LGTM3

On 7/11/22 8:08 AM, Mike West wrote:
LGTM2. Good luck with the removal.

-mike


On Fri, Jul 8, 2022 at 6:44 PM Yoav Weiss <[email protected]> wrote:

    LGTM1 to deprecate and remove.
    Please roll out the removal carefully. I'd similarly be surprised
    if the removal causes breakage, but I have been surprised before,
    so.. :)

    On Fri, Jul 8, 2022 at 6:41 PM Emily Stark <[email protected]>
    wrote:


        On Fri, Jul 8, 2022 at 9:34 AM Yoav Weiss
        <[email protected]> wrote:

            What deprecation/removal timelines did you have in mind?


        Since there's no user-visible impact, I was hoping to do a
        console message in M105 and then remove in M106.


            On Fri, Jul 8, 2022 at 6:31 PM Emily Stark
            <[email protected]> wrote:


                        Contact emails

                [email protected]


                        Explainer

                None


                        Specification

                https://datatracker.ietf.org/doc/rfc9163


                        Summary

                Expect-CT is an HTTP header that allowed websites to
                opt in to Certificate Transparency enforcement before
                it was enforced by default. It also has reporting
                functionality to help developers discover CT
                misconfigurations.



                        Blink component

                Internals>Network>DomainSecurityPolicy
                <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3EDomainSecurityPolicy>


                        Motivation

                Expect-CT was designed to help transition to universal
                Certificate Transparency (CT) enforcement, by allowing
                high-value websites to opt in to CT
                enforcement/reporting for better security before CT
                enforcement was required (by Chrome) on all public
                websites. However, Expect-CT has now outlived its
                usefulness. Chrome requires CT on all public websites
                now, so there is no security value to Expect-CT
                anymore. Expect-CT was also designed to help site
                owners discover CT-related misconfigurations; however,
                now that CT is universally required, CT is generally
                configured in websites' certificates by certificate
                authorities and virtually never configured by
                individual site owners, thus Expect-CT has very
                limited value as a misconfiguration/debugging tool
                anymore either. No other browser has implemented
                Expect-CT so removing it is not an interoperability
                concern.



                        Initial public proposal

                https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ


                        TAG review

                n/a


                        TAG review status

                Not applicable


                        Risks



                        Interoperability and Compatibility


                No other browser has implemented Expect-CT or given
                signals that they intend to (to my knowledge).
                Expect-CT is not user-visible so removing the feature
                has no compatibility risk. Developers who are
                currently sending the header should stop doing so just
                to save the bytes on the wire.

                While the header is served on a large percent of
                requests (~6%), this is likely due to a small number
                of large providers that can be informed of the
                deprecation via 1:1 outreach.


            Are you planning to wait for usage to drop as a result of
            this outreach? Or are you fairly confident that removing
            will not break content due to some weird server side
            reliance on the header?


        I would be very very surprised if the removal caused any
        breakage, so I think we can go ahead with the removal without
        waiting for usage to drop. The outreach is really just a
        heads-up to allow websites to save some bytes on serving the
        header and turn down any infrastructure they have in place for
        receiving reports, but the feature is essentially a no-op
        right now so removing it shouldn't cause any breakage.

                As described above, the header serves no security
                value any longer, removing it will have no
                user-visible effects, and the header provides
                extremely minimal debugging value to developers since
                developers are no longer responsible for serving their
                own CT information (100.00% of requests serve CT
                information directly embedded in the certificate,
                which developers are not responsible for configuring).

                Gecko: No signal

                WebKit: No signal

                Web developers: No signals

                Other signals:


                        WebView application risks

                Does this intent deprecate or change behavior of
                existing APIs, such that it has potentially high risk
                for Android WebView-based applications?



                        Debuggability

                We'll add a console message informing developers that
                the header will/has no effect and they should remove it.


                        Is this feature fully tested by web-platform-tests
                        <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

                No


                        Flag name



                        Requires code in //chrome?

                False


                        Estimated milestones

                No milestones specified



                        Link to entry on the Chrome Platform Status

                https://chromestatus.com/feature/6244547273687040

                This intent message was generated by Chrome Platform
                Status <https://chromestatus.com/>.
                --
                You received this message because you are subscribed
                to the Google Groups "blink-dev" group.
                To unsubscribe from this group and stop receiving
                emails from it, send an email to
                [email protected].
                To view this discussion on the web visit
                https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com




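The thread above concludes that sites still sending Expect-CT should drop the header and turn down their report-uri endpoints. As an added example that is not part of the blink-dev thread or of Chromium's code, the following Python parses the header's directives as RFC 9163 defines them (max-age, enforce, report-uri; unknown directives ignored; directive names case-insensitive) and audits a set of captured response headers for the header so it can be removed from server configuration. The response headers and URLs are constructed for the example; nothing is fetched from the network.

```python
"""Audit HTTP responses for the now-pointless Expect-CT header (RFC 9163).

Added example, not code from the blink-dev thread or from Chromium.
The header values below are constructed; no network access is made.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 9163 / RFC 7230 grammar: directives are a comma-separated list of
#   directive-name [ "=" ( token / quoted-string ) ]
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_DIRECTIVE_RE = re.compile(
    r"\s*(?P<name>" + _TCHAR + r"+)"
    r'(?:\s*=\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TCHAR + r"+)))?"
    r"\s*(?:,|$)"
)
# RFC 7230 list syntax tolerates empty elements ("a, , b"); skip them.
_EMPTY_RE = re.compile(r"\s*(?:,|$)")


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool = False
    report_uri: Optional[str] = None
    unknown: List[str] = field(default_factory=list)


def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT field value; raises ValueError on malformed input."""
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    unknown: List[str] = []
    seen = set()
    pos = 0
    while pos < len(value):
        empty = _EMPTY_RE.match(value, pos)
        if empty:  # empty list element or trailing whitespace
            pos = empty.end()
            continue
        m = _DIRECTIVE_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}: {value[pos:]!r}")
        pos = m.end()
        name = m.group("name").lower()
        if m.group("quoted") is not None:
            val: Optional[str] = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        else:
            val = m.group("token")
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "enforce":
            if val is not None:
                raise ValueError("enforce takes no value")
            enforce = True
        elif name == "report-uri":
            if val is None:
                raise ValueError("report-uri requires a value")
            report_uri = val
        else:
            unknown.append(name)  # RFC 9163: unrecognised directives are ignored
    if max_age is None:
        raise ValueError("max-age directive is required")
    return ExpectCT(max_age, enforce, report_uri, unknown)


# Constructed sample: three captured responses, two of which still send the header.
CONSTRUCTED_RESPONSES: Dict[str, Dict[str, str]] = {
    "https://a.example/": {
        "Content-Type": "text/html",
        "Expect-CT": 'max-age=86400, enforce, report-uri="https://a.example/ct-report"',
    },
    "https://b.example/": {"Content-Type": "text/html", "expect-ct": "max-age=0"},
    "https://c.example/": {"Content-Type": "text/html"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each URL that still sends Expect-CT to a removal recommendation."""
    findings: Dict[str, str] = {}
    for url, headers in responses.items():
        value = next((v for k, v in headers.items() if k.lower() == "expect-ct"), None)
        if value is None:
            continue
        try:
            d = parse_expect_ct(value)
        except ValueError as exc:
            findings[url] = f"malformed Expect-CT ({exc}); remove the header"
            continue
        advice = "remove Expect-CT (no effect in Chrome, never supported by other browsers)"
        if d.report_uri:
            advice += f"; report endpoint {d.report_uri} can be decommissioned"
        findings[url] = advice
    return findings


if __name__ == "__main__":
    for url, advice in audit(CONSTRUCTED_RESPONSES).items():
        print(f"{url}: {advice}")
```

The audit deliberately treats a malformed header the same as a valid one: whatever the value, the only action left is to stop sending it.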