Contact emails
a...@chromium.org, mo...@chromium.org

Specification
https://www.w3.org/TR/webdatabase

Design docs
https://developer.chrome.com/blog/deprecating-web-sql
[Google Internal] https://docs.google.com/document/d/1bTj_nDqbdvE102sCm3KuwvN5c_HneLNPl9mmPeUjG4M/edit?usp=sharing
[Google Internal] https://docs.google.com/document/d/1CDdEO65pCIo60NM8CWHNNN7EunJ-wd8v1dGUxTOBJrM/edit?resourcekey=0-R0fxP199QQ-8gnMqzmQyrw

Summary
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. It was implemented in WebKit in 2008 and shipped in Chrome and Safari, on both desktop and mobile. Gecko and EdgeHTML never implemented this feature and WebKit unshipped it in 2019. The W3C encouraged those needing web databases to adopt Indexed Database.

Since its release, it has been incredibly difficult to keep our users secure. SQLite was not designed to run untrusted SQL statements, and yet with Web SQL we have to do exactly this. Keeping up with security and stability fixes dictates updating SQLite in Chromium and impacts the feature’s stability. In 2022 alone, we updated SQLite 11 times. This comes in direct conflict with Web SQL’s requirement of behaving exactly as SQLite 3.6.19, and with the lack of a SQL specification in Web SQL, we cannot make any such compatibility guarantees.

With SQLite WASM <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> as an effective replacement for web developers requiring a relational database, we would like to remove Web SQL entirely.

Target timeline
M101 - 123 - Enterprise Policy <https://chromeenterprise.google/policies/#WebSQLAccess>
M115 - Add deprecation message
M118-123 - Deprecation trial
M119 - Ship removal

Usage and Risk
Overall usage still shows a high percentage of 0.34% of page loads <https://chromestatus.com/metrics/feature/timeline/popularity/2962>, however our analysis has concluded that very little usage is for actual storage.

Through analyzing sites from HTTPArchives, we found a majority of its usage is from outdated incognito detection <https://stackoverflow.com/questions/48169810/how-to-detect-private-browsing-in-ios-11-safari-as-well-as-older-versions-of-sa> (e.g. Criteo <https://static.criteo.net/js/ld/ld.js>, Reddit <https://gist.github.com/ayuishii/b64b9c41152940089f8ac480f82d4e3e>), and fingerprinting (e.g. Fingerprintjs <https://github.com/fingerprintjs/fingerprintjs>, evercookie <https://github.com/samyk/evercookie>).

There are JS storage libraries that became popular around the time that Web SQL was introduced which use the feature. Oftentimes their usage is part of a fallback chain, where on modern browsers other storage technologies like localStorage or IndexedDB would be chosen before Web SQL. Examples of such libraries are localForage <https://github.com/localForage/localForage>, cordova-sqlite-storage <https://github.com/storesafe/cordova-sqlite-storage>, Sencha Touch <https://docs.sencha.com/touch/2.4/2.4.2-apidocs/#!/api/Ext.data.proxy.Sql>. Many, like localForage and cordova-sqlite-storage, gate its usage on feature detection due to its availability only on Chromium browsers. However older versions of Sencha Touch look as though they may not have been gated. Sencha Touch has since removed its SQL feature which depends on Web SQL in their version released in 2015 <https://docs.sencha.com/extjs/6.0.0/guides/upgrades_migrations/modern_upgrade_guide.html#upgrades_migrations-_-modern_upgrade_guide_-_ext_data_proxy_sql_has_been_removed>.

Our conclusion from our HTTPArchives analysis <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.tmke6f1n07cr> is that we were only able to identify one site that is not gated by feature detection, and one site with significant breakage. We’ve notified open source libraries of Web SQL deprecation, and plan to reach out to site owners we’ve classified as breakage.

Analyzing extensions usage, we’ve identified 74% of extensions that use Web SQL <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.rxdibl42y942> are from JS storage libraries like localForage <https://github.com/localForage/localForage> and cordova-sqlite-storage <https://github.com/storesafe/cordova-sqlite-storage>. However there were a higher number of usages that rely on Web SQL heavily <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.hrkiilgxtp1y>, and many that are not gated by feature detection <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.vw9prsbuovyq> as well. We have identified these extensions and plan to contact the developers on this deprecation.

Further analysis for the web platform and extensions can be found in our public facing Web SQL usage analysis doc <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit?usp=sharing>.

For those that would need to migrate, we expect a significant amount of work will be required. Therefore we would like to show deprecation messages early, and make a long deprecation trial available to allow developers to plan for their migration before full removal. We’ve provided steps for testing Web SQL removal for a website <https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing>, and a guide to SQLite WASM <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> and for migrating a database <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> for developers to follow to start their migration.

Communications
What we’ve done so far:
- Worked with internal partners to move major products off of Web SQL (Completed in 2022)
- Communicated to edu/enterprise partners of its planned removal (Aug, 2022)
  - No usages found from this process
- Communicated with known external partners using Web SQL on its planned removal
  - All on board with migrating to WASM + SQLite
- Published an article on the state of Web SQL and its deprecation <https://developer.chrome.com/blog/deprecating-web-sql/> (Aug, 2022)
- Published an article on its recommended replacement, SQLite WASM <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> (Jan, 2023)
- Removed Web SQL in third party contexts in M97
- Removed Web SQL in non-secure contexts in M110
- Published an article for migrating a database from Web SQL to SQLite Wasm <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> (Mar, 2023)
- [InProgress] Communicate to identified developers in extensions / HTTPArchives usage

Related Intents
Intent to Deprecate and Remove Web SQL in 3rd Party Contexts <https://groups.google.com/a/chromium.org/g/blink-dev/c/TM6YDx1Hh08>
Intent to Deprecate and Remove Web SQL in Non-Secure contexts <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/xdcl4yc8Ihk>

Blink component
Blink>Storage>Web SQL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3EWebSQL>

Search tags
Web SQL <https://chromestatus.com/features#tags:websql>

Risks

Interoperability and Compatibility
Removing Web SQL will align Chromium based browser behavior to all other browser engines. Currently Chromium is the only browser engine that supports Web SQL. Because of this, most websites gate the usage of Web SQL by feature detection.

Gecko: N/A Never implemented
WebKit: Unshipped (https://github.com/WebKit/WebKit/commit/761bce943c0696a6bb93116eb0576ed07dbfdc65) Removed in 2019
Web developers: N/A

Security
Currently SQLite in Chromium is updated very frequently, sometimes in multiple consecutive milestones. The frequency is defined by stability or security issues found in the SQLite library. Bad security issues have historically surfaced such as Magellan 2.0 <https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/> that had been publicized in tech news in 2019, among others. The storage team needs to respond quickly to these issues, and update the library when issues are found with help from the SQLite team and Release and Security TPMs. Removing Web SQL will permanently remove the attack vector of malicious SQL statements.

WebView application risks
While we see a 0.02% usage on WebView, we are unable to verify the nature of this usage. However now that Deprecation Trials are supported for WebView, we think the risk of removal is significantly reduced.

Goals for Deprecation Trial
The goal for the deprecation trial is to allow for a 6 month window after removal to let developers remove their usage of Web SQL. We may extend this window depending on feedback from participating developers. Our recommendation is for developers to switch to SQLite compiled to WebAssembly backed by the Origin Private File System. We’ve published guidance for this migration <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> in our developer blog.

Debuggability
Planning to add a deprecation message in the console.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes, removal in all

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No (Web SQL tested in web_tests <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/storage/websql/>)

DevTrial instructions
Steps on how to test your site with Web SQL removed.
https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing

Flag name
web-sql-access

Requires code in //chrome?
False

Tracking bug
https://crbug.com/695592

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5134293578285056
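
The Usage and Risk section separates sites that gate Web SQL behind feature detection from sites that call it unconditionally. As an added example (not code from this email or from any library it names), the sketch below contrasts an ungated `openDatabase` call with a gated fallback chain. `env` stands in for `window`; all function names and environment objects are hypothetical and constructed for illustration.

```javascript
// Added illustration. `env` stands in for the browser's `window`; every name
// below is hypothetical and the environment objects are constructed samples.

// Ungated: throws TypeError as soon as openDatabase is no longer defined.
function openUngated(env) {
  return env.openDatabase('app', '1.0', 'app data', 2 * 1024 * 1024);
}

// localStorage can exist yet throw on write (disabled or full storage),
// so probe it with a real write instead of testing for the property.
function localStorageUsable(env) {
  try {
    env.localStorage.setItem('__probe__', '1');
    env.localStorage.removeItem('__probe__');
    return true;
  } catch (e) {
    return false;
  }
}

// Gated fallback chain: other storage first, Web SQL only if still present.
function selectBackend(env) {
  if (env.indexedDB) return 'indexeddb';
  if (localStorageUsable(env)) return 'localstorage';
  if (typeof env.openDatabase === 'function') return 'websql';
  return 'memory'; // non-persistent last resort
}

// True when fn(env) completes without throwing.
function survives(fn, env) {
  try { fn(env); return true; } catch (e) { return false; }
}

function fakeStore() {
  const m = new Map();
  return { setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}

// Constructed environments.
const legacyOnly = { openDatabase: () => ({ version: '1.0' }) };
const afterRemoval = { indexedDB: {}, localStorage: fakeStore() };
const writeBlocked = { localStorage: { setItem() { throw new Error('blocked'); } } };

console.log(selectBackend(legacyOnly), selectBackend(afterRemoval),
  selectBackend(writeBlocked), survives(openUngated, afterRemoval));
```

Running a site's storage initialisation against an environment shaped like `afterRemoval` is a quick way to see whether it depends on an ungated call before the removal ships.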