Thanks for the update Daniel. Still LGTM. Good luck! On Fri, May 26, 2023 at 10:25 AM Daniel Vogelheim <vogelh...@google.com> wrote:
> Hello all, it's been a while... The bug reports should now be resolved, > and we'd like to have another go at this in the M115 milestone. That is: > Remain at 50% on beta; starting with 115 ramp up on stable to 1% / 10% / > 50% / 100%, every 14d. Let's hope it sticks this time. > > Daniel > > On Fri, Mar 31, 2023 at 3:54 PM Daniel Vogelheim <vogelh...@google.com> > wrote: > >> Hello all, I'm afraid I have to delay this a bit more. :( >> >> We have a bug report (tracked in crbug.com/1429587) that breaks existing >> apps. The important thing here is that it does not break document.domain >> setting and subsequent cross-origin access, but that instead -- if the >> conditions are just right; or arguably just wrong -- the app can get into a >> state where same-origin accesses are mistakenly blocked. Apparently an app >> can get into a state where frames within the same page are inconsistently >> assigned to agent clusters (i.e., frames in the same origin end up in >> different processes), and thus subsequent accesses within that origin may >> fail. >> >> My plan right now is to leave this on at 50% beta, but to not proceed to >> any stable releases at any percentage. I'll update this thread when I have >> a better handle on the bug and can suggest a good way to proceed. >> >> On Fri, Jan 20, 2023 at 5:12 PM Eiji Kitamura <agek...@google.com> wrote: >> >>> FYI, the enterprise bit has been added to the article. >>> https://developer.chrome.com/blog/immutable-document-domain/ >>> >>> On Tue, Jan 17, 2023 at 1:21 AM Brandon Heenan <bhee...@google.com> >>> wrote: >>> >>>> We'll make the update in the enterprise release notes too. Thanks for >>>> keeping us in the loop >>>> >>>> On Mon, Jan 16, 2023 at 9:46 AM Rick Byers <rby...@chromium.org> wrote: >>>> >>>>> Thanks so much Eiji! >>>>> >>>>> On Mon, Jan 16, 2023 at 3:06 AM Eiji Kitamura <agek...@google.com> >>>>> wrote: >>>>> >>>>>> I've updated the blog post >>>>>> <https://developer.chrome.com/blog/immutable-document-domain/> stating >>>>>> Chrome 111 is where we ship the feature, but looks like it's rolling out >>>>>> through 111 and 112? >>>>>> I'll update the blog post to mention >>>>>> `OriginAgentClusterDefaultEnabled` enterprise policy. >>>>>> >>>>>> >>>>>> On Sat, Jan 14, 2023 at 1:37 AM Rick Byers <rby...@chromium.org> >>>>>> wrote: >>>>>> >>>>>>> Thanks for the update Daniel, good luck! >>>>>>> >>>>>>> In case others, like me, have missed or forgotten the long history >>>>>>> of this difficult deprecation and what it means for web developers, >>>>>>> this blog >>>>>>> post is a good summary >>>>>>> <https://developer.chrome.com/blog/immutable-document-domain/>. One >>>>>>> critical thing it doesn't mention, but probably should, is that the >>>>>>> OriginAgentClusterDefaultEnabled >>>>>>> enterprise policy >>>>>>> <https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled> >>>>>>> can also be used to revert the default on managed devices (though it >>>>>>> looks >>>>>>> like the launching milestone needs to be updated there too). >>>>>>> >>>>>>> Rick >>>>>>> >>>>>>> On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim' via blink-dev < >>>>>>> blink-dev@chromium.org> wrote: >>>>>>> >>>>>>>> Hello all, >>>>>>>> >>>>>>>> We've now handled the bugs we've discovered, and I would like to >>>>>>>> make another attempt at launching. I'll follow the plan that was >>>>>>>> approved >>>>>>>> here, but two milestones later: Launch to 50% beta in M111 (or late >>>>>>>> M110, >>>>>>>> if I can still catch a bit of that release cycle), and then ramp on >>>>>>>> stable >>>>>>>> once M112 is out. >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim < >>>>>>>> vogelh...@google.com> wrote: >>>>>>>> >>>>>>>>> Hello all, >>>>>>>>> >>>>>>>>> An update: Unfortunately we have discovered a bug with this >>>>>>>>> feature, just as I was getting ready to enable it. The bug also >>>>>>>>> affects >>>>>>>>> pages that have not even set document.domain. Since I have now missed >>>>>>>>> a >>>>>>>>> substantial portion of the 109 beta cycle I'd like to delay the roll >>>>>>>>> out >>>>>>>>> once more, and shift it by one milestone (or two; depending on when >>>>>>>>> everything is fixed). >>>>>>>>> >>>>>>>>> On the positive side: Recently the last of the previously >>>>>>>>> identified big document.domain users, that together accounted for >>>>>>>>> about 50% >>>>>>>>> of remaining usage, has dropped their usage. So current usage is >>>>>>>>> lower than >>>>>>>>> previously reported. See the usage dip around late November at >>>>>>>>> deprecate.it (1st graph). >>>>>>>>> >>>>>>>>> On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor < >>>>>>>>> miketa...@chromium.org> wrote: >>>>>>>>> >>>>>>>>>> LGTM3 >>>>>>>>>> >>>>>>>>>> On 11/10/22 11:18 AM, Chris Harrelson wrote: >>>>>>>>>> >>>>>>>>>> LGTM2 >>>>>>>>>> >>>>>>>>>> On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 >>>>>>>>>>> or M109, and carefully roll this out for M110, once it hits stable. >>>>>>>>>>> >>>>>>>>>>> On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim < >>>>>>>>>>> vogelh...@google.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor < >>>>>>>>>>>> miketa...@chromium.org> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hello all, >>>>>>>>>>>>> >>>>>>>>>>>>> The approval for the Intent To Ship for Origin Isolation By >>>>>>>>>>>>> Default / Deprecate document.domain >>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> >>>>>>>>>>>>> asks for a separate intent for the actual default change >>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>. >>>>>>>>>>>>> This is that separate intent. >>>>>>>>>>>>> >>>>>>>>>>>>> A summary of what happened so far: >>>>>>>>>>>>> >>>>>>>>>>>>> - Shipping Origin Isolation by Default (and thereby >>>>>>>>>>>>> deprecating document.domain) has security benefits, but >>>>>>>>>>>>> compatibility risk. >>>>>>>>>>>>> >>>>>>>>>>>>> - We added warnings to the developer console and issues panel, >>>>>>>>>>>>> published a blog post, and engaged in direct outreach. This has >>>>>>>>>>>>> resulted in >>>>>>>>>>>>> substantial, measurable reduction of usage. Some sites keep using >>>>>>>>>>>>> document.domain, but have mitigated the deprecation with other >>>>>>>>>>>>> means. This >>>>>>>>>>>>> makes the risk difficult to measure. >>>>>>>>>>>>> >>>>>>>>>>>>> - Sampling of sites with document.domain usage and manual >>>>>>>>>>>>> inspection yields a potential breakage estimate at ~0.015% of >>>>>>>>>>>>> page views. >>>>>>>>>>>>> >>>>>>>>>>>>> What we're asking for here is: >>>>>>>>>>>>> >>>>>>>>>>>>> - Enable the feature at 50% for beta (+ dev + canary) during >>>>>>>>>>>>> M109, as a "last call" for web site authors. >>>>>>>>>>>>> >>>>>>>>>>>>> This sounds like a good idea. Is there any reason we couldn't >>>>>>>>>>>>> go to 50% in M108 as well (or are you trying to avoid breakage >>>>>>>>>>>>> over the >>>>>>>>>>>>> winter holidays)? >>>>>>>>>>>>> >>>>>>>>>>>> No reason. I'd be happy to go to beta as soon as I receive the >>>>>>>>>>>> lgtms. I had conservatively budgeted that to be 109. :-) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> Another question: do we have enterprise policies available for >>>>>>>>>>>>> this change? >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Yes; the policy is here: OriginAgentClusterDefaultEnabled >>>>>>>>>>>> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from >>>>>>>>>>>>> today) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ------------------------ >>>>>>>>>>>>> >>>>>>>>>>>>> Contact emails v...@chromium.org, vogelh...@chromium.org >>>>>>>>>>>>> Specification Explainer: >>>>>>>>>>>>> https://github.com/mikewest/deprecating-document-domain HTML >>>>>>>>>>>>> Spec draft: >>>>>>>>>>>>> https://github.com/whatwg/html/compare/main...otherdaniel:dd >>>>>>>>>>>>> API spec Yes >>>>>>>>>>>>> Summary >>>>>>>>>>>>> >>>>>>>>>>>>> This is a follow-on to the Intent to Ship: Origin Isolation >>>>>>>>>>>>> By Default / Deprecate document.domain >>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. >>>>>>>>>>>>> We'd >>>>>>>>>>>>> like to ship this in M110, stable. >>>>>>>>>>>>> >>>>>>>>>>>>> Summary (of the underlying change) Change the default >>>>>>>>>>>>> behavior of the Origin-Agent-Cluster: header / document.domain >>>>>>>>>>>>> settability. >>>>>>>>>>>>> Presently, pages within Chromium have site-keyed agent >>>>>>>>>>>>> clusters by default, unless the Origin-Agent-Cluster: header is >>>>>>>>>>>>> explicitly >>>>>>>>>>>>> set to true. This accommodates pages or frames which want to >>>>>>>>>>>>> access each >>>>>>>>>>>>> other's state, despite being on different origins (but within a >>>>>>>>>>>>> site). This >>>>>>>>>>>>> is fine for any pages that wish to do so, but because a page >>>>>>>>>>>>> *might* set >>>>>>>>>>>>> document.domain later on, Chromium currently must use site-keyed >>>>>>>>>>>>> agent >>>>>>>>>>>>> clusters for *all* pages by default even though the overwhelming >>>>>>>>>>>>> majority >>>>>>>>>>>>> of pages do not ever make use of this (mis-)feature. In turn, >>>>>>>>>>>>> this requires >>>>>>>>>>>>> Chromium to use sites as the basis for renderer process isolation >>>>>>>>>>>>> (via Site >>>>>>>>>>>>> Isolation), which exposes origins to same-site but cross-origin >>>>>>>>>>>>> attacks >>>>>>>>>>>>> involving compromised renderer processes or the "Spectre" family >>>>>>>>>>>>> of >>>>>>>>>>>>> side-channel attacks. >>>>>>>>>>>>> This proposal changes the default behaviour of >>>>>>>>>>>>> Origin-Agent-Cluster. From a developer's point of view, the new >>>>>>>>>>>>> default >>>>>>>>>>>>> matches "Origin-Agent-Cluster: ?1". The initial implementation >>>>>>>>>>>>> will use >>>>>>>>>>>>> origin-keyed agent clusters for all (non-opted out) origins, >>>>>>>>>>>>> without >>>>>>>>>>>>> changing how many processes Chromium creates. Over time, we can >>>>>>>>>>>>> then adapt >>>>>>>>>>>>> Chromium's isolation strategy towards origin-keyed processes >>>>>>>>>>>>> without >>>>>>>>>>>>> further affecting web-visible behaviour. >>>>>>>>>>>>> The developer-visible aspect of this is that for pages with >>>>>>>>>>>>> origin-keyed agent clusters, document.domain is no longer >>>>>>>>>>>>> settable. Thus, >>>>>>>>>>>>> we have marked this intent as a deprecation. >>>>>>>>>>>>> Note that this proposal is about the default. Both modes - >>>>>>>>>>>>> site-keyed or origin-keyed agent clusters - remain available to >>>>>>>>>>>>> any site, >>>>>>>>>>>>> but origin-keyed agent clusters change from opt-in to opt-out. >>>>>>>>>>>>> The current >>>>>>>>>>>>> behaviour remains available by setting "Origin-Agent-Cluster: ?0". >>>>>>>>>>>>> Blink component Blink>SecurityFeature >>>>>>>>>>>>> TAG review https://github.com/w3ctag/design-reviews/issues/564 >>>>>>>>>>>>> Risks: Interoperability and Compatibility >>>>>>>>>>>>> >>>>>>>>>>>>> There are compatibility risks, which we have reduced with >>>>>>>>>>>>> outreach and warnings, and we want to mitigate further by >>>>>>>>>>>>> launching at 50% >>>>>>>>>>>>> of beta first. An extended discussion of the risk (including >>>>>>>>>>>>> attempts at >>>>>>>>>>>>> quantitative assessment) can be found in the original intent >>>>>>>>>>>>> to ship >>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> >>>>>>>>>>>>> . >>>>>>>>>>>>> >>>>>>>>>>>>> Gecko: Standards position request >>>>>>>>>>>>> <https://github.com/mozilla/standards-positions/issues/601>. >>>>>>>>>>>>> ("Worth prototyping") >>>>>>>>>>>>> >>>>>>>>>>>>> WebKit: >>>>>>>>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html >>>>>>>>>>>>> (No signals.) >>>>>>>>>>>>> >>>>>>>>>>>>> Web developers: No signals. >>>>>>>>>>>>> >>>>>>>>>>>>> Activation - Deprecation plan >>>>>>>>>>>>> M109: Enable "Origin Agent Cluster by Default" for 50% of page >>>>>>>>>>>>> loads on beta, dev, and canary. >>>>>>>>>>>>> >>>>>>>>>>>>> M110: Enable "Origin Agent Cluster by Default" on stable. >>>>>>>>>>>>> Security This change should be security-positive, since >>>>>>>>>>>>> setting document.domain will not have any impact on the origin of >>>>>>>>>>>>> the >>>>>>>>>>>>> document any more. >>>>>>>>>>>>> Debuggability A deprecation warning has been added to >>>>>>>>>>>>> DevTools console and to the issues panel in M98. This warning >>>>>>>>>>>>> will file a >>>>>>>>>>>>> deprecation report as well using the Reporting API, if so >>>>>>>>>>>>> configured. >>>>>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>>>>>>> Yes >>>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>>> ? This is covered by Origin-keyed Agent Cluster tests >>>>>>>>>>>>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/> >>>>>>>>>>>>> . >>>>>>>>>>>>> Tracking bug https://crbug.com/1139851 >>>>>>>>>>>>> Launch bug https://crbug.com/1246823 >>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>> https://chromestatus.com/feature/5428079583297536 >>>>>>>>>>>>> (document.domain setter deprecation) >>>>>>>>>>>>> https://chromestatus.com/features/5683766104162304 >>>>>>>>>>>>> (Origin-keyed agent clusters) >>>>>>>>>>>>> -- >>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>>>> it, send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com >>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>> . >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>> it, send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com >>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Eiji Kitamura / えーじ | Developer Advocate | @agektmr >>>>>> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya >>>>>> >>>>> >>> >>> -- >>> Eiji Kitamura / えーじ | Developer Advocate | @agektmr >>> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY9gCQvrY6Rx6r_FG33RnnkDHHAkzRctJPNbtgbrRxG%2BsA%40mail.gmail.com.