LGTM2
On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108
or M109, and carefully roll this out for M110, once it hits stable.
On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim
<vogelh...@google.com> wrote:
On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor
<miketa...@chromium.org> wrote:
On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
Hello all,
The approval for the Intent To Ship for Origin Isolation
By Default / Deprecate document.domain
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> asks
for a separate intent for the actual default change
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>.
This is that separate intent.
A summary of what happened so far:
- Shipping Origin Isolation by Default (and thereby
deprecating document.domain) has security benefits, but
compatibility risk.
- We added warnings to the developer console and issues
panel, published a blog post, and engaged in direct
outreach. This has resulted in substantial, measurable
reduction of usage. Some sites keep using
document.domain, but have mitigated the deprecation with
other means. This makes the risk difficult to measure.
- Sampling of sites with document.domain usage and manual
inspection yields a potential breakage estimate at
~0.015% of page views.
What we're asking for here is:
- Enable the feature at 50% for beta (+ dev + canary)
during M109, as a "last call" for web site authors.
This sounds like a good idea. Is there any reason we
couldn't go to 50% in M108 as well (or are you trying to
avoid breakage over the winter holidays)?
No reason. I'd be happy to go to beta as soon as I receive the
lgtms. I had conservatively budgeted that to be 109. :-)
Another question: do we have enterprise policies available
for this change?
Yes; the policy is here: OriginAgentClusterDefaultEnabled
<https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>
- Launch on stable on M110. (~ Feb '23, so >12 weeks out
from today)
------------------------
Contact emails
v...@chromium.org, vogelh...@chromium.org
Specification
Explainer: https://github.com/mikewest/deprecating-document-domain
HTML Spec draft: https://github.com/whatwg/html/compare/main...otherdaniel:dd
API spec
Yes
Summary
This is a follow-on to the Intent to Ship: Origin
Isolation By Default / Deprecate document.domain
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. We'd
like to ship this in M110, stable.
Summary (of the underlying change)
Change the default behavior of the
Origin-Agent-Cluster: header / document.domain
settability.
Presently, pages within Chromium have site-keyed
agent clusters by default, unless the
Origin-Agent-Cluster: header is explicitly set to
true. This accommodates pages or frames which
want to access each other's state, despite being
on different origins (but within a site). This is
fine for any pages that wish to do so, but
because a page *might* set document.domain later
on, Chromium currently must use site-keyed agent
clusters for *all* pages by default even though
the overwhelming majority of pages do not ever
make use of this (mis-)feature. In turn, this
requires Chromium to use sites as the basis for
renderer process isolation (via Site Isolation),
which exposes origins to same-site but
cross-origin attacks involving compromised
renderer processes or the "Spectre" family of
side-channel attacks.
This proposal changes the default behaviour of
Origin-Agent-Cluster. From a developer's point of
view, the new default matches
"Origin-Agent-Cluster: ?1". The initial
implementation will use origin-keyed agent
clusters for all (non-opted out) origins, without
changing how many processes Chromium creates.
Over time, we can then adapt Chromium's isolation
strategy towards origin-keyed processes without
further affecting web-visible behaviour.
The developer-visible aspect of this is that for
pages with origin-keyed agent clusters,
document.domain is no longer settable. Thus, we
have marked this intent as a deprecation.
Note that this proposal is about the default.
Both modes - site-keyed or origin-keyed agent
clusters - remain available to any site, but
origin-keyed agent clusters change from opt-in to
opt-out. The current behaviour remains available
by setting "Origin-Agent-Cluster: ?0".
Blink component
Blink>SecurityFeature
TAG review
https://github.com/w3ctag/design-reviews/issues/564
Risks: Interoperability and Compatibility
There are compatibility risks, which we have reduced with
outreach and warnings, and we want to mitigate further by
launching at 50% of beta first. An extended discussion of
the risk (including attempts at quantitative assessment)
can be found in the original intent to ship
<https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
Gecko: Standards position request
<https://github.com/mozilla/standards-positions/issues/601>.
("Worth prototyping")
WebKit: https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html (No signals.)
Web developers: No signals.
Activation - Deprecation plan
M109: Enable "Origin Agent Cluster by Default"
for 50% of page loads on beta, dev, and canary.
M110: Enable "Origin Agent Cluster by Default" on stable.
Security
This change should be security-positive, since
setting document.domain will not have any impact
on the origin of the document any more.
Debuggability
A deprecation warning has been added to DevTools
console and to the issues panel in M98. This
warning will file a deprecation report as well
using the Reporting API, if so configured.
Will this feature be supported on all six Blink
platforms (Windows, Mac, Linux, Chrome OS,
Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
This is covered by Origin-keyed Agent Cluster
tests
<https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.
Tracking bug
https://crbug.com/1139851
Launch bug
https://crbug.com/1246823
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5428079583297536 (document.domain setter deprecation)
https://chromestatus.com/features/5683766104162304 (Origin-keyed agent clusters)
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
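The default change described in the intent's summary, as an added example that is not part of the original thread and is not Chromium code: it models only the header rule stated there ("?1" origin-keyed, "?0" opt-out, otherwise the default) and lists which pages of a site inventory lose a settable document.domain when the default flips. The function names, the simplified header parsing and the inventory entries are assumptions constructed for illustration.

```javascript
// Added illustration, not Chromium code. It models only what the thread states:
// "?1" requests origin-keyed agent clusters, "?0" opts out to site-keyed ones,
// and the change flips what happens when no usable header is present.

// Parse the header as a structured-field boolean (simplified: parameters after
// ';' are ignored rather than validated). Returns true, false, or null when the
// header is absent or is not a boolean item.
function parseOriginAgentCluster(value) {
  if (typeof value !== "string") return null;
  const item = value.split(";")[0].trim();
  if (item === "?1") return true;
  if (item === "?0") return false;
  return null; // "true", "1", "?1, ?0" are not boolean items: the default applies
}

// Keying for one document, given the browser default (false = the old
// site-keyed default, true = the new origin-keyed default).
function effectiveKeying(headerValue, originKeyedByDefault) {
  const requested = parseOriginAgentCluster(headerValue);
  const originKeyed = requested === null ? originKeyedByDefault : requested;
  return {
    keying: originKeyed ? "origin" : "site",
    documentDomainSettable: !originKeyed,
  };
}

// URLs whose document.domain use works under the old default and stops working
// under the new one; these need "Origin-Agent-Cluster: ?0" or a code change.
function auditDefaultChange(pages) {
  return pages
    .filter((p) => p.setsDocumentDomain)
    .filter((p) =>
      effectiveKeying(p.header, false).documentDomainSettable &&
      !effectiveKeying(p.header, true).documentDomainSettable)
    .map((p) => p.url);
}

// Constructed inventory (hypothetical hosts and findings).
const samplePages = [
  { url: "https://app.example.test/", header: undefined, setsDocumentDomain: true },
  { url: "https://legacy.example.test/", header: "?0", setsDocumentDomain: true },
  { url: "https://typo.example.test/", header: "true", setsDocumentDomain: true },
  { url: "https://strict.example.test/", header: "?1", setsDocumentDomain: true },
  { url: "https://static.example.test/", header: undefined, setsDocumentDomain: false },
];

console.log(auditDefaultChange(samplePages));
```

The page sending `true` is flagged because that value is not a structured boolean, so the browser default decides its keying both before and after the change.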