It's possible that we need to wait for the next HA run to get actual examples. +Rick Viscomi <[email protected]> would know.

On Mon, Mar 13, 2023 at 12:28 AM Kenichi Ishibashi <[email protected]> wrote:

> Thank you Yoav for the suggestion. I couldn't find sample URLs from the
> HTTPArchive data (feature usage
> <https://chromestatus.com/metrics/feature/timeline/popularity/4470>).
> I'll add a feature flag to prepare for reverting this change if breakage is
> problematic.
>
> On Fri, Mar 10, 2023 at 7:06 PM Yoav Weiss <[email protected]> wrote:
>
>> One option to tighten the potential for breakage would be to e.g. sample
>> 10 URLs that are hitting that usecounter (e.g. from the HTTPArchive data),
>> and test them manually to see how many of them would break once this change
>> is applied. Based on the number you'd get, we can estimate the magnitude of
>> breakage we can expect to see in the wild.
>> Another option would be to roll this out with a base feature flag (that
>> we'd want anyway) and be ready to revert if breakage is more than we'd like.
>>
>> Combining those two options is probably safest.
>>
>> On Fri, Mar 10, 2023 at 8:51 AM Kenichi Ishibashi <[email protected]>
>> wrote:
>>
>>> Use counter reports 0.022%. My guess is that most usage happens
>>> accidentally but we are not sure.
>>>
>>> API owners, should we do a reverse OT?
>>>
>>> On Fri, Feb 17, 2023 at 9:38 AM Kenichi Ishibashi <[email protected]>
>>> wrote:
>>>
>>>> Quick update, we added a use counter to see how often this
>>>> could happen. I'll get back once we have data.
>>>>
>>>>
>>>> On Wed, Feb 8, 2023 at 11:51 PM Yoav Weiss <[email protected]>
>>>> wrote:
>>>>
>>>>> Any use counters on how often this happens?
>>>>>
>>>>> On Thursday, February 2, 2023 at 8:58:35 AM UTC+1 Kenichi Ishibashi
>>>>> wrote:
>>>>>
>>>>> Contact [email protected]
>>>>>
>>>>> Specification https://fetch.spec.whatwg.org/#http-redirect-fetch
>>>>>
>>>>> Summary
>>>>>
>>>>> Remove Authorization header on cross origin redirects to scope a
>>>>> developer-controlled Authorization header to the origin of the initial
>>>>> request.
>>>>>
>>>>> Blink component Blink>Loader
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ELoader>
>>>>>
>>>>> TAG review
>>>>> Not applicable, the spec has been already updated.
>>>>> https://github.com/whatwg/fetch/pull/1544
>>>>>
>>>>> TAG review status Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> Low. All browser vendors agreed with this change.
>>>>>
>>>>> *Gecko*: Shipping
>>>>> (https://bugzilla.mozilla.org/show_bug.cgi?id=1802086)
>>>>>
>>>>> Do we know if they ran into any compat issues when shipping this?
>>>>>
>>>> None I'm aware of. I checked the bug and related issues in GitHub but I
>>>> didn't find anything.
>>>>
>>>>
>>>>>
>>>>> *WebKit*: Shipped/Shipping
>>>>> (https://bugs.webkit.org/show_bug.cgi?id=230935) Historically Safari
>>>>> always removed Authorization headers even for the same origin
>>>>> redirects. Recently the behavior has changed to preserve them on same
>>>>> origin redirects.
>>>>>
>>>>> That's encouraging in terms of lack of potential reliance on these
>>>>> headers.
>>>>>
>>>>>
>>>>> *Web developers*: No signals
>>>>>
>>>>> *Other signals*:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> N/A
>>>>>
>>>>>
>>>>>
>>>>> Debuggability
>>>>>
>>>>> Web Developers can use DevTools network panel to see the actual
>>>>> request headers.
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>> Yes
>>>>> https://wpt.fyi/results/xhr/xhr-authorization-redirect.any.html?label=master&label=experimental
>>>>> https://wpt.fyi/results/fetch/api/credentials/authentication-redirection.any.html?label=experimental
>>>>>
>>>>> Flag name Not applicable
>>>>>
>>>>> Requires code in //chrome? False
>>>>>
>>>>> Tracking bug
>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1393520
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> M112
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> The spec has been already updated.
>>>>>
>>>>> https://github.com/whatwg/fetch/issues/944
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>> https://chromestatus.com/feature/5195900413018112
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>>

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVEck2vDTaeo%2BG0f0fJNCe2RtrM7WLJzcn9yOjbMWGMgA%40mail.gmail.com.
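
The behaviour in the intent's Summary, as an added example that is not part of the thread or of Chromium's code: it walks a redirect chain and drops `Authorization` at the first hop whose origin differs from the current URL's. `followRedirects` and the `example.test` URLs are constructed for illustration, and the header staying removed on later hops is an assumption based on the Fetch redirect step linked in the intent.

```javascript
// Added example: models Authorization handling across a redirect chain.
// followRedirects is a hypothetical helper, not a browser or Chromium API.
function followRedirects(initialUrl, headers, locations) {
  let current = new URL(initialUrl);
  // Header names are case-insensitive, so normalise them to lower case.
  const live = new Map(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value])
  );
  const hops = [{ url: current.href, authorization: live.has('authorization') }];

  for (const location of locations) {
    // A Location value may be relative; resolve it against the current URL.
    const next = new URL(location, current);
    // Origin = scheme + host + port. URL.origin omits default ports, so
    // https://host and https://host:443 compare equal, while an http -> https
    // upgrade on the same host is still a cross-origin hop.
    if (next.origin !== current.origin) {
      // Assumption (Fetch redirect step): the header is deleted from the
      // request itself, so it is not restored if a later hop returns to
      // the initial origin.
      live.delete('authorization');
    }
    current = next;
    hops.push({ url: current.href, authorization: live.has('authorization') });
  }
  return hops;
}

// Constructed sample chain: two same-origin hops, one cross-origin hop,
// then a hop back to the initial origin.
const SAMPLE_CHAIN = [
  '/v2/data',
  'https://api.example.test:443/v2/data?page=1',
  'https://cdn.example.test/blob',
  'https://api.example.test/v2/done',
];

function demo() {
  return followRedirects(
    'https://api.example.test/v1/data',
    { Authorization: 'Bearer constructed-sample-token' },
    SAMPLE_CHAIN
  );
}

for (const hop of demo()) {
  console.log(hop.authorization ? 'sent   ' : 'dropped', hop.url);
}
```

Sites that relied on the header surviving a cross-origin hop show up in such a trace as the first "dropped" line, which is the request to compare against the DevTools network panel mentioned under Debuggability.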
