Thanks for driving the naming issue to resolution Arthur. Given the lack of engagement on the mozilla standards position issue, I don't see anything else concrete that should block shipping. I also think we could make an investment in negative sandbox flags independently if there were consensus that it was the right thing to do, but that's also a very long running debate (eg. we went over it with the introduction of feature policies and the 'allow' attribute years ago).
LGTM1 On Wed, Nov 30, 2022 at 9:12 AM Arthur Sonzogni <arthursonzo...@google.com> wrote: > On Thu, Nov 17, 2022 at 11:50 PM Rick Byers <rby...@chromium.org> wrote: > >> Discussed in the API owners meeting yesterday. It sounds like work is >> ongoing to fully resolve issue #5 >> <https://github.com/WICG/anonymous-iframe/issues/5> including a good >> discussion at WebAppSec WG yesterday (summary in the Mozilla standards >> position issue >> <https://github.com/mozilla/standards-positions/issues/628>). >> > > issue #5 <https://github.com/WICG/anonymous-iframe/issues/5> has been > implemented. Anonymous iframe is now renamed: iframe credentialless. The > implementation is ready to ship for M110. > After the webappsec meeting with Dan Veditz. I asked on this Mozilla > standard position thread > <https://github.com/mozilla/standards-positions/issues/628#issuecomment-1318940625> > how we might reach agreement or what action to take instead. I don't > believe we came to anything close to that. So far, I haven't had any luck > getting additional responses. > > Arthur, let us know when you think decisions are captured sufficiently for >> API owners to re-evaluate. >> > > I'm not sure how to progress beyond that. So I think the API owner can now > re-evaluate. > > Arthur @arthursonzogni > > > On Thu, Nov 17, 2022 at 11:50 PM Rick Byers <rby...@chromium.org> wrote: > >> Discussed in the API owners meeting yesterday. It sounds like work is >> ongoing to fully resolve issue #5 >> <https://github.com/WICG/anonymous-iframe/issues/5> including a good >> discussion at WebAppSec WG yesterday (summary in the Mozilla standards >> position issue >> <https://github.com/mozilla/standards-positions/issues/628>). Arthur, >> let us know when you think decisions are captured sufficiently for API >> owners to re-evaluate. >> >> Thanks, >> Rick >> >> On Mon, Nov 14, 2022 at 11:22 AM Zheng Wei <zhen...@google.com> wrote: >> >>> Google Display Ads (GPT specifically) has tried the OT and is satisfied >>> with the feature's behavior. Looking forward to it! >>> >>> On Thursday, November 10, 2022 at 10:06:35 AM UTC-5 Smaug wrote: >>> >>>> On 11/10/22 10:33, 'Arthur Sonzogni' via blink-dev wrote: >>>> > Hi blink-dev, >>>> > >>>> > * >>>> > * >>>> > >>>> > We decided to address issue #5 < >>>> https://github.com/WICG/anonymous-iframe/issues/5>: “rename anonymous >>>> iframe into iframe credentialless”. We will >>>> > rename <iframe anonymous>to <iframe credentialless>. >>>> > >>>> > For this adjustment to take place, the new plan is to ship in M110 >>>> instead of M109. We do not think the origin trial will need to be extended, >>>> since >>>> > partners have been or will be able to test up to M108. Therefore, >>>> there will be a gap between the original trial and launch version. >>>> > >>>> > However, renaming from anonymous to credentialless will not answer >>>> Mozilla's core argument. They believe that the feature would be best >>>> controlled via >>>> > multiple new sandbox flags. >>>> >>>> I don't think anyone from Mozilla has said that. What I have said is >>>> that the current way to control how iframes work is getting very >>>> complicated and >>>> the new attribute adds yet another mechanism. And if most of the users >>>> will use both sandbox and credentialless, understanding how those work >>>> together >>>> can be rather confusing. Also, credentialless isn't exposing the >>>> primitives itself, but some unique set of features. I'd rather see >>>> primitives to be >>>> exposed and other features built on top of them. >>>> >>>> >>>> -Olli >>>> >>>> >>>> We think it is much less ergonomic and makes the feature harder to >>>> explain to developers. The integration with sandbox >>>> > flags has challenging open questions around edge cases, as listed in >>>> this document >>>> > < >>>> https://github.com/WICG/anonymous-iframe/blob/main/mozilla-sandbox-proposal.md>. >>>> >>>> > >>>> > * >>>> > * >>>> > >>>> > Considering this, we think the current solution is a better one. We >>>> have feedback from partners that it solves their needs. Considering that we >>>> have >>>> > no clear feedback Mozilla would be interested in implementing >>>> anonymous iframes even if they were spelled as sandbox flags, we believe we >>>> should ship >>>> > with what we have implemented. >>>> > >>>> > >>>> > -- >>>> > You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> > To unsubscribe from this group and stop receiving emails from it, >>>> send an email to blink-dev+...@chromium.org >>>> > <mailto:blink-dev+...@chromium.org>. >>>> > To view this discussion on the web visit >>>> > >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GDYwk7ohTD4Eq2TW43hU%3DrHfXsx2V7%2BVK%3DHdKNd02-TA%40mail.gmail.com >>>> > < >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GDYwk7ohTD4Eq2TW43hU%3DrHfXsx2V7%2BVK%3DHdKNd02-TA%40mail.gmail.com?utm_medium=email&utm_source=footer>. >>>> >>>> >>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY_q53fj%2BKGD0sVBkPR8waqq9CwZzp9w9FLLwq-UryGY7w%40mail.gmail.com.
