https://sqlite.org/releaselog/3_44_0.html

Recently, SQLite released version 3.44.0, introducing a series of 
security-related enhancements and improvements. Given the critical role of 
SQLite in Chrome's infrastructure, I would like to draw your attention to 
some security benefits associated with upgrading to this latest version:

SQLITE_DBCONFIG_DEFENSIVE Enhancement: The SQLITE_DBCONFIG_DEFENSIVE 
setting now prevents the PRAGMA writable_schema from being turned on. This 
eliminates the potential risk associated with writable_schema and enhances 
the overall defensive posture of SQLite.

Innocuous Tagging of Virtual Tables: The built-in FTS3, FTS4, FTS5, RTREE, 
and GEOPOLY virtual tables are now tagged as SQLITE_VTAB_INNOCUOUS. This 
allows their usage inside triggers in high-security deployments, ensuring 
compatibility without compromising security.

Run-time Detection of Hardware Support: SQLite now performs run-time 
detection of whether the underlying hardware supports "long double" with 
precision greater than "double." This adaptive approach ensures that 
appropriate floating-point routines are used based on the hardware 
capabilities, mitigating potential vulnerabilities.

PRAGMA case_sensitive_like Deprecation: The deprecation of the PRAGMA 
case_sensitive_like statement addresses potential issues related to 
database corruption when the schema contains LIKE operators. By 
discontinuing its use, potential security concerns are proactively 
mitigated.

Considering the security improvements and advancements outlined above, I 
would like to advocate for the careful consideration of upgrading SQLite in 
Chrome to version 3.44.0. This update not only introduces new features but 
also strengthens the security posture of the SQLite integration within the 
Chrome environment.

On Saturday, February 11, 2023 at 12:34:23 AM UTC+8 Alfonso Ochoa Legorreta 
wrote:

>
> Hi, I'm from Mexico and I have an Android app created with the Sencha 
> Touch framework, and I use WebSQL; for now everything is going great. My 
> question is, will I also be affected by these changes?
>
> On Thursday, February 9, 2023 at 10:23:14 UTC-6, Randy Lauen wrote:
>
>> Hi Ben,
>>
>> I think that's what I'll experiment with first. I was hoping someone else 
>> had traveled this road already and had some advice. My tentative plan for 
>> migrating is to copy the WebSQL data to SQLite, but keep both 
>> implementations running side by side for a while. If anything goes wrong, 
>> users could switch back to WebSQL, at least for a while. I'm at the very 
>> early stages of figuring out the new SQLite API, though, so there's a long 
>> way to go.
>>
>> I don't know of any other extensions using WebSQL. The name of my 
>> extension is History Trends Unlimited (Thomas asked about this earlier in 
>> the thread). I created it 10 years ago, even though WebSQL was already 
>> deprecated at that point. I figured the extension would eventually die when 
>> WebSQL was removed; I'm very happy that there's a path forward now. Many 
>> thanks to all those involved.
>>
>> --Randy
>>
>>
>> On Wed, Feb 8, 2023 at 6:05 PM Ben Morss <mo...@google.com> wrote:
>>
>>> *Carl*, the signs are promising for other browsers to implement all the 
>>> APIs needed to run SQLite-over-Wasm. I'm optimistic!
>>>
>>> *Randy*, how hard would it be to implement something that read user 
>>> data from Web SQL and wrote it into a parallel table structure in SQLite? 
>>> Both of these will coexist in Chromium for some time.
>>>
>>> Let us know how this goes, if you could. I'd also like to be aware of 
>>> other extensions out there that might be using Web SQL and could have 
>>> missed our announcements....
>>>
>>>
>>> On Thu, Feb 2, 2023 at 6:13 PM Carl Turechek <carltu...@gmail.com> 
>>> wrote:
>>>
>>>> One more question is whether that will work on all browsers.. that 
>>>> could at least be considered as an improvement. Also, I'm subbed to this 
>>>> convo and haven't seen any notifications anywhere... Is it supposed to 
>>>> email me?
>>>>
>>>> On Wednesday, February 1, 2023 at 6:50:35 AM UTC-5 tste...@google.com 
>>>> wrote:
>>>>
>>>>> Hey Randy,
>>>>>
>>>>> On Tue, Jan 31, 2023 at 10:51 PM Randy Lauen <randy...@gmail.com> 
>>>>> wrote:
>>>>>
>>>>>> Speaking of nontrivial examples, I have a Chrome extension that 
>>>>>> relies heavily on WebSQL. On my desktop, the WebSQL database for my 
>>>>>> extension is almost 400 MB. I know some users have a database over 1 GB. 
>>>>>> I'm very excited about using Wasm SQLite, since I can (hopefully) 
>>>>>> configure SQLite the way I want, instead of being stuck with the 
>>>>>> configuration used by Chrome.
>>>>>
>>>>>
>>>>> Very exciting. Do you mind sharing the name of the extension?
>>>>>  
>>>>>
>>>>>> What I'm not looking forward to, though, is the transition. Do you 
>>>>>> have any advice on migrating data from WebSQL to Wasm SQLite? My best 
>>>>>> guess so far is to have users use my extension's import/export 
>>>>>> mechanism to export all of their WebSQL data to a file and then import 
>>>>>> it back into Wasm SQLite.
>>>>>>
>>>>>
>>>>> Asking users to manually export their database file from Web SQL via 
>>>>> your extension's export feature and then importing to SQLite is probably 
>>>>> the easiest way, yes.  
>>>>>  
>>>>>
>>>>>> Also, with WebSQL, I can locate the SQLite database on disk within 
>>>>>> Chrome's profile directory. Will that be possible with Wasm SQLite/OPFS?
>>>>>>
>>>>>
>>>>> As a developer, you can use the OPFS Explorer extension 
>>>>> (https://chrome.google.com/webstore/detail/opfs-explorer/acndjpgkpaclldomagafnognkcgjignd) 
>>>>> to do so.
>>>>>
>>>>>
>>>>>> Finally, between manifest v3 and WebSQL deprecation, my extension 
>>>>>> will need a lot of changes this year. If it's possible to stagger the 
>>>>>> deadlines for those, so I don't have to tackle both at the same time, 
>>>>>> then that gets my vote!
>>>>>>
>>>>>
>>>>> The manifest v3 deadline is unrelated to this deprecation deadline. 
>>>>> You can express your concerns about the extensions deadline on their 
>>>>> forum: 
>>>>> https://groups.google.com/a/chromium.org/g/chromium-extensions. 
>>>>>
>>>>> Cheers,
>>>>> Tom
>>>>>
>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b67dc13e-9064-4574-ba4d-5729e315c24fn%40chromium.org.
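
The SQLITE_DBCONFIG_DEFENSIVE change described in the first message of this thread can be checked against whatever SQLite library a runtime links. The following is an added example, not part of the original email and not Chrome or SQLite project code; it assumes Python 3.12 or later (for Connection.setconfig), and the probe() function and its result keys are names made up for the illustration.

```python
import sqlite3

# Connection.setconfig()/getconfig() and SQLITE_DBCONFIG_DEFENSIVE need Python 3.12+.
SUPPORTED = hasattr(sqlite3.Connection, "setconfig")


def probe(defensive):
    """Try to enable writable_schema and rewrite sqlite_master on a scratch DB.

    Returns None when this Python cannot set DBCONFIG flags (assumption above).
    """
    if not SUPPORTED:
        return None
    conn = sqlite3.connect(":memory:")  # constructed scratch database
    try:
        conn.execute("CREATE TABLE t(a)")
        # Set the flag explicitly both ways: a build may default to defensive.
        conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, defensive)
        conn.execute("PRAGMA writable_schema=ON")
        pragma_on = conn.execute("PRAGMA writable_schema").fetchone()[0]
        try:
            # No-op rewrite: requires schema write permission, changes nothing.
            conn.execute("UPDATE sqlite_master SET sql = sql WHERE name = 't'")
            blocked = False
        except sqlite3.DatabaseError:
            blocked = True
        return {
            "defensive": conn.getconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE),
            "pragma_on": bool(pragma_on),        # did the PRAGMA take effect?
            "schema_write_blocked": blocked,     # was sqlite_master protected?
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("linked SQLite:", sqlite3.sqlite_version)
    for mode in (False, True):
        print("defensive =", mode, "->", probe(mode))
```

With defensive mode on, the schema write is refused on any SQLite version that has the flag; what 3.44.0 adds is that "pragma_on" also reads back as off, so code that inspects the PRAGMA no longer sees it enabled.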
