Hi Joe -- I'm planning to deprecate in M105 and remove in M106. On Mon, Jul 11, 2022 at 9:09 AM Joe Medley <[email protected]> wrote:
> Emily, > > In which milestone will this be removed? > > Joe > Joe Medley | Technical Writer, Chrome DevRel | [email protected] | > 816-678-7195 <(816)%20678-7195> > *If an API's not documented it doesn't exist.* > > > On Fri, Jul 8, 2022 at 9:31 AM Emily Stark <[email protected]> wrote: > >> Contact [email protected] >> >> ExplainerNone >> >> Specificationhttps://datatracker.ietf.org/doc/rfc9163 >> >> Summary >> >> Expect-CT is an HTTP header that allowed websites to opt in to >> Certificate Transparency enforcement before it was enforced by default. It >> also has reporting functionality to help developers discover CT >> misconfigurations. >> >> >> Blink componentInternals>Network>DomainSecurityPolicy >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3EDomainSecurityPolicy> >> >> Motivation >> >> Expect-CT was designed to help transition to universal Certificate >> Transparency (CT) enforcement, by allowing high-value websites to opt in to >> CT enforcement/reporting for better security before CT enforcement was >> required (by Chrome) on all public websites. However, Expect-CT has now >> outlived its usefulness. Chrome requires CT on all public websites now, so >> there is no security value to Expect-CT anymore. Expect-CT was also >> designed to help site owners discover CT-related misconfigurations; >> however, now that CT is universally required, CT is generally configured in >> websites' certificates by certificate authorities and virtually never >> configured by individual site owners, thus Expect-CT has very limited value >> as a misconfiguration/debugging tool anymore either. No other browser has >> implemented Expect-CT so removing it is not an interoperability concern. >> >> >> Initial public proposal >> https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ >> >> TAG reviewn/a >> >> TAG review statusNot applicable >> >> Risks >> >> >> Interoperability and Compatibility >> >> >> No other browser has implemented Expect-CT or given signals that they >> intend to (to my knowledge). Expect-CT is not user-visible so removing the >> feature has no compatibility risk. Developers who are currently sending the >> header should stop doing so just to save the bytes on the wire. >> >> While the header is served on a large percent of requests (~6%), this is >> likely due to a small number of large providers that can be informed of the >> deprecation via 1:1 outreach. As described above, the header serves no >> security value any longer, removing it will have no user-visible effects, >> and the header provides extremely minimal debugging value to developers >> since developers are no longer responsible for serving their own CT >> information (100.00% of requests serve CT information directly embedded in >> the certificate, which developers are not responsible for configuring). >> >> *Gecko*: No signal >> >> *WebKit*: No signal >> >> *Web developers*: No signals >> >> *Other signals*: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> >> >> Debuggability >> >> We'll add a console message informing developers that the header will/has >> no effect and they should remove it. >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ?No >> >> Flag name >> >> Requires code in //chrome?False >> >> Estimated milestones >> >> No milestones specified >> >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/6244547273687040 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2Sb%3DaT7ryxApZ8ybeZQLJ23ntQLwPVons_BKoyQvh-uGRw%40mail.gmail.com.
