As you mentioned, this is not the intended use of OTs. However, since
the feature needs IWAs to ship, and IWAs are well on track towards
shipping, I'm inclined to allow this extension. That being said, I am
hopeful that this will be the last extension to the feature.
Due to the nature of this situation, this intent will require 3 LGTMs.
LGTM1 to extend to M131 inclusive (please correct me if that's not the
intended target).
Thanks,
Vlad
On Fri, Jul 12, 2024 at 8:08 AM Simon Hangl <simo...@google.com> wrote:
Thanks for your response, Yoav. Please find my answers to your
questions below:
ad 1) “Why not CSP + trusted types instead of IWAs”: We discussed
this with Artur, who initially flagged the vulnerability here
<https://groups.google.com/a/chromium.org/g/blink-dev/c/6TRT0XsVOE4/m/Ns8mbqD7CwAJ>.
We do enforce these requirements. The API is only exposed in
contexts that meet certain requirements on client-side XSS
mitigation
<https://mikewest.github.io/injection-mitigated/#impl-csp>. These
are necessary but not sufficient, as server-side XSS remains a
meaningful risk in the absence of the packaging/signing guarantees
of IWAs. We're managing that risk during this experimental period
via Enterprise policy requirements on the one hand, and OT
registration on the other.
ad 2) “What happened between M124 and M128”: We did clarify with
the Blink owners whether we could extend the origin trial until
M136, to ensure partners can already work with the API followed by
the transition to IWAs. The origin trial accidentally was created
longer than the formal 6 milestones (see discussions here
<https://buganizer.corp.google.com/issues/295831013#comment4>),
which I realized after I applied for extension on this thread.
While we did clarify whether we can extend the origin trial with
the timelines above, I sincerely apologize for not following the
formal process.
ad 3) “Progress towards shipping”: We acknowledge that with our
approach we went beyond the intent of an origin trial. We did
however check in advance with the Blink owners whether we could
follow this approach due to exceptional circumstances in order to
*
get this API into the hands of selected web developers and
*
timebox the temporary solution through origin trial to make
sure this API does not remain on the drive-by web.
The origin trial is essential to keep current developer momentum
and grant enough time for the selected developers to prepare the
API launch in context of IWA
<https://docs.google.com/document/d/1XB8rQRnY5N8G2PeEcNJpVO0q22CutvwW8GGKCZ1z_vc/edit#bookmark=kix.fusm752shry9>.
Good evidence for progress towards shipping can be seen by the
multitude of IWA related work to prepare the upcoming launch (IWA
Launch <https://chromestatus.com/feature/5146307550248960>).
I hope to have answered your questions sufficiently. Please let me
know if you have any further concerns or follow-up questions.
On Thursday, July 11, 2024 at 7:45:24 PM UTC+2 Reilly Grant wrote:
CSP and Trusted Types give you protections against XSS but
only the bundling provided by IWAs provides the protection
against server compromise that Chrome Security is asking for
for this API.
Shipping this API in its final form has been blocked on IWAs
being ready to launch (which is imminent).
Reilly Grant | Software Engineer |rei...@chromium.org |Google
Chrome <https://www.google.com/chrome>
On Wed, Jul 10, 2024 at 9:58 AM Yoav Weiss (@Shopify)
<yoav...@chromium.org> wrote:
A few things trouble me here.
* Dependency injection
o The initial intent
<https://groups.google.com/a/chromium.org/g/blink-dev/c/6TRT0XsVOE4/m/NOm-YEQCAgAJ?utm_medium=email&utm_source=footer>
indicated
dependency on Enterprise Policy, rather than IWAs.
o I see some reasoning for the new dependency in the
design doc's security considerations
<https://docs.google.com/document/d/1XB8rQRnY5N8G2PeEcNJpVO0q22CutvwW8GGKCZ1z_vc/edit#heading=h.y7pqwic3b7ga>,
but it seems incomplete
+ e.g. why couldn't you enforce CSP and
TrustedTypes as a requirement for this
regardless of IWA? How does bundling help when
allowing one app to leak information from
others? Wasn't there controls in place
limiting the origins that can do that as part
of the Enterprise Policy?
+ I may be missing context as a lot of the
links in that doc are still Google-only
* Timelines
o The initial trial went from 118 to 124.
o On this thread I see you started by asking for an
extension from 124 to 130, and then switched to
asking for 129 to 132.
o At the same time, I don't believe the OT was put
on hold when 124 was released.
o *What happened between M124 and M128?*
* Progress towards shipping
o On top of that, no evidence of substantial
progress towards shipping was demonstrated. Again,
the design doc still contains many Google-only
links, so I may be missing context here, but this
section
<https://docs.google.com/document/d/1XB8rQRnY5N8G2PeEcNJpVO0q22CutvwW8GGKCZ1z_vc/edit#heading=h.6yk3lvg6gurf>
feels
very much like a soft launch. The Origin Trial
risks
<https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/explainer.md#:~:text=And%20when%20considering,security%20is%20maintained.>
we
are trying to avoid don't seem to have been
carefully considered.
Putting all this together, I don't think we should renew
the current trial.
On Wednesday, June 26, 2024 at 6:18:45 PM UTC+2 Simon
Hangl wrote:
Oops, upon friendly clarification from a colleague I
realized that your comment was probably about making
the doc visible to everyone :) . I updated the doc
permissions now.
On Wednesday, June 26, 2024 at 10:43:35 AM UTC+2 Simon
Hangl wrote:
@Daniel, thanks for your questions / comments. We
intend to make getAllScreensMedia available for
everybody once isolated web apps launch (we are
asking to extend the origin trial to already gain
insights on the API before isolated web apps
launch - see also the "Short term solution until
IWAs are available" section in the design doc).
This also brings me to the 2nd part of your
question: we made significant progress towards
isolated web apps (we are mostly code complete and
the intent to launch will be submitted within the
next 1-3 milestones).
On Tuesday, June 25, 2024 at 7:48:07 PM UTC+2
Daniel Bratell wrote:
Any reason to not make it available for
everyone? Asking for a friend.
Another thing, when extending experiments we
want to see evidence of substantial progress
on the feature so that it doesn't just roll
along until it's burned in by pure inertia.
Could you please tell us about the progress
since the last extension?
/Daniel
On 2024-06-19 16:42, 'Simon Hangl' via
blink-dev wrote:
Apologies for the delay. We'd like to ask for
an extension of the origin trial from M129 to
M132.
@Yoav, I made the design doc available for
all chromium accounts here
<https://docs.google.com/document/d/1XB8rQRnY5N8G2PeEcNJpVO0q22CutvwW8GGKCZ1z_vc/edit?usp=sharing>.
@Vladimir, we are on track with isolated web
apps and an intent to ship will be submitted
in the next milestones.
On Thursday, March 21, 2024 at 4:38:49 PM
UTC+1 Vladimir Levin wrote:
On Mon, Mar 18, 2024 at 11:17 AM 'Simon
Hangl' via blink-dev
<blin...@chromium.org> wrote:
Hello blink-dev,
We’d like to ask for an extension to
our Origin Trial, from M124 to M130.
This is due to a dependency on
isolated web apps, which are delayed.
The intent process only allows extensions
of 3 milestones at a time. It also
requires evidence of substantial progress
on the feature. It sounds like here, the
original experiment did not go as planned
due to a dependency. Do you know if the
isolated web apps feature is ready now?
In other words, is this dependency
satisfied?
Contact emails
sim...@google.com
Explainer
https://github.com/screen-share/capture-all-screens/blob/main/README.md
<https://github.com/screen-share/capture-all-screens/blob/main/README.md>
Specification
https://screen-share.github.io/capture-all-screens
<https://screen-share.github.io/capture-all-screens>
Design docs
https://screen-share.github.io/capture-all-screens
<https://screen-share.github.io/capture-all-screens>
https://github.com/screen-share/capture-all-screens/blob/main/README.md
<https://github.com/screen-share/capture-all-screens/blob/main/README.md>
https://docs.google.com/document/d/13el0NriAUpAzLUw96V7zQiMSjgH9zVaTXUHtuaq8-HI/edit?resourcekey=0-jRPpeLth1odq6M5iFLswig
Summary
Capture all the screens currently
connected to the device using
getAllScreensMedia(). Calling
getDisplayMedia() multiple times
requires multiple user gestures,
burdens the user with choosing the
next screen each time, and does not
guarantee to the app that all the
screens were selected.
getAllScreensMedia() improves on all
of these fronts. (As this feature has
extreme privacy ramifications, it is
only exposed behind an enterprise
policy, and users are warned before
recording even starts, that recording
*could* start at some point.)
Blink component
Blink>GetDisplayMediaSet
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EGetDisplayMediaSet>
TAG review
https://github.com/w3ctag/design-reviews/issues/856
TAG review status
Complete
Chromium Trial Name
GetAllScreensMedia
Link to origin trial feedback
summary
https://github.com/screen-share/capture-all-screens/issues
Origin Trial documentation link
https://github.com/screen-share/capture-all-screens
Risks
Interoperability and
Compatibility
This API is only available to origins
allowlisted by administrators through
a policy. The policy itself is
non-standard, limiting even
theoretical interoperability.This API
rejects requests from pages that are
not allow-listed through an
administrator. The likelihood of this
API being adopted by a browser that
does not provide administrators
mechanisms to manage clients is low.
Gecko: N/A
WebKit: N/A
Web developers: Positive
(https://github.com/screen-share/capture-all-screens/issues/9
<https://github.com/screen-share/capture-all-screens/issues/9>)
Other signals:
Ergonomics
No
Activation
The challenge for developers is the
limitation of the API to origins
allowlisted by an enterprise policy.
Security
1. Risk of malicious sites
exploiting the API and
gaining access to sensitive
information on users'
devices. This risk is
mitigated by the API only
being accessible to origins
allowlisted by an enterprise
policy.
2. Risk of users loading
private information that gets
recorded and made available
to apps affiliated with their
device's admin. This risk is
mitigated by informing users
that recording might start at
any moment before the API
becomes accessible. (In CrOS,
this warning is delivered in
the log-in screen, and when
users log-in despite the
warning, this is tantamount
to assent.)
3. Risk of users forgetting
that their screens are being
recorded. This risk is
mitigated through a
persistent notification.
Goals for experimentation
Learn about the experience of web
developers and how this API fulfills
their needs.
Reason this experiment is
being extended
This API will eventually be released
for isolated contexts, which are
delayed. Hence, we are asking for an
extension of the origin trial.
Will this feature be
supported on all six Blink
platforms (Windows, Mac,
Linux, ChromeOS, Android, and
Android WebView)?
No
This API is initially implemented on
CrOS, where demand for it is
greatest, and where we have the most
flexibility in offering users early
warning that their screens may be
recorded if they proceed past the
log-in screen. Lessons learned from
shipping this API on CrOS will be
used when deciding how to correctly
implement such warnings on other
platforms.
Is this feature fully tested
by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No, as WPTs don’t support setting of
managed policies. The API is tested
by a number of unit- and browser-
tests (Test files
<https://source.chromium.org/search?q=getallscreensmedia%20f:test.cc%20-f:out%2F&sq=>).
DevTrial instructions
https://github.com/screen-share/capture-all-screens/blob/main/HOWTO.md
<https://github.com/screen-share/capture-all-screens/blob/main/HOWTO.md>
Flag name on chrome://flags
enable-get-all-screens-media
Finch feature name
None
Non-finch justification
None
Requires code in //chrome?
True
Tracking bug
https://issues.chromium.org/issues/40216442
<https://issues.chromium.org/issues/40216442>
Launch bug
https://launch.corp.google.com/launch/4201060
<https://launch.corp.google.com/launch/4201060>
Estimated milestones
Origin trial desktop first
118
Origin trial desktop last
124
Origin trial extension 1 end milestone
130
DevTrial on desktop
116
Link to entry on the Chrome
Platform Status
https://chromestatus.com/feature/6284029979525120
<https://chromestatus.com/feature/6284029979525120>
Links to previous Intent
discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEdDZo9N354i6eST0x19TXwpeBtgs5_gJUYVF%2BTKLpiJySDADg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEdDZo9N354i6eST0x19TXwpeBtgs5_gJUYVF%2BTKLpiJySDADg%40mail.gmail.com>
Intent to Experiment:
https://groups.google.com/a/chromium.org/g/blink-dev/c/6TRT0XsVOE4/m/NOm-YEQCAgAJ
<https://groups.google.com/a/chromium.org/g/blink-dev/c/6TRT0XsVOE4/m/NOm-YEQCAgAJ>
--
You received this message because you
are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and
stop receiving emails from it, send
an email to blink-dev+...@chromium.org.
To view this discussion on the web
visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAP0TkgF1BfhsLRadATibKed4vQUoV8_PqA_xUUZdXSSFcGZW%2Bw%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAP0TkgF1BfhsLRadATibKed4vQUoV8_PqA_xUUZdXSSFcGZW%2Bw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are
subscribed to the Google Groups "blink-dev"
group.
To unsubscribe from this group and stop
receiving emails from it, send an email to
blink-dev+...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dad681d8-8adb-4530-bf59-3604c8bc5047n%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dad681d8-8adb-4530-bf59-3604c8bc5047n%40chromium.org?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6aee109d-77a7-4a01-b4d9-3fcbb4e06b36n%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6aee109d-77a7-4a01-b4d9-3fcbb4e06b36n%40chromium.org?utm_medium=email&utm_source=footer>.