Agent-Cluster. From a developer's point of view, the new default matches "Origin-Agent-Cluster: ?1". The initial implementation will use origin-keyed agent clusters for all (non-opted out) origins, without changing how many processes Chromium creates. Over time, we can then adapt Chromium's isolation strategy towards origin-keyed processes without further affecting web-visible behaviour.
>>
>> The developer-visible aspect of this is that for pages with origin-keyed agent clusters, document.domain is no longer settable. Thus, we have marked this intent as a deprecation.
>>
>> Note that this proposal is about the default. Both modes - site-keyed or origin-keyed agent clusters - remain available to any site, but origin-keyed agent clusters change from opt-in to opt-out. The current behaviour remains available by setting "Origin-Agent-Cluster: ?0".
>>
>> Blink component
>> Blink>SecurityFeature
>>
>> TAG review
>> https://github.com/w3ctag/design-reviews/issues/564
>>
>> Risks: Interoperability and Compatibility
>> There are compatibility risks, which we have reduced with outreach and warnings, and we want to mitigate further by launching at 50% of beta first. An extended discussion of the risk (including attempts at quantitative assessment) can be found in the original intent to ship <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>
>> Gecko: Standards position request <https://github.com/mozilla/standards-positions/issues/601>. ("Worth prototyping")
>>
>> WebKit: https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html (No signals.)
>>
>> Web developers: No signals.
>>
>> Activation - Deprecation plan
>> M109: Enable "Origin Agent Cluster by Default" for 50% of page loads on beta, dev, and canary.
>> M110: Enable "Origin Agent Cluster by Default" on stable.
>>
>> Security
>> This change should be security-positive, since setting document.domain will not have any impact on the origin of the document any more.
>>
>> Debuggability
>> A deprecation warning has been added to DevTools console and to the issues panel in M98. This warning will file a deprecation report as well using the Reporting API, if so configured.
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>> Yes
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>> This is covered by Origin-keyed Agent Cluster tests <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.
>>
>> Tracking bug
>> https://crbug.com/1139851
>>
>> Launch bug
>> https://crbug.com/1246823
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5428079583297536 (document.domain setter deprecation)
>> https://chromestatus.com/features/5683766104162304 (Origin-keyed agent clusters)
>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com
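As an added illustration of the default change described in the intent above (editor's example code, not from the blink-dev thread, from Chromium, or from the HTML spec draft): a small model of how the `Origin-Agent-Cluster` response header and the browser's default together decide the agent cluster key, whether two same-site but cross-origin frames can still share an agent cluster, and whether `document.domain` remains settable. Assumptions and simplifications are the editor's: function names are invented; the site computation keeps only the last two host labels instead of consulting the Public Suffix List; only the two structured-field booleans the thread names (`?1`, `?0`) are parsed, with anything else treated as "no preference"; and the per-browsing-context-group consistency rule that can keep an origin origin-keyed despite a later `?0` is ignored. `window.originAgentCluster` and the `SecurityError` thrown by the `document.domain` setter in an origin-keyed cluster are real platform behaviour, used only by the browser-side probe.

```javascript
// Editor's example (not from the thread or from Chromium): models agent cluster
// keying under the old default (site-keyed) and the new default (origin-keyed),
// with the Origin-Agent-Cluster header as the explicit override.

function parseOriginAgentCluster(headerValue) {
  // "?1" -> true (origin-keyed), "?0" -> false (site-keyed).
  // Absent or unparseable -> undefined, i.e. "no preference" (assumption).
  if (headerValue === undefined || headerValue === null) return undefined;
  const v = String(headerValue).trim();
  if (v === '?1') return true;
  if (v === '?0') return false;
  return undefined;
}

function siteOf(origin) {
  // Simplified "obtain a site": scheme + last two host labels. A real browser
  // uses the Public Suffix List to find the registrable domain.
  const url = new URL(origin);
  const registrable = url.hostname.split('.').slice(-2).join('.');
  return `${url.protocol}//${registrable}`;
}

function agentClusterKey(origin, headerValue, { originKeyedByDefault }) {
  const requested = parseOriginAgentCluster(headerValue);
  // An explicit header wins; otherwise the browser default applies.
  const originKeyed = requested === undefined ? originKeyedByDefault : requested;
  return {
    originKeyed,
    key: originKeyed ? new URL(origin).origin : siteOf(origin),
    // The document.domain setter throws SecurityError in an origin-keyed cluster.
    documentDomainSettable: !originKeyed,
  };
}

function sharesAgentCluster(a, b, defaults) {
  // Two documents can reach each other's state synchronously only when they
  // land in the same agent cluster: same keying mode and same key.
  const ka = agentClusterKey(a.origin, a.header, defaults);
  const kb = agentClusterKey(b.origin, b.header, defaults);
  return ka.originKeyed === kb.originKeyed && ka.key === kb.key;
}

function probeCurrentDocument() {
  // Browser-only: report what the current page actually got. Returns null
  // outside a browser so the file also loads under Node.
  if (typeof window === 'undefined' || typeof document === 'undefined') return null;
  const report = { originAgentCluster: window.originAgentCluster, setterThrew: false };
  try {
    // Re-assigning the current value is enough to trigger the SecurityError
    // when the agent cluster is origin-keyed.
    document.domain = document.domain;
  } catch (e) {
    report.setterThrew = e.name === 'SecurityError';
  }
  return report;
}

// Constructed sample input: two same-site, cross-origin frames with no header.
const frameA = { origin: 'https://app.example.com', header: undefined };
const frameB = { origin: 'https://widgets.example.com', header: undefined };
const oldDefault = { originKeyedByDefault: false }; // site-keyed unless "?1"
const newDefault = { originKeyedByDefault: true };  // origin-keyed unless "?0"

// Under the old default the frames share a site-keyed cluster; under the new
// default they do not, unless both opt out with "Origin-Agent-Cluster: ?0".
console.log('old default, no header:', sharesAgentCluster(frameA, frameB, oldDefault));
console.log('new default, no header:', sharesAgentCluster(frameA, frameB, newDefault));
console.log('new default, both ?0:  ', sharesAgentCluster(
  { ...frameA, header: '?0' }, { ...frameB, header: '?0' }, newDefault));
```

To see the real thing rather than the model, serve a page once with `Origin-Agent-Cluster: ?0` and once without, load it in a build where the new default is on, and call `probeCurrentDocument()` from the console: the opted-out page reports `originAgentCluster: false` and a settable `document.domain`, the other reports `true` and a thrown `SecurityError`.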