Re: [blink-dev] Intent to deprecate forwarding of mdoc-scheme URLs as Android Intents

[Nicola Tommasi]

Thanks Adam for providing more info. We discussed this topic within the Web 
Platform team yesterday and the feedback was positive. Could you please 
share the deprecation plan as soon as you have more details?

Cheers,
Nicola

On Friday, March 24, 2023 at 4:59:48 PM UTC Adam Langley wrote:

> On Fri, Mar 24, 2023 at 2:45 AM Nicola Tommasi  
> wrote:
>
>> Hi Adam,
>>
>> Thanks for sending this intent. I'm trying to understand a bit more the 
>> proposed deprecation so I have a few questions for you:
>>
>> - Are these URIs already used by other APIs?If so, could you please make 
>> an example?
>>
>
> These URIs are specific to mdoc presentation. They are not a web API, they 
> are a way for sites on Android to use Chromium's ability to trigger Android 
> Intents, not to invoke the site's app, but to open an unrelated wallet app 
> that would then communicate directly with the origin server.
>
> - Do you plan to block these URIs only for the mdoc presentation API?If 
>> the API is not shipped yet, why do we need a deprecation intent?
>>
>
> These schemes aren't part of a web API. We believe that a web API is the 
> better way to expose mdocs on the web and are sending this notice early to 
> inform the ecosystem of our thinking and hopefully make an eventual 
> deprecation less impactful.
>
>
> Cheers
>
> AGL 
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/09e97cbf-6d46-42b9-aeef-8d703393b65cn%40chromium.org.

Re: [blink-dev] Intent to deprecate forwarding of mdoc-scheme URLs as Android Intents

['Adam Langley' via blink-dev]

On Fri, Mar 24, 2023 at 2:45 AM Nicola Tommasi 
wrote:

> Hi Adam,
>
> Thanks for sending this intent. I'm trying to understand a bit more the
> proposed deprecation so I have a few questions for you:
>
> - Are these URIs already used by other APIs?If so, could you please make
> an example?
>

These URIs are specific to mdoc presentation. They are not a web API, they
are a way for sites on Android to use Chromium's ability to trigger Android
Intents, not to invoke the site's app, but to open an unrelated wallet app
that would then communicate directly with the origin server.

- Do you plan to block these URIs only for the mdoc presentation API?If the
> API is not shipped yet, why do we need a deprecation intent?
>

These schemes aren't part of a web API. We believe that a web API is the
better way to expose mdocs on the web and are sending this notice early to
inform the ecosystem of our thinking and hopefully make an eventual
deprecation less impactful.


Cheers

AGL

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLwuR_sM0LnagCtFEPWw8GJc2fPuU06iWuOZzbAqb8mg3g%40mail.gmail.com.

Re: [blink-dev] Intent to deprecate forwarding of mdoc-scheme URLs as Android Intents

[Nicola Tommasi]

Hi Adam,

Thanks for sending this intent. I'm trying to understand a bit more the 
proposed deprecation so I have a few questions for you:

- Are these URIs already used by other APIs?If so, could you please make an 
example?
- Do you plan to block these URIs only for the mdoc presentation API?If the 
API is not shipped yet, why do we need a deprecation intent?

I'm sorry if the questions may sound trivial, I just wanted to be sure to 
get the full context around this topic.

Cheers,
Nicola

On Tuesday, March 21, 2023 at 2:45:50 PM UTC Adam Langley wrote:

> On Tue, Mar 21, 2023 at 4:25 AM Yoav Weiss  wrote:
>
>> Thanks for sending this intent! :)
>>
>> It seems like you didn't use the chromestatus.com template, so a few 
>> things are missing:
>> * The title is non-standard and hence didn't get caught in our tooling
>> * What's the timeline for which you want to deprecate the use of these 
>> URI schemes? When will they be removed?
>> * A short explainer outlining what will be deprecated and removed and how 
>> developers should deal with that
>>
>
> At this point we are collecting feedback and metrics on this deprecation 
> and a more standard and concrete plan will follow from that. This is not 
> the usual way around, but we hope that by communicating earlier any impact 
> will be reduced.
>
>
> Cheers
>
> AGL
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/86d2b49b-7110-4c0f-82e9-bef3a453809cn%40chromium.org.

Re: [blink-dev] Intent to deprecate forwarding of mdoc-scheme URLs as Android Intents

['Adam Langley' via blink-dev]

On Tue, Mar 21, 2023 at 4:25 AM Yoav Weiss  wrote:

> Thanks for sending this intent! :)
>
> It seems like you didn't use the chromestatus.com template, so a few
> things are missing:
> * The title is non-standard and hence didn't get caught in our tooling
> * What's the timeline for which you want to deprecate the use of these URI
> schemes? When will they be removed?
> * A short explainer outlining what will be deprecated and removed and how
> developers should deal with that
>

At this point we are collecting feedback and metrics on this deprecation
and a more standard and concrete plan will follow from that. This is not
the usual way around, but we hope that by communicating earlier any impact
will be reduced.


Cheers

AGL

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLxkX-u09hvH3vBE%2B1XPA%2BKQJsg3WeH887A1O0-G0Ou6ow%40mail.gmail.com.

Re: [blink-dev] Intent to deprecate forwarding of mdoc-scheme URLs as Android Intents

[Yoav Weiss]

Thanks for sending this intent! :)

It seems like you didn't use the chromestatus.com template, so a few things
are missing:
* The title is non-standard and hence didn't get caught in our tooling
* What's the timeline for which you want to deprecate the use of these URI
schemes? When will they be removed?
* A short explainer outlining what will be deprecated and removed and how
developers should deal with that



On Mon, Mar 20, 2023 at 5:50 PM 'Adam Langley' via blink-dev <
blink-dev@chromium.org> wrote:

> *Primary eng emails*
>
> a...@chromium.org, rby...@chromium.org
>
> *Summary*
>
> Creating a dedicated secure browser API for mdoc selection to replace
> mdoc-scheme URLs on Chrome and Android.
>
> *Motivation*
>
> Last month, we sent
> 
> an intent to prototype for a more secure browser API for mdoc
>  selection, which we
> believe will more safely enable mobile driver’s licenses on the web across
> multiple wallets. In addition to allowing sites to request real-world
> identity information for opening a bank account, for example, this
> dedicated API will also provide users with more transparency and control
> into what personal information is then shared with the website requesting
> it.
>
> As prototyping of the new API begins, we are considering blocking the URI
> schemes mdoc and mdoc-openid4vp from being forwarded directly to the OS
> (e.g. as Intents on Android). These schemes have been proposed as a way to
> use Chromium's support for websites opening complementary apps, to instead
> open and communicate directly with arbitrary wallet apps. We believe this
> mechanism is more prone to security risks for consumers, such as phishing
> attacks, by not providing enough information to the browser to be able to
> explain the request to the user, and that it prevents the operating system
> from mediating such requests.
>
> For similar reasons, Android is exploring a complementary, API-based
> solution, instead of supporting the URL schemes mentioned above.
>
> Like all Chromium projects, the new API will be developed in the open and
> we’ll be engaging with the developers, regulators, and industry groups for
> feedback.
>
> We are collecting feedback and metrics on this deprecation plan and will
> follow up with a bug and feature dashboard entry when pertinent.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLycoChNiZAMB33jVCe%3DUvdrFAYkQ%3DiKH%2BXqPK-bgS2VEA%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfUi5yZeJxE-Yr7HLym87Bm-8zXYY-tm23vymLWHLcPhbg%40mail.gmail.com.

[blink-dev] Intent to deprecate forwarding of mdoc-scheme URLs as Android Intents

['Adam Langley' via blink-dev]

*Primary eng emails*

a...@chromium.org, rby...@chromium.org

*Summary*

Creating a dedicated secure browser API for mdoc selection to replace
mdoc-scheme URLs on Chrome and Android.

*Motivation*

Last month, we sent

an intent to prototype for a more secure browser API for mdoc
 selection, which we
believe will more safely enable mobile driver’s licenses on the web across
multiple wallets. In addition to allowing sites to request real-world
identity information for opening a bank account, for example, this
dedicated API will also provide users with more transparency and control
into what personal information is then shared with the website requesting
it.

As prototyping of the new API begins, we are considering blocking the URI
schemes mdoc and mdoc-openid4vp from being forwarded directly to the OS
(e.g. as Intents on Android). These schemes have been proposed as a way to
use Chromium's support for websites opening complementary apps, to instead
open and communicate directly with arbitrary wallet apps. We believe this
mechanism is more prone to security risks for consumers, such as phishing
attacks, by not providing enough information to the browser to be able to
explain the request to the user, and that it prevents the operating system
from mediating such requests.

For similar reasons, Android is exploring a complementary, API-based
solution, instead of supporting the URL schemes mentioned above.

Like all Chromium projects, the new API will be developed in the open and
we’ll be engaging with the developers, regulators, and industry groups for
feedback.

We are collecting feedback and metrics on this deprecation plan and will
follow up with a bug and feature dashboard entry when pertinent.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLycoChNiZAMB33jVCe%3DUvdrFAYkQ%3DiKH%2BXqPK-bgS2VEA%40mail.gmail.com.