Hello all, I'm afraid I have to delay this a bit more. :(
We have a bug report (tracked in crbug.com/1429587
<https://crbug.com/1429587>) that breaks existing apps. The important
thing here is that it does not break document.domain setting and
subsequent cross-origin access, but that instead -- if the
conditions are just right; or arguably just wrong -- the app can get
into a state where same-origin accesses are mistakenly blocked.
Apparently an app can get into a state where frames within the same
page are inconsistently assigned to agent clusters (i.e., frames in
the same origin end up in different processes), and thus subsequent
accesses within that origin may fail.
My plan right now is to leave this on at 50% beta, but to not proceed
to any stable releases at any percentage. I'll update this thread when
I have a better handle on the bug and can suggest a good way to proceed.
On Fri, Jan 20, 2023 at 5:12 PM Eiji Kitamura <agek...@google.com> wrote:
FYI, the enterprise bit has been added to the article.
https://developer.chrome.com/blog/immutable-document-domain/
On Tue, Jan 17, 2023 at 1:21 AM Brandon Heenan
<bhee...@google.com> wrote:
We'll make the update in the enterprise release notes too.
Thanks for keeping us in the loop
On Mon, Jan 16, 2023 at 9:46 AM Rick Byers
<rby...@chromium.org> wrote:
Thanks so much Eiji!
On Mon, Jan 16, 2023 at 3:06 AM Eiji Kitamura
<agek...@google.com> wrote:
I've updated the blog post
<https://developer.chrome.com/blog/immutable-document-domain/>
stating
Chrome 111 is where we ship the feature, but looks
like it's rolling out through 111 and 112?
I'll update the blog post to mention
`OriginAgentClusterDefaultEnabled` enterprise policy.
On Sat, Jan 14, 2023 at 1:37 AM Rick Byers
<rby...@chromium.org> wrote:
Thanks for the update Daniel, good luck!
In case others, like me, have missed or forgotten
the long history of this difficult deprecation and
what it means for web developers, this blog post
is a good summary
<https://developer.chrome.com/blog/immutable-document-domain/>.
One critical thing it doesn't mention, but
probably should, is that the
OriginAgentClusterDefaultEnabled enterprise policy
<https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled>
can also be used to revert the default on managed
devices (though it looks like the launching
milestone needs to be updated there too).
Rick
On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim'
via blink-dev <blink-dev@chromium.org> wrote:
Hello all,
We've now handled the bugs we've discovered,
and I would like to make another attempt at
launching. I'll follow the plan that was
approved here, but two milestones later:
Launch to 50% beta in M111 (or late M110, if I
can still catch a bit of that release cycle),
and then ramp on stable once M112 is out.
On Wed, Dec 14, 2022 at 6:36 PM Daniel
Vogelheim <vogelh...@google.com> wrote:
Hello all,
An update: Unfortunately we have
discovered a bug with this feature, just
as I was getting ready to enable it. The
bug also affects pages that have not even
set document.domain. Since I have now
missed a substantial portion of the 109
beta cycle I'd like to delay the roll out
once more, and shift it by one milestone
(or two; depending on when everything is
fixed).
On the positive side: Recently the last of
the previously identified
big document.domain users, that together
accounted for about 50% of remaining
usage, has dropped their usage. So current
usage is lower than previously reported.
See the usage dip around late November at
deprecate.it <https://deprecate.it/> (1st
graph).
On Thu, Nov 10, 2022 at 5:42 PM Mike
Taylor <miketa...@chromium.org> wrote:
LGTM3
On 11/10/22 11:18 AM, Chris Harrelson
wrote:
LGTM2
On Thu, Nov 10, 2022, 4:19 AM Yoav
Weiss <yoavwe...@chromium.org> wrote:
LGTM1 to roll this out to 50% of
Beta/Dev/Canary for either M108
or M109, and carefully roll this
out for M110, once it hits stable.
On Wed, Nov 9, 2022 at 7:05 PM
Daniel Vogelheim
<vogelh...@google.com> wrote:
On Wed, Nov 9, 2022 at 6:10
PM Mike Taylor
<miketa...@chromium.org> wrote:
On 10/27/22 11:49 PM,
'Daniel Vogelheim' via
blink-dev wrote:
Hello all,
The approval for the
Intent To Ship for
Origin Isolation By
Default / Deprecate
document.domain
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>asks
for a separate intent
for the actual default
change
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>.
This is that separate
intent.
A summary of what
happened so far:
- Shipping Origin
Isolation by Default
(and thereby deprecating
document.domain) has
security benefits, but
compatibility risk.
- We added warnings to
the developer console
and issues panel,
published a blog post,
and engaged in direct
outreach. This has
resulted in substantial,
measurable reduction of
usage. Some sites keep
using document.domain,
but have mitigated the
deprecation with other
means. This makes the
risk difficult to measure.
- Sampling of sites with
document.domain usage
and manual inspection
yields a potential
breakage estimate at
~0.015% of page views.
What we're asking for
here is:
- Enable the feature at
50% for beta (+ dev +
canary) during M109, as
a "last call" for web
site authors.
This sounds like a good
idea. Is there any reason
we couldn't go to 50% in
M108 as well (or are you
trying to avoid breakage
over the winter holidays)?
No reason. I'd be happy to go
to beta as soon as I receive
the lgtms. I had
conservatively budgeted that
to be 109. :-)
Another question: do we
have enterprise policies
available for this change?
Yes; the policy is here:
OriginAgentClusterDefaultEnabled
<https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>
- Launch on stable on
M110. (~ Feb '23, so >12
weeks out from today)
------------------------
Contact emails
v...@chromium.org,
vogelh...@chromium.org
Specification
Explainer:https://github.com/mikewest/deprecating-document-domain
<https://github.com/mikewest/deprecating-document-domain>
HTML Spec
draft:https://github.com/whatwg/html/compare/main...otherdaniel:dd
<https://github.com/whatwg/html/compare/main...otherdaniel:dd>
API spec
Yes
Summary
This is a follow-on to
the Intent to Ship:
Origin Isolation By
Default / Deprecate
document.domain
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. We'd
like to ship this in
M110, stable.
Summary (of the
underlying change)
Change the
default behavior
of the
Origin-Agent-Cluster:
header /
document.domain
settability.
Presently, pages
within Chromium
have site-keyed
agent clusters
by default,
unless the
Origin-Agent-Cluster:
header is
explicitly set
to true. This
accommodates
pages or frames
which want to
access each
other's state,
despite being on
different
origins (but
within a site).
This is fine for
any pages that
wish to do so,
but because a
page *might* set
document.domain
later on,
Chromium
currently must
use site-keyed
agent clusters
for *all* pages
by default even
though the
overwhelming
majority of
pages do not
ever make use of
this
(mis-)feature.
In turn, this
requires
Chromium to use
sites as the
basis for
renderer process
isolation (via
Site Isolation),
which exposes
origins to
same-site but
cross-origin
attacks
involving
compromised
renderer
processes or the
"Spectre" family
of side-channel
attacks.
This proposal
changes the
default
behaviour of
Origin-Agent-Cluster.
From a
developer's
point of view,
the new default
matches
"Origin-Agent-Cluster:
?1". The initial
implementation
will use
origin-keyed
agent clusters
for all
(non-opted out)
origins, without
changing how
many processes
Chromium
creates. Over
time, we can
then adapt
Chromium's
isolation
strategy towards
origin-keyed
processes
without further
affecting
web-visible
behaviour.
The
developer-visible
aspect of this
is that for
pages with
origin-keyed
agent clusters,
document.domain
is no longer
settable. Thus,
we have marked
this intent as a
deprecation.
Note that this
proposal is
about the
default. Both
modes -
site-keyed or
origin-keyed
agent clusters -
remain available
to any site, but
origin-keyed
agent clusters
change from
opt-in to
opt-out. The
current
behaviour
remains
available by
setting
"Origin-Agent-Cluster:
?0".
Blink component
Blink>SecurityFeature
TAG review
https://github.com/w3ctag/design-reviews/issues/564
<https://github.com/w3ctag/design-reviews/issues/564>
Risks:
Interoperability
and Compatibility
There are compatibility
risks, which we have
reduced with outreach
and warnings, and we
want to mitigate further
by launching at 50% of
beta first. An extended
discussion of the risk
(including attempts at
quantitative assessment)
can be found in the
original intent to ship
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
Gecko:Standards position
request
<https://github.com/mozilla/standards-positions/issues/601>.
("Worth prototyping")
WebKit:https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html
<https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html>(No
signals.)
Web developers: No signals.
Activation - Deprecation
plan
M109: Enable
"Origin Agent
Cluster by
Default" for 50%
of page loads on
beta, dev, and
canary.
M110: Enable "Origin
Agent Cluster by
Default" on stable.
Security
This change
should be
security-positive,
since setting
document.domain
will not have
any impact on
the origin of
the document any
more.
Debuggability
A deprecation
warning has been
added to
DevTools console
and to the
issues panel in
M98. This
warning will
file a
deprecation
report as well
using the
Reporting API,
if so configured.
Will this
feature be
supported on all
six Blink
platforms
(Windows, Mac,
Linux, Chrome
OS, Android, and
Android WebView)?
Yes
Is this feature
fully tested
byweb-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
This is covered
by Origin-keyed
Agent Cluster
tests
<https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.
Tracking bug
https://crbug.com/1139851
<https://crbug.com/1139851>
Launch bug
https://crbug.com/1246823
<https://crbug.com/1246823>
Link to entry on
the Chrome
Platform Status
https://chromestatus.com/feature/5428079583297536
<https://chromestatus.com/feature/5428079583297536>(document.domain
setter deprecation)
https://chromestatus.com/features/5683766104162304
<https://chromestatus.com/features/5683766104162304>(Origin-keyed
agent clusters)
--
You received this
message because you are
subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this
group and stop receiving
emails from it, send an
email to
blink-dev+unsubscr...@chromium.org.
To view this discussion
on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because
you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group
and stop receiving emails from
it, send an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the
web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are
subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop
receiving emails from it, send an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
Eiji Kitamura / えーじ | Developer Advocate |@agektmr
<https://twitter.com/agektmr> | Office Location: Tokyo
Shibuya
--
Eiji Kitamura / えーじ | Developer Advocate |@agektmr
<https://twitter.com/agektmr> | Office Location: Tokyo Shibuya