Thank you Yoav for the suggestion. I couldn't find sample URLs from the HTTPArchive data (feature usage <https://chromestatus.com/metrics/feature/timeline/popularity/4470>). I'll add a feature flag to prepare for reverting this change if breakage is problematic.
On Fri, Mar 10, 2023 at 7:06 PM Yoav Weiss <[email protected]> wrote: > One option to tighten the potential for breakage would be to e.g. sample > 10 URLs that are hitting that usecounter (e.g. from the HTTPArchive data), > and test them manually to see how many of them would break once this change > is applied. Based on the number you'd get, we can estimate the magnitude of > breakage we can expect to see in the wild. > Another option would be to roll this out with a base feature flag (that > we'd want anyway) and be ready to revert if breakage is more than we'd like. > > Combining those two options is probably safest. > > On Fri, Mar 10, 2023 at 8:51 AM Kenichi Ishibashi <[email protected]> > wrote: > >> Use counter reports 0.022%. My guess is that most usage happens >> accidentally but we are not sure. >> >> API owners, should we do a reverse OT? >> >> On Fri, Feb 17, 2023 at 9:38 AM Kenichi Ishibashi <[email protected]> >> wrote: >> >>> Quick update, we added a use counter to see how often this could happen. >>> I'll get back once we have data. >>> >>> >>> On Wed, Feb 8, 2023 at 11:51 PM Yoav Weiss <[email protected]> >>> wrote: >>> >>>> Any use counters on how often this happens? >>>> >>>> On Thursday, February 2, 2023 at 8:58:35 AM UTC+1 Kenichi Ishibashi >>>> wrote: >>>> Contact [email protected] >>>> >>>> Specificationhttps://fetch.spec.whatwg.org/#http-redirect-fetch >>>> >>>> Summary >>>> >>>> Remove Authorization header on cross origin redirects to scope a >>>> developer-controlled Authorization header to the origin of the initial >>>> request. >>>> >>>> Blink componentBlink>Loader >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader> >>>> >>>> TAG review >>>> Not applicable, the spec has been already updated. >>>> https://github.com/whatwg/fetch/pull/1544 >>>> >>>> TAG review statusNot applicable >>>> >>>> Risks >>>> >>>> >>>> Interoperability and Compatibility >>>> >>>> Low. All browser vendors agreed with this change. >>>> >>>> *Gecko*: Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1802086 >>>> ) >>>> >>>> Do we know if they ran into any compat issues when shipping this? >>>> >>> None I'm aware of. I checked the bug and related issues in GitHub but I >>> didn't find anything. >>> >>> >>>> >>>> *WebKit*: Shipped/Shipping (https://bugs.webkit.org/show_ >>>> bug.cgi?id=230935) Historically Safari always removed Authorization >>>> headers even for the same origin redirects. Recently the behavior has >>>> changed to preserve them on same origin redirects. >>>> >>>> That's encouraging in terms of lack of potential reliance on these >>>> headers. >>>> >>>> >>>> *Web developers*: No signals >>>> >>>> *Other signals*: >>>> >>>> WebView application risks >>>> >>>> N/A >>>> >>>> >>>> >>>> Debuggability >>>> >>>> Web Developers can use DevTools network panel to see the actual request >>>> headers. >>>> >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, Chrome OS, Android, and Android WebView)?Yes >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ?Yes >>>> https://wpt.fyi/results/xhr/xhr-authorization-redirect. >>>> any.html?label=master&label=experimental >>>> https://wpt.fyi/results/fetch/api/credentials/ >>>> authentication-redirection.any.html?label=experimental >>>> >>>> Flag nameNot applicable >>>> >>>> Requires code in //chrome?False >>>> >>>> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id= >>>> 1393520 >>>> >>>> Estimated milestones >>>> >>>> M112 >>>> >>>> Anticipated spec changes >>>> >>>> The spec has been already updated. >>>> >>>> https://github.com/whatwg/fetch/issues/944 >>>> >>>> Link to entry on the Chrome Platform Statushttps://chromestatus.com/ >>>> feature/5195900413018112 >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://chromestatus.com/>. >>>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPLXX--BS0Xx1aipT2Nt0hGfkDbgL1qFk-mFQ65%3Dfqj38zoEjg%40mail.gmail.com.
