>
> For these visual elements, are there any common threads that you could
> notice? E.g. Any common 3P providers?
>

 In all cases I've seen, these are 1P requests of the form
https://foo.example to https://api.foo.example/api/v1/blah. I've not found
many sites with these visual element impacts, so I've been trying
to contact them. So far with no luck.

I guess the same question also applies to the non-visual breakage. (you
> mentioned analytics and personalization providers)


These account for the majority of the cases I found, and all but 2 of them
are 1P.

I have identified two cases of 3P which are quite relevant, and have just
made contact with them. I will provide an update once I receive feedback.


On Thu, Mar 30, 2023 at 1:35 AM Yoav Weiss <yoavwe...@chromium.org> wrote:

>
>
> On Wed, Mar 29, 2023 at 11:01 AM Yoav Weiss <yoavwe...@chromium.org>
> wrote:
>
>>
>>
>> On Wed, Mar 29, 2023 at 10:32 AM Javier Garcia Visiedo <
>> visi...@chromium.org> wrote:
>>
>>> Thank you for your quick reply Yoav,
>>>
>>> Please find my answers inline.
>>>
>>>
>>> On Wednesday, March 29, 2023 at 4:35:32 PM UTC+9 Yoav Weiss wrote:
>>>
>>> Thank you so much, Javier! :) That's some great analysis!
>>>
>>> On Wed, Mar 29, 2023 at 7:51 AM Javier Garcia Visiedo <
>>> visi...@chromium.org> wrote:
>>>
>>> Hi all,
>>>
>>> Please find the summary of my findings, after analyzing the UKM data.
>>>
>>> Currently, the UKM data shows 2,087 distinct domains (eTLD+1) sending a
>>> wildcard for ACAH and/or ACAO in response to a credentialled request. The
>>> UKM data is not good at showing events over time, but the use counter
>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3873>
>>> indicates the feature use is currently at 0.12% of total page loads, and
>>> the monthly average of page loads has been steadily increasing since the
>>> introduction of the use counter.
>>>
>>> Out of the 2,087 domains found in the UKM, the top one accounts for
>>> 39.24% of the total navigations in the UKM (54% within top 20 sites), using
>>> this feature. The user experience is not visibly impacted for this site, as
>>> CORS is blocking calls to a publisher.Ads are displayed properly, so
>>> apparently the blocked calls are impacting some kind of targeted ads API.
>>> This site came into the data set for the first time in March 2023, and it’s
>>> very popular, so we expect to observe a big bump on the use counter from
>>> now on. This site is an outlier in terms of traffic volume, compared to
>>> other sites present in the UKM, and given the lack of Ux impact we decided
>>> to exclude it from the analysis presented below, to get a better
>>> representation for the rest of the sites.
>>>
>>> Excluding the top site, we tested the next top 20 domains in number of
>>> navigations using this feature, accounting for 42% of the total navigation
>>> in the UKM. In addition to this, we sampled the long tail for 11 more sites
>>> randomly, for an additional 3,4% of the total navigation in the UKM.
>>>
>>> Extrapolating data from the sampling, we classified sites in the
>>> following categories:
>>>
>>>    -
>>>
>>>    No Ux impact: 94.85% of the navigations are free from visible user
>>>    experience impacts. In most cases, CORS policy is blocking calls to
>>>    personalization or analytics APIs.
>>>
>>>
>>> "CORS policy" here refers to the status quo before this feature ships?
>>>
>>>
>>> No, these calls are blocked when activating the feature
>>>
>>
>> Oh, ok. So these may have invisible breakage, that results in some
>> ancillary service failure, but that users are unlikely to notice.
>>
>
>>
>>>
>>>
>>>
>>>
>>>
>>>    -
>>>
>>>    Impact to critical functionality, overall experience, log-in, etc.:
>>>    2.6%
>>>    -
>>>
>>>    Impact to ancillary elements being blocked by CORS policy, such as
>>>    ads or widgets not essential to the overall page functionality: 2.55%
>>>
>>> Putting these numbers in context of the total page loads reported by the
>>> use counter, 0,0062% of the total page loads experience some UX regression
>>> due to the introduction of this feature. Of these, 0,0031% was unusable.
>>>
>>> We reached out to the site owners with Ux impacts, and we were able to
>>> confirm that 100% of the sites identified to have critical impact have
>>> already migrated out of this feature.
>>>
>>> That's a bit higher than what we're typically comfortable with, but it's
>>> great to hear that sites you reach out to react quickly.
>>> How much of that impact was in the top 20 (where we can reasonably reach
>>> out) vs. the long tail (where it'd be significantly harder to communicate
>>> things beyond deprecation logs and reports)?
>>>
>>>
>>> For sites with high impact (already addressed) 100% were found in the
>>> top 20.
>>>
>>
>> That's very reassuring, thanks!
>>
>>
>>> For sites where some visual elements are blocked, 55% (1.48% of total
>>> navigations registered in the UKM for this feature) are part of the top 20,
>>> 45% in the long tail, with 1.07% of total navigations in the UKM.
>>>
>>
> For these visual elements, are there any common threads that you could
> notice? E.g. Any common 3P providers?
> I guess the same question also applies to the non-visual breakage. (you
> mentioned analytics and personalization providers)
>
>
>
>>
>>>
>>> Happy to further clarify the data if needed.
>>>
>>> Thanks
>>> Javier
>>>
>>> On Wednesday, July 13, 2022 at 2:49:30 PM UTC+9 Yoav Weiss wrote:
>>>
>>> Hey Javier!
>>>
>>> The benefits of UKM is that it can give us a list of URLs that have some
>>> breakage potential. The laternative is to cross the usecounter with
>>> HTTPArchive data, but that has a strong bias towards homepages, so may miss
>>> a lot of pages that require a login and are not the homepage. With a more
>>> accurate list of URLs, we'd be able to better assess the usage and
>>> potential breakage.
>>>
>>> Cheers :)
>>> Yoav
>>>
>>> On Wed, Jul 13, 2022 at 3:52 AM Javier Garcia Visiedo <
>>> visi...@chromium.org> wrote:
>>>
>>> Hi,
>>> I am starting a UKM collection review to opt in the existing use counter
>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3873>
>>> into an UKM. Sorry if my question is too naive, I just wanted to understand
>>> what benefits would the UKM add over the existing use counter? Or is it the
>>> intention to add additional metrics to it? Thanks!
>>> Cheers
>>> Javier
>>>
>>>
>>> On Thursday, January 27, 2022 at 1:33:19 AM UTC+9 Chris Harrelson wrote:
>>>
>>> Hi, just checking in on this intent. From the API owners' perspective,
>>> we're going to wait for the UKM, thanks.
>>>
>>> On Wed, Jan 12, 2022 at 7:41 AM Yutaka Hirano <yhir...@chromium.org>
>>> wrote:
>>>
>>> Hi Yoav,
>>>
>>> Thank you for the suggestions. I'll try to add UKM.
>>>
>>> > One other question that came up: Is the usage related to developers
>>> adding the "Authorization" header on their own, or is it something the
>>> browser sends under certain circumstances? (e.g. when receiving 401
>>> responses with "WWW-Autenticate" headers)
>>>
>>> This is only for authorization headers set by scripts (via fetch() and
>>> XHR). Authorization headers the browser attaches are out of scope.
>>>
>>> On Thu, Jan 6, 2022 at 2:15 AM Yoav Weiss <yoavwe...@chromium.org>
>>> wrote:
>>>
>>> Hey Yutaka!
>>>
>>> We discussed this at the API owners meeting today (Daniel, Chris, Alex,
>>> MikeT and myself).
>>> It seems like the risk here is too high to remove support as is, and a
>>> reasonable next step may be to add the metric to UKM and get a more
>>> detailed view of which sites are using it and how. That would enable us to
>>> better assess breakage, and reach out to those sites to reduce current
>>> usage until potential breakage reaches acceptable levels.
>>>
>>> One other question that came up: Is the usage related to developers
>>> adding the "Authorization" header on their own, or is it something the
>>> browser sends under certain circumstances? (e.g. when receiving 401
>>> responses with "WWW-Autenticate" headers)
>>> Would renaming the headers used in such authentication protocols be a
>>> useful alternative to consider? I'm guessing that doing that would require
>>> server changes as well, so won't necessarily help with cases of existing
>>> content, but may help to move newer auth flows to make safer CORS choices.
>>>
>>> Cheers :)
>>> Yoav
>>>
>>> On Thursday, December 9, 2021 at 12:17:40 PM UTC+1 Yutaka Hirano wrote:
>>>
>>> We've been showing a deprecation message since 94
>>> <https://chromiumdash.appspot.com/commit/9a817d69a132822ddf2954120e96a3efa2290071>.
>>> Sadly the deprecation message hasn't decreased the usage so far.
>>>
>>> On Thu, Dec 9, 2021 at 1:52 AM Mike West <mk...@chromium.org> wrote:
>>>
>>> From my perspective, it's a bit worrying that you found user-visible
>>> breakage in a random sampling of the otherwise small number of sites that
>>> fall into this category. As Yoav suggested, there's some additional
>>> likelihood that we're not seeing some breakage that requires sign-in. It
>>> might be worthwhile to raise a deprecation warning for this behavior, and
>>> remove it after giving developers some time to adjust, perhaps with an
>>> enterprise policy for good measure. I'd be happy with a 3-release timeline,
>>> with removal thereafter. That might drive the usage down to the point where
>>> we can reasonably remove it. If it doesn't, we might need to do some more
>>> research (wiring this counter up to UKM, for instance) to see if we can
>>> track down more clear sources of potential breakage.
>>>
>>> -mike
>>>
>>> On Thursday, December 2, 2021 at 6:56:40 AM UTC+1 Yutaka Hirano wrote:
>>>
>>> On Thu, Dec 2, 2021 at 12:29 AM Yoav Weiss <yoavwe...@chromium.org>
>>> wrote:
>>>
>>>
>>>
>>> On Wed, Dec 1, 2021 at 4:00 PM Yutaka Hirano <yhir...@chromium.org>
>>> wrote:
>>>
>>> Sorry for the delay!
>>>
>>> I checked 10 sites. I saw console errors in three sites among them:
>>>  1. https://cchatty.com/
>>>  2. https://techrxiv.org/
>>>  3. https://bodyshake.com/
>>>
>>> I only see a visible breakage in 1 (cards in the main panel are
>>> invisible). On other sites I don't see any visible differences.
>>> Please note that this feature is related to authorization so it is
>>> likely to break things when signing in.
>>>
>>>
>>> So it's possible that the breakage only occurs for logged in users, and
>>> is not something you'd be able to see when spot checking their homepage?
>>>
>>>
>>> Yeah, I think so.
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Dec 1, 2021 at 8:11 PM Yoav Weiss <yoavwe...@chromium.org>
>>> wrote:
>>>
>>> Friendly ping on Chris' question
>>>
>>> On Thursday, November 4, 2021 at 8:31:36 PM UTC+1 Chris Harrelson wrote:
>>>
>>> Would it be feasible to get a random list of 10-20 sites that hit the
>>> use counter and see if they are broken badly by this feature?
>>>
>>> On Thu, Nov 4, 2021 at 4:54 AM Yutaka Hirano <yhir...@chromium.org>
>>> wrote:
>>>
>>> (friendly ping)
>>>
>>> On Mon, Nov 1, 2021 at 1:57 PM Yutaka Hirano <yhir...@chromium.org>
>>> wrote:
>>>
>>> Thank you for the feedback.
>>>
>>> Do you have concrete steps for the investigation in your mind?
>>>
>>> On Fri, Oct 29, 2021 at 4:30 AM Mike West <mk...@chromium.org> wrote:
>>>
>>> I think it's reasonable for us to dig into the data a little bit to
>>> determine whether the 0.04% number quoted above will result in user-facing
>>> breakage. Yutaka, is that something you'd be willing to dig into?
>>>
>>> The direction seems philosophically correct to me, so I'd like to see it
>>> ship, but I'd also like to make sure we're not making the web worse for
>>> users by doing so.
>>>
>>> -mike
>>>
>>>
>>> On Thu, Oct 21, 2021 at 12:04 PM Yutaka Hirano <yhir...@chromium.org>
>>> wrote:
>>>
>>>
>>>
>>> On Thu, Oct 21, 2021 at 6:25 PM Yoav Weiss <yoavwe...@chromium.org>
>>> wrote:
>>>
>>>
>>>
>>> On Thu, Oct 21, 2021 at 9:55 AM Yutaka Hirano <yhir...@chromium.org>
>>> wrote:
>>>
>>> (The implementation CL
>>> <https://chromium-review.googlesource.com/c/chromium/src/+/3226283> is
>>> under review. This intent is written as if it's landed.)
>>>
>>> Contact emailsyhir...@chromium.org
>>>
>>> Specificationhttps://fetch.spec.whatwg.org/#cors-non-wildcard-request-
>>> header-name
>>>
>>> Summary
>>>
>>> A CORS non-wildcard request header[1] is an HTTP request header which is
>>> not covered by the wildcard symbol ("*") in the
>>> access-control-allow-headers header. "authorization" is the only member of
>>> CORS non-wildcard request-header. Currently we treat the header as a usual
>>> header, which is problematic for security reasons. Implement it, and change
>>> the current behavior. 1: https://fetch.spec.whatwg.org/
>>> #cors-non-wildcard-request-header-name
>>>
>>>
>>> Blink componentBlink>SecurityFeature>CORS
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS>
>>>
>>> TAG reviewNot needed because this implements an existing feature.
>>>
>>> TAG review statusNot applicable
>>>
>>> Risks
>>>
>>>
>>> Interoperability and Compatibility
>>>
>>> Interoperability risk is low because Mozilla and Apple showed an intent
>>> to implement this behavior. There is some compatibility risk, as the use
>>> counter[2] shows 0.04% websites would be affected. To mitigate the risk,
>>> we've shown a deprecation message for a few milestones.
>>>
>>>
>>> Can you similarly send deprecation reports as well? How long have the
>>> deprecation messages been in place? Did we see any decline in the numbers?
>>>
>>> We've shown the deprecation message since Chrome 94
>>> <https://chromiumdash.appspot.com/commit/9a817d69a132822ddf2954120e96a3efa2290071>
>>>  whose
>>> beta promotion was on Aug 26 and stable release was on Sep 21.
>>> We use CountDeprecation which sends deprecation reports automatically
>>> IIUC.
>>>
>>> I don't see any decline.
>>>
>>>
>>> Have we looked into which URLs are triggering this? (and if it's a few
>>> medium-sized properties or many tiny ones)
>>>
>>>
>>> I haven't looked at the data.
>>>
>>> Did we try outreach?
>>>
>>> No.
>>>
>>>
>>> We have an enterprise policy so that administrators can keep the
>>> existing behavior. We're planning to remove the policy on Chrome 103. 2:
>>> https://www.chromestatus.com/metrics/feature/popularity#
>>> AuthorizationCoveredByWildcard
>>>
>>>
>>> Gecko: Positive Firefox showed a positive signal in a private thread.
>>>
>>> WebKit: Positive Apple showed a positive signal in a private thread.
>>>
>>> Web developers: No signals
>>>
>>>
>>> Debuggability
>>>
>>> We'll show a CORS error to the devtools console.
>>>
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>
>>> ?Yes
>>>
>>> Flag nameCorsNonWildcardRequestHeadersSupport
>>>
>>> Requires code in //chrome?False (or, True only for the enterprise
>>> policy.)
>>>
>>> Tracking bughttps://crbug.com/1176753
>>>
>>> Estimated milestones
>>>
>>> 97
>>>
>>> Link to entry on the Chrome Platform Statushttps://chromestatus.com/
>>> feature/5742041264816128
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit https://groups.google.com/a/
>>> chromium.org/d/msgid/blink-dev/CABihn6G2mzUAH_Ghrqmb1xM7XetfKgB%
>>> 3DMUkX0DED7yWbL4JfGg%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABihn6G2mzUAH_Ghrqmb1xM7XetfKgB%3DMUkX0DED7yWbL4JfGg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit https://groups.google.com/a/
>>> chromium.org/d/msgid/blink-dev/CABihn6GB-CbbCqx0VHa7%3DLoZr%2BZN-
>>> O7o7XwTGkxXEYQa9OfupQ%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABihn6GB-CbbCqx0VHa7%3DLoZr%2BZN-O7o7XwTGkxXEYQa9OfupQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+unsubscr...@chromium.org.
>>>
>>> To view this discussion on the web visit https://groups.google.com/a/
>>> chromium.org/d/msgid/blink-dev/CABihn6EqkidJF3mjfnztmMnKrEpb%
>>> 3DPTvW-kpW0s_bWCM%3DOXY8A%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABihn6EqkidJF3mjfnztmMnKrEpb%3DPTvW-kpW0s_bWCM%3DOXY8A%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMFgMgw_1WzXH6ewDJQk3bKrz%3DwdPzUp%2B7vRDKpMzeRK%2B43%3DUw%40mail.gmail.com.

Reply via email to