Thank you for the review & approvals! We will update the thread if there are changes to the timeline.
Best,
Ayu

On Wednesday, May 3, 2023 at 8:40:35 AM UTC-7 Mike West wrote:
> LGTM3. Good luck with the launch, I've been excited about this for a while and I'm looking forward to reducing our attack surface.
>
> -mike
>
> On Wed, May 3, 2023 at 3:21 PM Mike Taylor <miketa...@chromium.org> wrote:
>
>> LGTM2 - kudos to the team for the very detailed compat and risk analysis, as well as proactively engaging in outreach. Good luck. :)
>>
>> On 5/3/23 6:59 AM, Yoav Weiss wrote:
>>
>> LGTM1
>>
>> Thanks for the detailed analysis. The rollout plan seems reasonable, and the low effective breakage gives me hope that this would stick.
>>
>> On Friday, April 28, 2023 at 10:26:20 PM UTC+2 Ayu Ishii wrote:
>>
>>> Contact emails
>>> a...@chromium.org, mo...@chromium.org
>>>
>>> Specification
>>> https://www.w3.org/TR/webdatabase
>>>
>>> Design docs
>>> https://developer.chrome.com/blog/deprecating-web-sql
>>> [Google Internal] https://docs.google.com/document/d/1bTj_nDqbdvE102sCm3KuwvN5c_HneLNPl9mmPeUjG4M/edit?usp=sharing
>>> [Google Internal] https://docs.google.com/document/d/1CDdEO65pCIo60NM8CWHNNN7EunJ-wd8v1dGUxTOBJrM/edit?resourcekey=0-R0fxP199QQ-8gnMqzmQyrw
>>>
>>> Summary
>>> The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. It was implemented in WebKit in 2008 and shipped in Chrome and Safari, on both desktop and mobile. Gecko and EdgeHTML never implemented this feature and WebKit unshipped it in 2019. The W3C encouraged those needing web databases to adopt Indexed Database.
>>> Since its release, it has been incredibly difficult to keep our users secure. SQLite was not designed to run untrusted SQL statements, and yet with Web SQL we have to do exactly this. Keeping up with security and stability fixes dictates updating SQLite in Chromium and impacts the feature’s stability. In 2022 alone, we updated SQLite 11 times.
>>> This comes in direct conflict with Web SQL’s requirement of behaving exactly as SQLite 3.6.19, and with the lack of a SQL specification in Web SQL, we cannot make any such compatibility guarantees.
>>> With SQLite WASM <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> as an effective replacement for web developers requiring a relational database, we would like to remove Web SQL entirely.
>>>
>>> Target timeline
>>>
>>> M101 - 123 - Enterprise Policy <https://chromeenterprise.google/policies/#WebSQLAccess>
>>>
>>> M115 - Add deprecation message
>>>
>>> M118-123 - Deprecation trial
>>>
>>> M119 - Ship removal
>>>
>>> Usage and Risk
>>>
>>> Overall usage still shows a high percentage of 0.34% of page loads <https://chromestatus.com/metrics/feature/timeline/popularity/2962>, however our analysis has concluded that very little usage is for actual storage.
>>>
>>> Through analyzing sites from HTTPArchives, we found a majority of its usage is from outdated incognito detection <https://stackoverflow.com/questions/48169810/how-to-detect-private-browsing-in-ios-11-safari-as-well-as-older-versions-of-sa> (e.g. Criteo <https://static.criteo.net/js/ld/ld.js>, Reddit <https://gist.github.com/ayuishii/b64b9c41152940089f8ac480f82d4e3e>), and fingerprinting (e.g. Fingerprintjs <https://github.com/fingerprintjs/fingerprintjs>, evercookie <https://github.com/samyk/evercookie>).
>>>
>>> There are JS storage libraries that became popular around the time that Web SQL was introduced which use the feature. Oftentimes their usage is part of a fallback chain, where on modern browsers other storage technologies like localStorage or IndexedDB would be chosen before Web SQL.
>>> Examples of such libraries are localForage <https://github.com/localForage/localForage>, cordova-sqlite-storage <https://github.com/storesafe/cordova-sqlite-storage>, Sencha Touch <https://docs.sencha.com/touch/2.4/2.4.2-apidocs/#!/api/Ext.data.proxy.Sql>.
>>>
>>> Many, like localForage and cordova-sqlite-storage, gate its usage on feature detection due to its availability only on Chromium browsers.
>>> However older versions of Sencha Touch look as though they may not have been gated. Sencha Touch has since removed its SQL feature which depends on Web SQL in their version released in 2015 <https://docs.sencha.com/extjs/6.0.0/guides/upgrades_migrations/modern_upgrade_guide.html#upgrades_migrations-_-modern_upgrade_guide_-_ext_data_proxy_sql_has_been_removed>.
>>>
>>> Our conclusion from our HTTPArchives analysis <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.tmke6f1n07cr> is that we were only able to identify one site that is not gated by feature detection, and one site with significant breakage. We’ve notified open source libraries of Web SQL deprecation, and plan to reach out to site owners we’ve classified as breakage.
>>>
>>> Analyzing extensions usage, we’ve identified 74% of extensions that use Web SQL <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.rxdibl42y942> are from JS storage libraries like localForage <https://github.com/localForage/localForage> and cordova-sqlite-storage <https://github.com/storesafe/cordova-sqlite-storage>.
>>> However there were a higher number of usages that rely on Web SQL heavily <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.hrkiilgxtp1y>, and many that are not gated by feature detection <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.vw9prsbuovyq> as well. We have identified these extensions and plan to contact the developers on this deprecation.
>>>
>>> Further analysis for the web platform and extensions can be found in our public facing Web SQL usage analysis doc <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit?usp=sharing>.
>>>
>>> For those that would need to migrate, we expect a significant amount of work will be required. Therefore we would like to show deprecation messages early, and make a long deprecation trial available to allow developers to plan for their migration before full removal. We’ve provided steps for testing Web SQL removal for a website <https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing>, and a guide to SQLite WASM <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> and for migrating a database <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> for developers to follow to start their migration.
>>>
>>> Communications
>>>
>>> What we’ve done so far:
>>>
>>> - Worked with internal partners to move major products off of Web SQL (Completed in 2022)
>>> - Communicated to edu/enterprise partners of its planned removal (Aug, 2022)
>>>   - No usages found from this process
>>> - Communicated with known external partners using Web SQL on its planned removal
>>>   - All on board with migrating to WASM + SQLite
>>> - Published an article on the state of Web SQL and its deprecation <https://developer.chrome.com/blog/deprecating-web-sql/> (Aug, 2022)
>>> - Published an article on its recommended replacement, SQLite WASM <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> (Jan, 2023)
>>> - Removed Web SQL in third party contexts in M97
>>> - Removed Web SQL in non-secure contexts in M110
>>> - Published an article for migrating a database from Web SQL to SQLite Wasm <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> (Mar, 2023)
>>> - [InProgress] Communicate to identified developers in extensions / HTTPArchives usage
>>>
>>> Related Intents
>>>
>>> Intent to Deprecate and Remove Web SQL in 3rd Party Contexts <https://groups.google.com/a/chromium.org/g/blink-dev/c/TM6YDx1Hh08>
>>>
>>> Intent to Deprecate and Remove Web SQL in Non-Secure contexts <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/xdcl4yc8Ihk>
>>>
>>> Blink component
>>> Blink>Storage>Web SQL <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3EWebSQL>
>>>
>>> Search tags
>>> Web SQL <https://chromestatus.com/features#tags:websql>
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>> Removing Web SQL will align Chromium based browser behavior to all other browser engines. Currently Chromium is the only browser engine that supports Web SQL.
>>> Because of this, most websites gate the usage of Web SQL by feature detection.
>>> Gecko: N/A Never implemented
>>> WebKit: Unshipped (https://github.com/WebKit/WebKit/commit/761bce943c0696a6bb93116eb0576ed07dbfdc65) Removed in 2019
>>> Web developers: N/A
>>>
>>> Security
>>> Currently SQLite in Chromium is updated very frequently, sometimes in multiple consecutive milestones. The frequency is defined by stability or security issues found in the SQLite library. Bad security issues have historically surfaced such as Magellan 2.0 <https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/> that had been publicized in tech news in 2019, among others. The storage team needs to respond quickly to these issues, and update the library when issues are found with help from the SQLite team and Release and Security TPMs.
>>> Removing Web SQL will permanently remove the attack vector of malicious SQL statements.
>>>
>>> WebView application risks
>>> While we see a 0.02% usage on WebView, we are unable to verify the nature of this usage. However now that Deprecation Trials are supported for WebView, we think the risk of removal is significantly reduced.
>>>
>>> Goals for Deprecation Trial
>>>
>>> The goal for the deprecation trial is to allow for a 6 month window after removal to let developers remove their usage of Web SQL. We may extend this window depending on feedback from participating developers. Our recommendation is for developers to switch to SQLite compiled to WebAssembly backed by the Origin Private File System. We’ve published guidance for this migration <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> in our developer blog.
>>>
>>> Debuggability
>>> Planning to add a deprecation message in the console.
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>> Yes, removal in all
>>>
>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>> No (Web SQL tested in web_tests <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/storage/websql/>)
>>>
>>> DevTrial instructions
>>> Steps on how to test your site with Web SQL removed.
>>> https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing
>>>
>>> Flag name web-sql-access
>>> Requires code in //chrome? False
>>> Tracking bug https://crbug.com/695592
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/5134293578285056
>>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org?utm_medium=email&utm_source=footer>.
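The feature-detection gating and fallback chain described under "Usage and Risk", as an added example that is not part of the original thread or of any library named in it. The `env` objects are constructed stand-ins for `window`, and the function names and database arguments are assumptions.

```javascript
// Constructed stand-ins for `window`; not real browser objects.
const webStorageStub = { setItem() {}, removeItem() {} };
const legacyWebSqlOnly = { openDatabase: () => ({ transaction() {} }) };
const afterRemoval = { indexedDB: { open() {} }, localStorage: webStorageStub };
const webSqlBlocked = {
  // The Web SQL spec lets openDatabase throw when policy refuses access.
  openDatabase: () => { throw new Error('SecurityError (constructed)'); },
  localStorage: webStorageStub,
};

const DB_ARGS = ['app', '1.0', 'app data', 2 * 1024 * 1024]; // hypothetical values

// Ungated: calls openDatabase unconditionally. Where Web SQL is absent,
// the property is undefined and the call throws a TypeError.
function pickBackendUngated(env) {
  env.openDatabase(...DB_ARGS);
  return 'websql';
}

// Gated fallback chain: modern storage first, Web SQL only after feature
// detection, and every probe may fail without breaking the page.
function pickBackendGated(env) {
  if (env.indexedDB && typeof env.indexedDB.open === 'function') return 'indexeddb';
  if (typeof env.openDatabase === 'function') {
    try {
      env.openDatabase(...DB_ARGS);
      return 'websql';
    } catch (e) { /* present but refused: keep falling back */ }
  }
  if (env.localStorage) {
    try {
      env.localStorage.setItem('__probe', '1');
      env.localStorage.removeItem('__probe');
      return 'localstorage';
    } catch (e) { /* quota or access error: keep falling back */ }
  }
  return 'memory';
}

// Returns the error name a picker throws for `env`, or null if it succeeds.
function breakage(picker, env) {
  try { picker(env); return null; } catch (e) { return e.name; }
}

console.log('ungated after removal:', breakage(pickBackendUngated, afterRemoval));
console.log('gated after removal:', pickBackendGated(afterRemoval));
```

Running a site's own storage initialisation against an environment without `openDatabase` is the quickest way to tell which of the two patterns it follows.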