Thanks for the update Daniel, good luck!

In case others, like me, have missed or forgotten the long history of this
difficult deprecation and what it means for web developers, this blog post
is a good summary
<https://developer.chrome.com/blog/immutable-document-domain/>. One
critical thing it doesn't mention, but probably should, is that the
OriginAgentClusterDefaultEnabled enterprise policy
<https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled>
can also be used to revert the default on managed devices (though it looks
like the launching milestone needs to be updated there too).

Rick

On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim' via blink-dev <
blink-dev@chromium.org> wrote:

> Hello all,
>
> We've now handled the bugs we've discovered, and I would like to make
> another attempt at launching. I'll follow the plan that was approved here,
> but two milestones later: Launch to 50% beta in M111 (or late M110, if I
> can still catch a bit of that release cycle), and then ramp on stable once
> M112 is out.
>
>
> On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim <vogelh...@google.com>
> wrote:
>
>> Hello all,
>>
>> An update: Unfortunately we have discovered a bug with this feature, just
>> as I was getting ready to enable it. The bug also affects pages that
>> have not even set document.domain. Since I have now missed a substantial
>> portion of the 109 beta cycle I'd like to delay the roll out once more, and
>> shift it by one milestone (or two; depending on when everything is fixed).
>>
>> On the positive side: Recently the last of the previously identified
>> big document.domain users, that together accounted for about 50% of
>> remaining usage, has dropped their usage. So current usage is lower than
>> previously reported. See the usage dip around late November at
>> deprecate.it (1st graph).
>>
>> On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor <miketa...@chromium.org>
>> wrote:
>>
>>> LGTM3
>>>
>>> On 11/10/22 11:18 AM, Chris Harrelson wrote:
>>>
>>> LGTM2
>>>
>>> On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>>>
>>>> LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 or
>>>> M109, and carefully roll this out for M110, once it hits stable.
>>>>
>>>> On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim <vogelh...@google.com>
>>>> wrote:
>>>>
>>>>> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor <miketa...@chromium.org>
>>>>> wrote:
>>>>>
>>>>>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
>>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> The approval for the Intent To Ship for Origin Isolation By Default
>>>>>> / Deprecate document.domain
>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>
>>>>>> asks for a separate intent for the actual default change
>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>.
>>>>>> This is that separate intent.
>>>>>>
>>>>>> A summary of what happened so far:
>>>>>>
>>>>>> - Shipping Origin Isolation by Default (and thereby deprecating
>>>>>> document.domain) has security benefits, but compatibility risk.
>>>>>>
>>>>>> - We added warnings to the developer console and issues panel,
>>>>>> published a blog post, and engaged in direct outreach. This has resulted
>>>>>> in substantial, measurable reduction of usage. Some sites keep using
>>>>>> document.domain, but have mitigated the deprecation with other means.
>>>>>> This makes the risk difficult to measure.
>>>>>>
>>>>>> - Sampling of sites with document.domain usage and manual inspection
>>>>>> yields a potential breakage estimate at ~0.015% of page views.
>>>>>>
>>>>>> What we're asking for here is:
>>>>>>
>>>>>> - Enable the feature at 50% for beta (+ dev + canary) during M109, as
>>>>>> a "last call" for web site authors.
>>>>>>
>>>>>> This sounds like a good idea. Is there any reason we couldn't go to
>>>>>> 50% in M108 as well (or are you trying to avoid breakage over the winter
>>>>>> holidays)?
>>>>>>
>>>>> No reason. I'd be happy to go to beta as soon as I receive the lgtms.
>>>>> I had conservatively budgeted that to be 109. :-)
>>>>>
>>>>>
>>>>>> Another question: do we have enterprise policies available for this
>>>>>> change?
>>>>>>
>>>>>
>>>>> Yes; the policy is here: OriginAgentClusterDefaultEnabled
>>>>> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>
>>>>>
>>>>>
>>>>>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from today)
>>>>>>
>>>>>>
>>>>>> ------------------------
>>>>>>
>>>>>> Contact emails v...@chromium.org, vogelh...@chromium.org
>>>>>> Specification Explainer:
>>>>>> https://github.com/mikewest/deprecating-document-domain
>>>>>> HTML Spec draft:
>>>>>> https://github.com/whatwg/html/compare/main...otherdaniel:dd
>>>>>> API spec Yes
>>>>>> Summary
>>>>>>
>>>>>> This is a follow-on to the Intent to Ship: Origin Isolation By
>>>>>> Default / Deprecate document.domain
>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>>>>> We'd like to ship this in M110, stable.
>>>>>>
>>>>>> Summary (of the underlying change)
>>>>>>
>>>>>> Change the default behavior of the Origin-Agent-Cluster: header /
>>>>>> document.domain settability.
>>>>>>
>>>>>> Presently, pages within Chromium have site-keyed agent clusters by
>>>>>> default, unless the Origin-Agent-Cluster: header is explicitly set to
>>>>>> true. This accommodates pages or frames which want to access each
>>>>>> other's state, despite being on different origins (but within a site).
>>>>>> This is fine for any pages that wish to do so, but because a page
>>>>>> *might* set document.domain later on, Chromium currently must use
>>>>>> site-keyed agent clusters for *all* pages by default even though the
>>>>>> overwhelming majority of pages do not ever make use of this
>>>>>> (mis-)feature. In turn, this requires Chromium to use sites as the
>>>>>> basis for renderer process isolation (via Site Isolation), which
>>>>>> exposes origins to same-site but cross-origin attacks involving
>>>>>> compromised renderer processes or the "Spectre" family of side-channel
>>>>>> attacks.
>>>>>>
>>>>>> This proposal changes the default behaviour of Origin-Agent-Cluster.
>>>>>> From a developer's point of view, the new default matches
>>>>>> "Origin-Agent-Cluster: ?1". The initial implementation will use
>>>>>> origin-keyed agent clusters for all (non-opted out) origins, without
>>>>>> changing how many processes Chromium creates. Over time, we can then
>>>>>> adapt Chromium's isolation strategy towards origin-keyed processes
>>>>>> without further affecting web-visible behaviour.
>>>>>>
>>>>>> The developer-visible aspect of this is that for pages with
>>>>>> origin-keyed agent clusters, document.domain is no longer settable. Thus,
>>>>>> we have marked this intent as a deprecation.
>>>>>>
>>>>>> Note that this proposal is about the default. Both modes - site-keyed
>>>>>> or origin-keyed agent clusters - remain available to any site, but
>>>>>> origin-keyed agent clusters change from opt-in to opt-out. The current
>>>>>> behaviour remains available by setting "Origin-Agent-Cluster: ?0".
>>>>>> Blink component Blink>SecurityFeature
>>>>>> TAG review https://github.com/w3ctag/design-reviews/issues/564
>>>>>> Risks: Interoperability and Compatibility
>>>>>>
>>>>>> There are compatibility risks, which we have reduced with outreach
>>>>>> and warnings, and we want to mitigate further by launching at 50% of beta
>>>>>> first. An extended discussion of the risk (including attempts at
>>>>>> quantitative assessment) can be found in the original intent to ship
>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>>>>>
>>>>>> Gecko: Standards position request
>>>>>> <https://github.com/mozilla/standards-positions/issues/601>. ("Worth
>>>>>> prototyping")
>>>>>>
>>>>>> WebKit:
>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html
>>>>>> (No signals.)
>>>>>>
>>>>>> Web developers: No signals.
>>>>>>
>>>>>> Activation - Deprecation plan
>>>>>> M109: Enable "Origin Agent Cluster by Default" for 50% of page loads
>>>>>> on beta, dev, and canary.
>>>>>>
>>>>>> M110: Enable "Origin Agent Cluster by Default" on stable.
>>>>>>
>>>>>> Security This change should be security-positive, since setting
>>>>>> document.domain will not have any impact on the origin of the document
>>>>>> any more.
>>>>>> Debuggability A deprecation warning has been added to DevTools
>>>>>> console and to the issues panel in M98. This warning will file a
>>>>>> deprecation report as well using the Reporting API, if so configured.
>>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes
>>>>>> Is this feature fully tested by web-platform-tests
>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>>>>>> This is covered by Origin-keyed Agent Cluster tests
>>>>>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>.
>>>>>> Tracking bug https://crbug.com/1139851
>>>>>> Launch bug https://crbug.com/1246823
>>>>>> Link to entry on the Chrome Platform Status
>>>>>> https://chromestatus.com/feature/5428079583297536 (document.domain
>>>>>> setter deprecation)
>>>>>> https://chromestatus.com/features/5683766104162304 (Origin-keyed
>>>>>> agent clusters)
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "blink-dev" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to blink-dev+unsubscr...@chromium.org.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com
>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>> .
>
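
The default change described in the quoted intent can be modelled to triage which pages are affected. This is an added example, not part of the thread and not Chromium code: the function names and the sample inventory are assumptions, and header parsing is simplified to a bare `?1` / `?0` boolean.

```javascript
// Added example; not Chromium code. Function names and sample data are assumptions.

// Simplified parse: only a bare structured-field boolean (?1 / ?0) counts.
// Anything else ("true", "1", missing) is treated as if no header was sent.
function parseOriginAgentCluster(value) {
  const v = typeof value === "string" ? value.trim() : "";
  if (v === "?1") return true;
  if (v === "?0") return false;
  return null;
}

// originKeyedByDefault = false models the old default (or the default reverted
// by the OriginAgentClusterDefaultEnabled policy); true models the new default.
function agentClusterKey(headerValue, originKeyedByDefault) {
  const explicit = parseOriginAgentCluster(headerValue);
  return (explicit === null ? originKeyedByDefault : explicit) ? "origin" : "site";
}

// Flag pages whose document.domain setter works today but stops working
// once origin-keyed agent clusters become the default.
function auditResponses(responses) {
  return responses.map((r) => {
    const before = agentClusterKey(r.originAgentCluster, false);
    const after = agentClusterKey(r.originAgentCluster, true);
    return {
      url: r.url, before, after,
      documentDomainBreaks: r.setsDocumentDomain && before === "site" && after === "origin",
    };
  });
}

// Constructed inventory (hypothetical hosts), e.g. from a crawl of response headers.
const SAMPLE = [
  { url: "https://app.example.com/", originAgentCluster: undefined, setsDocumentDomain: true },
  { url: "https://legacy.example.com/", originAgentCluster: "?0", setsDocumentDomain: true },
  { url: "https://pay.example.com/", originAgentCluster: "?1", setsDocumentDomain: false },
  { url: "https://cdn.example.com/", originAgentCluster: "true", setsDocumentDomain: true },
  { url: "https://blog.example.com/", originAgentCluster: undefined, setsDocumentDomain: false },
];

for (const row of auditResponses(SAMPLE)) {
  console.log(row.url, row.before, "->", row.after,
    row.documentDomainBreaks ? "document.domain setter stops working" : "ok");
}
```

In a live page, `window.originAgentCluster` reports the keying the browser actually applied.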
