Contact [email protected] ExplainerNone
Specificationhttps://datatracker.ietf.org/doc/rfc9163 Summary Expect-CT is an HTTP header that allowed websites to opt in to Certificate Transparency enforcement before it was enforced by default. It also has reporting functionality to help developers discover CT misconfigurations. Blink componentInternals>Network>DomainSecurityPolicy <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3EDomainSecurityPolicy> Motivation Expect-CT was designed to help transition to universal Certificate Transparency (CT) enforcement, by allowing high-value websites to opt in to CT enforcement/reporting for better security before CT enforcement was required (by Chrome) on all public websites. However, Expect-CT has now outlived its usefulness. Chrome requires CT on all public websites now, so there is no security value to Expect-CT anymore. Expect-CT was also designed to help site owners discover CT-related misconfigurations; however, now that CT is universally required, CT is generally configured in websites' certificates by certificate authorities and virtually never configured by individual site owners, thus Expect-CT has very limited value as a misconfiguration/debugging tool anymore either. No other browser has implemented Expect-CT so removing it is not an interoperability concern. Initial public proposal https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ TAG reviewn/a TAG review statusNot applicable Risks Interoperability and Compatibility No other browser has implemented Expect-CT or given signals that they intend to (to my knowledge). Expect-CT is not user-visible so removing the feature has no compatibility risk. Developers who are currently sending the header should stop doing so just to save the bytes on the wire. While the header is served on a large percent of requests (~6%), this is likely due to a small number of large providers that can be informed of the deprecation via 1:1 outreach. As described above, the header serves no security value any longer, removing it will have no user-visible effects, and the header provides extremely minimal debugging value to developers since developers are no longer responsible for serving their own CT information (100.00% of requests serve CT information directly embedded in the certificate, which developers are not responsible for configuring). *Gecko*: No signal *WebKit*: No signal *Web developers*: No signals *Other signals*: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? Debuggability We'll add a console message informing developers that the header will/has no effect and they should remove it. Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?No Flag name Requires code in //chrome?False Estimated milestones No milestones specified Link to entry on the Chrome Platform Status https://chromestatus.com/feature/6244547273687040 This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com.
