Hello Reilly, colleagues, I replied to #11 in the thread and made a small pull request to the explainer (directory id promise can also resolve as undefined).
For #6 I will replace 'trusted' applications with 'managed' applications tomorrow. But I'm trying to figure out what to do with the others. #1 was addressed previously. There is a section "What are trusted applications" that explains it. Is there something else I should specify? For Jeffrey's question in #2: "I think ChromeOS has decided to give the user notice when these APIs are enabled. Can you add example screenshots to the explainer, and possibly the specification, to illustrate that privacy solution?" I checked the implementation in the chromium code and I don't see any triggers for a notification. Current decision with the privacy team is that device attributes will only return valid results if called in a force installed app (including kiosk) *and* the origin is listed in DeviceAttributesAllowedForOrigins policy. These are implementation details. Should I still add them to the explainer? As an impl example section? Best, Sergii On Thu, Jul 20, 2023 at 7:56 PM Reilly Grant <reil...@chromium.org> wrote: > Sergii, thank you for adding some discussion of design alternatives in > WICG/WebApiDevice#20 <https://github.com/WICG/WebApiDevice/pull/20>. > Please also update the explainer to address the following issues: > > - WICG/WebApiDevice#1 <https://github.com/WICG/WebApiDevice/issues/1> > - WICG/WebApiDevice#2 <https://github.com/WICG/WebApiDevice/issues/2> > - WICG/WebApiDevice#6 <https://github.com/WICG/WebApiDevice/issues/6> > - WICG/WebApiDevice#11 <https://github.com/WICG/WebApiDevice/issues/11> > > WICG/WebApiDevice#11 <https://github.com/WICG/WebApiDevice/issues/11> in > particular seems to align with Mike's original question. > Reilly Grant | Software Engineer | reil...@chromium.org | Google Chrome > <https://www.google.com/chrome> > > > On Wed, Jul 5, 2023 at 9:29 AM Mike Taylor <miketa...@chromium.org> wrote: > >> On 7/4/23 5:35 AM, 'Sergii Bykov' via blink-dev wrote: >> >> Contact emails sby...@google.com >> >> Explainer >> https://github.com/Ananubis/WebApiDevice/blob/master/Explainer.md >> >> I see that getAnnotatedAssetId(), getAnnotatedLocation(), >> getDirectoryId(), and getSerialNumber() are all defined as uniquely >> identifying a device. Forgive my ignorance, but can you expand on the use >> cases for each of these unique IDs in the explainer (and why there are so >> many of them)? >> >> >> >> Specification https://wicg.github.io/WebApiDevice/device_attributes >> >> Summary >> >> Device Attributes Web API is a subset of Managed Device Web API, that >> provides web applications the capability to query device information >> (device ID, serial number, location, etc). >> >> >> Blink component Blink >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> >> >> TAG review https://github.com/w3ctag/design-reviews/issues/606 There was >> no indication of implementation support from browsers other than Chrome. >> And reviewers were concerned by the risk of pervasive monitoring of >> employees. Privacy concerns were addressed in 'Permission control' and >> 'privacy consideration' paragraphs of the spec. But TAG reviewers didn't >> endorse adding this as a general mechanism to the Web platform. >> >> TAG review status Issues addressed >> >> Risks >> >> >> Interoperability and Compatibility >> >> navigator.managed object includes managed configuration and this device >> attributes API. These APIs only work in managed applications and return an >> error in other contexts. Thus navigator.managed exposure may be reduced in >> the future to managed environments only. This will be done as a separate >> chrome feature and after an investigation with usage counters. >> >> Can you clarify what you intend to ship vs "exposure may be reduced in >> the future"? Mozilla had a good suggestion >> <https://github.com/mozilla/standards-positions/issues/815#issuecomment-1593801419>, >> but it's not clear to me if it's being incorporated or not. >> >> >> >> *Gecko*: Neutral ( >> https://github.com/mozilla/standards-positions/issues/815) Mozilla >> decided not to take a position. Also suggested to limit the exposure (see >> proposal in Interoperability and Compatibility). >> >> *WebKit*: Neutral ( >> https://github.com/WebKit/standards-positions/issues/198) Mixed signals >> from WebKit. Offering to leave it as an extension API or do not expose it >> everywhere. Exposure addressed in Interoperability and Compatibility >> >> *Web developers*: Positive (https://github.com/WICG/proposals/issues/14) >> Web developers request this API as they migrate from deprecated ChromeApps >> to PWAs >> >> *Other signals*: >> >> Ergonomics >> >> Frequently used with managed configuration. No performance risks. >> >> >> Activation >> >> No activation challenges for developers. API is straighforward to use. >> ChromeOS Admins will need to set up the force-installed or kiosk app and >> the allowlist policy correctly. >> >> >> Security >> >> Please see 'Permission control' and 'privacy consideration' paragraphs in >> the API spec. >> >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> This feature does not deprecate or change behavior of existing APIs. >> >> >> Debuggability >> >> Verified that all five new methods show up in the DevTools Console >> autocomplete functionality. >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, Chrome OS, Android, and Android WebView)? No >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? No >> >> DevTrial instructions >> https://github.com/WICG/WebApiDevice/blob/main/README.md >> >> Flag name on chrome://flags enable-restricted-web-apis >> >> Finch feature name >> >> Non-finch justification None >> >> Requires code in //chrome? False >> >> Tracking bug >> https://bugs.chromium.org/p/chromium/issues/detail?id=1132865 >> >> Launch bug https://bugs.chromium.org/p/chromium/issues/detail?id=1217848 >> >> Availability expectation Feature is available only in ChromeOS (Ash and >> Lacros) browsers for the foreseeable future. >> >> Adoption expectation Feature will be used by Web App developers for >> Kiosk and other managed apps on ChromeOS as a part of migration from >> ChromeApps to PWAs within 12 months of launch in Chrome. >> >> Adoption plan A new setting in dpanel kiosk settings will allow admins >> of managed chrome to configure 'trusted' apps access to API usage via >> existing policy 'DeviceAttributesAllowedForOrigins'. This setting will be >> enabled for trusted testers end of Q2 2023. >> >> Non-OSS dependencies >> >> Does the feature depend on any code or APIs outside the Chromium open >> source repository and its open-source dependencies to function? >> Yes. Policy for managed devices is used to control apps that can access >> this API. For example, after the launch >> navigator.managed.getAnnotatedAssetId will be defined for 'trusted' origins >> (kiosk or force-installed web app), but it will return an error if origin >> is not allowlisted in 'DeviceAttributesAllowedForOrigins' policy. >> >> Sample links >> https://github.com/WICG/WebApiDevice/blob/master/README.md >> >> Estimated milestones >> Shipping on desktop 117 >> OriginTrial desktop last 98 >> OriginTrial desktop first 93 >> OriginTrial Android last 98 >> >> Anticipated spec changes >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> Spec changes are not expected in the near future. Current spec is >> consistent with a similar extension API. >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/5694001745231872 >> >> Links to previous Intent discussions Intent to prototype: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/oYRwgx8SwTA/m/OTfKKCMZBQAJ >> Intent >> to Experiment: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/dJQgwZ_1jk0/m/eo5aXO8eAgAJ >> >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> >> -- >> >> Sergii Bykov >> >> Software Engineer >> >> sby...@google.com +49 174 2575015 <+49%20174%202575015> >> >> Google Germany GmbH >> >> Erika-Mann-Straße 33 >> >> 80636 München >> >> Geschäftsführer: Paul Manicle, Liana Sebastian >> >> Registergericht und -nummer: Hamburg, HRB 86891 >> >> Sitz der Gesellschaft: Hamburg >> >> Diese E-Mail ist vertraulich. Falls Sie diese fälschlicherweise erhalten >> haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, >> löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, >> dass die E-Mail an die falsche Person gesendet wurde. >> >> >> >> This e-mail is confidential. If you received this communication by >> mistake, please don't forward it to anyone else, please erase all copies >> and attachments, and please let me know that it has gone to the wrong >> person. >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEBayjL7AyE-m7A90NxnKbsXUtqreD7GNH5qWSy4ydSpv3_4AQ%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEBayjL7AyE-m7A90NxnKbsXUtqreD7GNH5qWSy4ydSpv3_4AQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c6761cdc-aadb-ca8a-6dae-95a4f34f0043%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c6761cdc-aadb-ca8a-6dae-95a4f34f0043%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEBayjL_vFtQRu8RWovW%2BwNsJXTR2V7f7BsJ3qNNGZe2Wvb4tw%40mail.gmail.com.
