Hi all, 

Thanks for communicating the plans for this removal with this additional 
information. 

However, we still have two questions about this: 
- Does it mean that in M119 WebSQL will not be working by default, but it 
will still be possible to enable it back with this configuration setting? 
Would this be the case until M123? 
- Would it be possible to be more precise in terms of dates? Or is it still 
too early for this? 

Thanks a lot!

On Wednesday, May 3, 2023 at 7:08:22 PM UTC+2 Thomas Steiner wrote:

> Here's the PR that updates the removal timeline for the developer-facing 
> article: https://github.com/GoogleChrome/developer.chrome.com/pull/6187. 
>
> On Wed, May 3, 2023 at 11:46 AM Ayu Ishii <ay...@chromium.org> wrote:
>
>> Thank you for the review & approvals!
>> We will update the thread if there are changes to the timeline.
>>
>> Best,
>> Ayu
>>
>> On Wednesday, May 3, 2023 at 8:40:35 AM UTC-7 Mike West wrote:
>>
>>> LGTM3. Good luck with the launch, I've been excited about this for a while 
>>> and I'm looking forward to reducing our attack surface.
>>>
>>> -mike
>>>
>>>
>>> On Wed, May 3, 2023 at 3:21 PM Mike Taylor <mike...@chromium.org> wrote:
>>>
>>>> LGTM2 - kudos to the team for the very detailed compat and risk analysis, 
>>>> as well as proactively engaging in outreach. Good luck. :)
>>>> On 5/3/23 6:59 AM, Yoav Weiss wrote:
>>>>
>>>> LGTM1 
>>>>
>>>> Thanks for the detailed analysis. The rollout plan seems reasonable, and 
>>>> the low effective breakage gives me hope that this would stick.
>>>>
>>>> On Friday, April 28, 2023 at 10:26:20 PM UTC+2 Ayu Ishii wrote:
>>>>
>>>>> Contact emails ay...@chromium.org, mo...@chromium.org 
>>>>> Specification https://www.w3.org/TR/webdatabase
>>>>> Design docs
>>>>> https://developer.chrome.com/blog/deprecating-web-sql 
>>>>>
>>>>> [Google Internal] 
>>>>> https://docs.google.com/document/d/1bTj_nDqbdvE102sCm3KuwvN5c_HneLNPl9mmPeUjG4M/edit?usp=sharing
>>>>> [Google Internal] 
>>>>> https://docs.google.com/document/d/1CDdEO65pCIo60NM8CWHNNN7EunJ-wd8v1dGUxTOBJrM/edit?resourcekey=0-R0fxP199QQ-8gnMqzmQyrw
>>>>>
>>>>> Summary The Web SQL Database standard was first proposed in April 
>>>>> 2009 and abandoned in November 2010. It was implemented in WebKit in 2008 
>>>>> and shipped in Chrome and Safari, on both desktop and mobile. Gecko and 
>>>>> EdgeHTML never implemented this feature and WebKit unshipped it in 2019. 
>>>>> The W3C encouraged those needing web databases to adopt Indexed Database. 
>>>>> Since its release, it has been incredibly difficult to keep our users 
>>>>> secure. SQLite was not designed to run untrusted SQL statements, and yet 
>>>>> with Web SQL we have to do exactly this. Keeping up with security and 
>>>>> stability fixes dictates updating SQLite in Chromium and impacts the 
>>>>> feature’s stability. In 2022 alone, we updated SQLite 11 times. This comes
>>>>> in direct conflict with Web SQL’s requirement of behaving exactly as SQLite
>>>>> 3.6.19, and with the lack of a SQL specification in Web SQL, we cannot make
>>>>> any such compatibility guarantees.
>>>>> With SQLite WASM
>>>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>>>>> as an effective replacement for web developers requiring a relational
>>>>> database, we would like to remove Web SQL entirely.
>>>>>
>>>>> Target timeline
>>>>>
>>>>> M101 - 123 - Enterprise Policy 
>>>>> <https://chromeenterprise.google/policies/#WebSQLAccess>
>>>>>
>>>>> M115 - Add deprecation message
>>>>>
>>>>> M118-123  - Deprecation trial
>>>>>
>>>>> M119 - Ship removal
>>>>>
>>>>> Usage and Risk
>>>>>
>>>>> Overall usage still shows a high percentage of 0.34% of page loads 
>>>>> <https://chromestatus.com/metrics/feature/timeline/popularity/2962>, 
>>>>> however our analysis has concluded that very little usage is for actual 
>>>>> storage.
>>>>>
>>>>> Through analyzing sites from HTTPArchives, we found a majority of its 
>>>>> usage is from outdated incognito detection 
>>>>> <https://stackoverflow.com/questions/48169810/how-to-detect-private-browsing-in-ios-11-safari-as-well-as-older-versions-of-sa>
>>>>>  
>>>>> (e.g. Criteo <https://static.criteo.net/js/ld/ld.js>, Reddit 
>>>>> <https://gist.github.com/ayuishii/b64b9c41152940089f8ac480f82d4e3e>),  
>>>>> and fingerprinting (e.g. Fingerprintjs 
>>>>> <https://github.com/fingerprintjs/fingerprintjs>, evercookie 
>>>>> <https://github.com/samyk/evercookie>).
>>>>>
>>>>> There are JS storage libraries that became popular around the time 
>>>>> that Web SQL was introduced which use the feature. Oftentimes their usage 
>>>>> is part of a fallback chain, where on modern browsers other storage 
>>>>> technologies like localStorage or IndexedDB would be chosen before Web SQL.
>>>>> Examples of such libraries are localForage
>>>>> <https://github.com/localForage/localForage>, cordova-sqlite-storage
>>>>> <https://github.com/storesafe/cordova-sqlite-storage>, Sencha Touch
>>>>> <https://docs.sencha.com/touch/2.4/2.4.2-apidocs/#!/api/Ext.data.proxy.Sql>.
>>>>> Many, like localForage and cordova-sqlite-storage, gate its usage on
>>>>> feature detection due to its availability only on Chromium browsers.
>>>>> However older versions of Sencha Touch look as though they may not have
>>>>> been gated. Sencha Touch has since removed its SQL feature which depends on
>>>>> Web SQL in their version released in 2015
>>>>> <https://docs.sencha.com/extjs/6.0.0/guides/upgrades_migrations/modern_upgrade_guide.html#upgrades_migrations-_-modern_upgrade_guide_-_ext_data_proxy_sql_has_been_removed>.
>>>>>
>>>>> Our conclusion from our HTTPArchives analysis
>>>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.tmke6f1n07cr>
>>>>> is that we were only able to identify one site that is not gated by feature
>>>>> detection, and one site with significant breakage. We’ve notified open
>>>>> source libraries of Web SQL deprecation, and plan to reach out to site
>>>>> owners we’ve classified as breakage.
>>>>>
>>>>> Analyzing extensions usage, we’ve identified 74% of extensions that 
>>>>> use Web SQL 
>>>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.rxdibl42y942>
>>>>>  
>>>>> are from JS storage libraries like localForage 
>>>>> <https://github.com/localForage/localForage> and 
>>>>> cordova-sqlite-storage 
>>>>> <https://github.com/storesafe/cordova-sqlite-storage>. However there 
>>>>> were a higher number of usages that rely on Web SQL heavily 
>>>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.hrkiilgxtp1y>,
>>>>>  
>>>>> and many that are not gated by feature detection 
>>>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.vw9prsbuovyq>
>>>>>  
>>>>> as well. We have identified these extensions and plan to contact the 
>>>>> developers on this deprecation.
>>>>>
>>>>> Further analysis for the web platform and extensions can be found in 
>>>>> our public facing Web SQL usage analysis doc 
>>>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit?usp=sharing>
>>>>> .
>>>>>
>>>>> For those that would need to migrate, we expect a significant amount 
>>>>> of work will be required. Therefore we would like to show deprecation 
>>>>> messages early, and make a long deprecation trial available to allow 
>>>>> developers to plan for their migration before full removal. We’ve provided
>>>>> steps for testing Web SQL removal for a website
>>>>> <https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing>,
>>>>> and a guide to SQLite WASM
>>>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>>>>> and for migrating a database
>>>>> <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> for
>>>>> developers to follow to start their migration.
>>>>>
>>>>> Communications
>>>>>
>>>>> What we’ve done so far:
>>>>>
>>>>>    - Worked with internal partners to move major products off of Web
>>>>>      SQL (Completed in 2022)
>>>>>    - Communicated to edu/enterprise partners of its planned removal
>>>>>      (Aug, 2022)
>>>>>       - No usages found from this process
>>>>>    - Communicated with known external partners using Web SQL on its
>>>>>      planned removal
>>>>>       - All on board with migrating to WASM + SQLite
>>>>>    - Published an article on the state of Web SQL and its deprecation
>>>>>      <https://developer.chrome.com/blog/deprecating-web-sql/> (Aug, 2022)
>>>>>    - Published an article on its recommended replacement, SQLite WASM
>>>>>      <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>>>>>      (Jan, 2023)
>>>>>    - Removed Web SQL in third party contexts in M97
>>>>>    - Removed Web SQL in non-secure contexts in M110
>>>>>    - Published an article for migrating a database from Web SQL to
>>>>>      SQLite Wasm
>>>>>      <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/>
>>>>>      (Mar, 2023)
>>>>>    - [InProgress] Communicate to identified developers in extensions /
>>>>>      HTTPArchives usage
>>>>>    
>>>>>
>>>>> Related Intents
>>>>>
>>>>> Intent to Deprecate and Remove Web SQL in 3rd Party Contexts 
>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/TM6YDx1Hh08>
>>>>>
>>>>> Intent to Deprecate and Remove Web SQL in Non-Secure contexts 
>>>>> <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/xdcl4yc8Ihk>
>>>>>
>>>>> Blink component Blink>Storage>Web SQL 
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3EWebSQL>
>>>>> Search tags Web SQL <https://chromestatus.com/features#tags:websql>
>>>>> Risks
>>>>> Interoperability and Compatibility Removing Web SQL will align
>>>>> Chromium based browser behavior to all other browser engines. Currently
>>>>> Chromium is the only browser engine that supports Web SQL. Because of this,
>>>>> most websites gate the usage of Web SQL by feature detection.
>>>>> Gecko: N/A Never implemented
>>>>> WebKit: Unshipped (
>>>>> https://github.com/WebKit/WebKit/commit/761bce943c0696a6bb93116eb0576ed07dbfdc65)
>>>>>  
>>>>> Removed in 2019
>>>>> Web developers: N/A
>>>>>
>>>>> Security Currently SQLite in Chromium is updated very frequently,
>>>>> sometimes in multiple consecutive milestones. The frequency is defined by
>>>>> stability or security issues found in the SQLite library. Bad security
>>>>> issues have historically surfaced such as Magellan 2.0
>>>>> <https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/>
>>>>> that had been publicized in tech news in 2019, among others. The storage
>>>>> team needs to respond quickly to these issues, and update the library when
>>>>> issues are found with help from the SQLite team and Release and Security
>>>>> TPMs.
>>>>> Removing Web SQL will permanently remove the attack vector of
>>>>> malicious SQL statements.
>>>>> WebView application risks While we see a 0.02% usage on WebView, we
>>>>> are unable to verify the nature of this usage. However now that Deprecation
>>>>> Trials are supported for WebView, we think the risk of removal is
>>>>> significantly reduced.
>>>>> Goals for Deprecation Trial 
>>>>>
>>>>> The goal for the deprecation trial is to allow for a 6 month window 
>>>>> after removal to let developers remove their usage of Web SQL. We may 
>>>>> extend this window depending on feedback from participating developers. Our
>>>>> recommendation is for developers to switch to SQLite compiled to
>>>>> WebAssembly backed by the Origin Private File System. We’ve published
>>>>> guidance for this migration
>>>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>>>>> in our developer blog.
>>>>>
>>>>> Debuggability Planning to add a deprecation message in the console.
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes, removal in all
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>> No (Web SQL tested in web_tests
>>>>> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/storage/websql/>)
>>>>>
>>>>> DevTrial instructions Steps on how to test your site with Web SQL 
>>>>> removed.  
>>>>> https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing
>>>>>
>>>>> Flag name web-sql-access
>>>>> Requires code in //chrome? False
>>>>> Tracking bug https://crbug.com/695592 
>>>>>
>>>>> Link to entry on the Chrome Platform Status 
>>>>> https://chromestatus.com/feature/5134293578285056
>>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "blink-dev" group.
>>>>
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to blink-dev+...@chromium.org.
>>>>
>>>>
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org
>>>>  
>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>
>
> -- 
> Thomas Steiner, PhD—Developer Relations Engineer (https://blog.tomayac.com, https://twitter.com/tomayac)
>
> Google Germany GmbH, ABC-Str. 19, 20354 Hamburg, Germany
> Geschäftsführer: Paul Manicle, Liana Sebastian
> Registergericht und -nummer: Hamburg, HRB 86891
>
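The quoted intent's usage analysis turns on whether a site gates Web SQL behind feature detection. The contrast is sketched here as an added example that is not part of the thread or of any library named in it; the helper names are hypothetical and the plain objects are constructed stand-ins for `window` before and after removal.

```javascript
// Added example; helper names and the mock environments are constructed.
const DB_ARGS = ['app', '1.0', 'app data', 2 * 1024 * 1024];

// Ungated legacy pattern: calls Web SQL without checking that it exists.
// With the API removed, env.openDatabase is undefined and this throws.
function openUngated(env) {
  return env.openDatabase(...DB_ARGS);
}

// localStorage can exist yet reject writes, so probe it with a real write.
function localStorageWorks(env) {
  try {
    env.localStorage.setItem('__probe__', '1');
    env.localStorage.removeItem('__probe__');
    return true;
  } catch (err) {
    return false; // missing object (TypeError) or write refused
  }
}

// Gated fallback chain: modern storage first, Web SQL only when detected.
function selectStorage(env) {
  if (env.indexedDB && typeof env.indexedDB.open === 'function') return 'indexeddb';
  if (localStorageWorks(env)) return 'localstorage';
  if (typeof env.openDatabase === 'function') {
    try {
      if (env.openDatabase(...DB_ARGS)) return 'websql';
    } catch (err) {
      // Detected but unusable: fall through instead of breaking the page.
    }
  }
  return 'memory';
}

// Run both patterns against one environment and report what happens.
function compare(env) {
  let ungated;
  try {
    openUngated(env);
    ungated = 'ok';
  } catch (err) {
    ungated = err.name;
  }
  return { ungated, gated: selectStorage(env) };
}

// Constructed environments standing in for window before and after removal.
const beforeRemoval = { openDatabase: () => ({}) };
const afterRemoval = {};
```

Calling `compare(afterRemoval)` shows the ungated call failing with a `TypeError` while the gated chain degrades to its last fallback.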
