Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-10-04 Thread 'Jason Robbins' via blink-dev
At this morning's API Owners meeting, they asked me to add all review gate types to all of the "web developer facing code change" features that are currently under review, including this one. So, I have added Privacy, Security, Enterprise, Debuggability, and Testing gates to your feature entry

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-07-21 Thread Javier Garcia Visiedo
There is an ongoing conversation with Mozilla and Safari for the coordinated removal of wildcard support for ACAH. Firefox has this implemented behind a flag, same as we do, and we are waiting for Safari's plans at this point. On Thu, Jul 20,

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-07-19 Thread Yoav Weiss
Any updates on this? :) On Wed, May 24, 2023 at 10:48 AM Javier Garcia Visiedo wrote: > I was targeting M116, which is aligned with what Firefox indicated. > However, other browsers are yet to confirm their timeline, and they have > indicated they might need more time, which makes 116 unrealisti

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-05-24 Thread Javier Garcia Visiedo
I was targeting M116, which is aligned with what Firefox indicated. However, other browsers are yet to confirm their timeline, and they have indicated they might need more time, which makes 116 unrealistic if we want to get other browsers in addition to Firefox onboard. Regarding the outreach plan

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-05-23 Thread Yoav Weiss
I'd be supportive of a coordinated change, given that popular 3P outreach was successful, and 1P use is unlikely to result in user visible breakage. What's the timeline you have in mind? What's the outreach plan to make developers aware of this upcoming change? On Tuesday, May 16, 2023 at 7:03:3

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-05-16 Thread 'Javier Garcia Visiedo' via blink-dev
Yes, I've got a positive response from the two 3P APIs (relatively popular). One case is already solved and in production, the second one, responsible for a huge increase on the UKM entries from February - March is solved and testing right now. However, I believe we still want to coordinate the l

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-04-05 Thread Javier Garcia Visiedo
> > For these visual elements, are there any common threads that you could > notice? E.g. Any common 3P providers? > In all cases I've seen, these are 1P requests of the form https://foo.example to https://api.foo.example/api/v1/blah. I've not found many sites with these visual element impacts, s

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-03-29 Thread Yoav Weiss
On Wed, Mar 29, 2023 at 11:01 AM Yoav Weiss wrote: > > > On Wed, Mar 29, 2023 at 10:32 AM Javier Garcia Visiedo < > visi...@chromium.org> wrote: > >> Thank you for your quick reply Yoav, >> >> Please find my answers inline. >> >> >> On Wednesday, March 29, 2023 at 4:35:32 PM UTC+9 Yoav Weiss wrot

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-03-29 Thread Yoav Weiss
On Wed, Mar 29, 2023 at 10:32 AM Javier Garcia Visiedo wrote: > Thank you for your quick reply Yoav, > > Please find my answers inline. > > > On Wednesday, March 29, 2023 at 4:35:32 PM UTC+9 Yoav Weiss wrote: > > Thank you so much, Javier! :) That's some great analysis! > > On Wed, Mar 29, 2023 a

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-03-29 Thread Javier Garcia Visiedo
Thank you for your quick reply Yoav, Please find my answers inline. On Wednesday, March 29, 2023 at 4:35:32 PM UTC+9 Yoav Weiss wrote: Thank you so much, Javier! :) That's some great analysis! On Wed, Mar 29, 2023 at 7:51 AM Javier Garcia Visiedo wrote: Hi all, Please find the summary of m

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-03-29 Thread Yoav Weiss
Thank you so much, Javier! :) That's some great analysis! On Wed, Mar 29, 2023 at 7:51 AM Javier Garcia Visiedo wrote: > Hi all, > > Please find the summary of my findings, after analyzing the UKM data. > > Currently, the UKM data shows 2,087 distinct domains (eTLD+1) sending a > wildcard for AC

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2023-03-28 Thread Javier Garcia Visiedo
Hi all, Please find the summary of my findings, after analyzing the UKM data. Currently, the UKM data shows 2,087 distinct domains (eTLD+1) sending a wildcard for ACAH and/or ACAO in response to a credentialled request. The UKM data is not good at showing events over time, but the use counter

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2022-07-12 Thread Yoav Weiss
Hey Javier! The benefit of UKM is that it can give us a list of URLs that have some breakage potential. The alternative is to cross the usecounter with HTTPArchive data, but that has a strong bias towards homepages, so may miss a lot of pages that require a login and are not the homepage. With a

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2022-07-12 Thread Javier Garcia Visiedo
Hi, I'm taking over this issue, currently writing the UKM collection review document. IIUC the ask is to opt in the existing use counter for the feature into a UKM. I was wondering (and sorry for the naive question) what would

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2022-07-12 Thread Javier Garcia Visiedo
Hi, I am starting a UKM collection review to opt in the existing use counter into an UKM. Sorry if my question is too naive, I just wanted to understand what benefits would the UKM add over the existing use counter? Or is it the

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2022-01-26 Thread Chris Harrelson
Hi, just checking in on this intent. From the API owners' perspective, we're going to wait for the UKM, thanks. On Wed, Jan 12, 2022 at 7:41 AM Yutaka Hirano wrote: > Hi Yoav, > > Thank you for the suggestions. I'll try to add UKM. > > > One other question that came up: Is the usage related to d

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2022-01-12 Thread Yutaka Hirano
Hi Yoav, Thank you for the suggestions. I'll try to add UKM. > One other question that came up: Is the usage related to developers adding the "Authorization" header on their own, or is it something the browser sends under certain circumstances? (e.g. when receiving 401 responses with "WWW-Autenti

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2022-01-05 Thread Yoav Weiss
Hey Yutaka! We discussed this at the API owners meeting today (Daniel, Chris, Alex, MikeT and myself). It seems like the risk here is too high to remove support as is, and a reasonable next step may be to add the metric to UKM and get a more detailed view of which sites are using it and how. Th

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-12-09 Thread Yutaka Hirano
We've been showing a deprecation message since 94. Sadly the deprecation message hasn't decreased the usage so far. On Thu, Dec 9, 2021 at 1:52 AM Mike West wrote: > From my perspective, it's a bit worrying that y

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-12-08 Thread Mike West
From my perspective, it's a bit worrying that you found user-visible breakage in a random sampling of the otherwise small number of sites that fall into this category. As Yoav suggested, there's some additional likelihood that we're not seeing some breakage that requires sign-in. It might be w

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-12-01 Thread Yutaka Hirano
On Thu, Dec 2, 2021 at 12:29 AM Yoav Weiss wrote: > > > On Wed, Dec 1, 2021 at 4:00 PM Yutaka Hirano wrote: > >> Sorry for the delay! >> >> I checked 10 sites. I saw console errors in three sites among them: >> 1. https://cchatty.com/ >> 2. https://techrxiv.org/ >> 3. https://bodyshake.com/ >

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-12-01 Thread Yoav Weiss
On Wed, Dec 1, 2021 at 4:00 PM Yutaka Hirano wrote: > Sorry for the delay! > > I checked 10 sites. I saw console errors in three sites among them: > 1. https://cchatty.com/ > 2. https://techrxiv.org/ > 3. https://bodyshake.com/ > > I only see a visible breakage in 1 (cards in the main panel ar

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-12-01 Thread Yutaka Hirano
Sorry for the delay! I checked 10 sites. I saw console errors in three sites among them: 1. https://cchatty.com/ 2. https://techrxiv.org/ 3. https://bodyshake.com/ I only see a visible breakage in 1 (cards in the main panel are invisible). On other sites I don't see any visible differences. Pl

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-12-01 Thread Yoav Weiss
Friendly ping on Chris' question On Thursday, November 4, 2021 at 8:31:36 PM UTC+1 Chris Harrelson wrote: > Would it be feasible to get a random list of 10-20 sites that hit the use > counter and see if they are broken badly by this feature? > > On Thu, Nov 4, 2021 at 4:54 AM Yutaka Hirano wrot

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-11-04 Thread 'Chris Harrelson' via blink-dev
Would it be feasible to get a random list of 10-20 sites that hit the use counter and see if they are broken badly by this feature? On Thu, Nov 4, 2021 at 4:54 AM Yutaka Hirano wrote: > (friendly ping) > > On Mon, Nov 1, 2021 at 1:57 PM Yutaka Hirano wrote: > >> Thank you for the feedback. >> >

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-11-04 Thread Yutaka Hirano
(friendly ping) On Mon, Nov 1, 2021 at 1:57 PM Yutaka Hirano wrote: > Thank you for the feedback. > > Do you have concrete steps for the investigation in your mind? > > On Fri, Oct 29, 2021 at 4:30 AM Mike West wrote: > >> I think it's reasonable for us to dig into the data a little bit to >> d

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-10-31 Thread Yutaka Hirano
Thank you for the feedback. Do you have concrete steps for the investigation in your mind? On Fri, Oct 29, 2021 at 4:30 AM Mike West wrote: > I think it's reasonable for us to dig into the data a little bit to > determine whether the 0.04% number quoted above will result in user-facing > breaka

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-10-28 Thread Mike West
I think it's reasonable for us to dig into the data a little bit to determine whether the 0.04% number quoted above will result in user-facing breakage. Yutaka, is that something you'd be willing to dig into? The direction seems philosophically correct to me, so I'd like to see it ship, but I'd al

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-10-21 Thread Yutaka Hirano
On Thu, Oct 21, 2021 at 6:25 PM Yoav Weiss wrote: > > > On Thu, Oct 21, 2021 at 9:55 AM Yutaka Hirano > wrote: > >> (The implementation CL >> is >> under review. This intent is written as if it's landed.) >> >> Contact emails yhi

Re: [blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-10-21 Thread Yoav Weiss
On Thu, Oct 21, 2021 at 9:55 AM Yutaka Hirano wrote: > (The implementation CL > is > under review. This intent is written as if it's landed.) > > Contact emails yhir...@chromium.org > > Specification > https://fetch.spec.whatwg.or

[blink-dev] Intent to Ship: CORS non-wildcard request-header

2021-10-21 Thread Yutaka Hirano
(The implementation CL is under review. This intent is written as if it's landed.) Contact emails yhir...@chromium.org Specification https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name Summary A CORS non-wildcar