Hello all, it's been a while... The bug reports should now be resolved, and we'd like to have another go at this in the M115 milestone. That is: Remain at 50% on beta; starting with 115 ramp up on stable to 1% / 10% / 50% / 100%, every 14d. Let's hope it sticks this time.
Daniel On Fri, Mar 31, 2023 at 3:54 PM Daniel Vogelheim <vogelh...@google.com> wrote: > Hello all, I'm afraid I have to delay this a bit more. :( > > We have a bug report (tracked in crbug.com/1429587) that breaks existing > apps. The important thing here is that it does not break document.domain > setting and subsequent cross-origin access, but that instead -- if the > conditions are just right; or arguably just wrong -- the app can get into a > state where same-origin accesses are mistakenly blocked. Apparently an app > can get into a state where frames within the same page are inconsistently > assigned to agent clusters (i.e., frames in the same origin end up in > different processes), and thus subsequent accesses within that origin may > fail. > > My plan right now is to leave this on at 50% beta, but to not proceed to > any stable releases at any percentage. I'll update this thread when I have > a better handle on the bug and can suggest a good way to proceed. > > On Fri, Jan 20, 2023 at 5:12 PM Eiji Kitamura <agek...@google.com> wrote: > >> FYI, the enterprise bit has been added to the article. >> https://developer.chrome.com/blog/immutable-document-domain/ >> >> On Tue, Jan 17, 2023 at 1:21 AM Brandon Heenan <bhee...@google.com> >> wrote: >> >>> We'll make the update in the enterprise release notes too. Thanks for >>> keeping us in the loop >>> >>> On Mon, Jan 16, 2023 at 9:46 AM Rick Byers <rby...@chromium.org> wrote: >>> >>>> Thanks so much Eiji! >>>> >>>> On Mon, Jan 16, 2023 at 3:06 AM Eiji Kitamura <agek...@google.com> >>>> wrote: >>>> >>>>> I've updated the blog post >>>>> <https://developer.chrome.com/blog/immutable-document-domain/> stating >>>>> Chrome 111 is where we ship the feature, but looks like it's rolling out >>>>> through 111 and 112? >>>>> I'll update the blog post to mention >>>>> `OriginAgentClusterDefaultEnabled` enterprise policy. >>>>> >>>>> >>>>> On Sat, Jan 14, 2023 at 1:37 AM Rick Byers <rby...@chromium.org> >>>>> wrote: >>>>> >>>>>> Thanks for the update Daniel, good luck! >>>>>> >>>>>> In case others, like me, have missed or forgotten the long history of >>>>>> this difficult deprecation and what it means for web developers, this >>>>>> blog >>>>>> post is a good summary >>>>>> <https://developer.chrome.com/blog/immutable-document-domain/>. One >>>>>> critical thing it doesn't mention, but probably should, is that the >>>>>> OriginAgentClusterDefaultEnabled >>>>>> enterprise policy >>>>>> <https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled> >>>>>> can also be used to revert the default on managed devices (though it >>>>>> looks >>>>>> like the launching milestone needs to be updated there too). >>>>>> >>>>>> Rick >>>>>> >>>>>> On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim' via blink-dev < >>>>>> blink-dev@chromium.org> wrote: >>>>>> >>>>>>> Hello all, >>>>>>> >>>>>>> We've now handled the bugs we've discovered, and I would like to >>>>>>> make another attempt at launching. I'll follow the plan that was >>>>>>> approved >>>>>>> here, but two milestones later: Launch to 50% beta in M111 (or late >>>>>>> M110, >>>>>>> if I can still catch a bit of that release cycle), and then ramp on >>>>>>> stable >>>>>>> once M112 is out. >>>>>>> >>>>>>> >>>>>>> On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim < >>>>>>> vogelh...@google.com> wrote: >>>>>>> >>>>>>>> Hello all, >>>>>>>> >>>>>>>> An update: Unfortunately we have discovered a bug with this >>>>>>>> feature, just as I was getting ready to enable it. The bug also affects >>>>>>>> pages that have not even set document.domain. Since I have now missed a >>>>>>>> substantial portion of the 109 beta cycle I'd like to delay the roll >>>>>>>> out >>>>>>>> once more, and shift it by one milestone (or two; depending on when >>>>>>>> everything is fixed). >>>>>>>> >>>>>>>> On the positive side: Recently the last of the previously >>>>>>>> identified big document.domain users, that together accounted for >>>>>>>> about 50% >>>>>>>> of remaining usage, has dropped their usage. So current usage is lower >>>>>>>> than >>>>>>>> previously reported. See the usage dip around late November at >>>>>>>> deprecate.it (1st graph). >>>>>>>> >>>>>>>> On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor <miketa...@chromium.org> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> LGTM3 >>>>>>>>> >>>>>>>>> On 11/10/22 11:18 AM, Chris Harrelson wrote: >>>>>>>>> >>>>>>>>> LGTM2 >>>>>>>>> >>>>>>>>> On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108 >>>>>>>>>> or M109, and carefully roll this out for M110, once it hits stable. >>>>>>>>>> >>>>>>>>>> On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim < >>>>>>>>>> vogelh...@google.com> wrote: >>>>>>>>>> >>>>>>>>>>> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor < >>>>>>>>>>> miketa...@chromium.org> wrote: >>>>>>>>>>> >>>>>>>>>>>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hello all, >>>>>>>>>>>> >>>>>>>>>>>> The approval for the Intent To Ship for Origin Isolation By >>>>>>>>>>>> Default / Deprecate document.domain >>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> >>>>>>>>>>>> asks for a separate intent for the actual default change >>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>. >>>>>>>>>>>> This is that separate intent. >>>>>>>>>>>> >>>>>>>>>>>> A summary of what happened so far: >>>>>>>>>>>> >>>>>>>>>>>> - Shipping Origin Isolation by Default (and thereby deprecating >>>>>>>>>>>> document.domain) has security benefits, but compatibility risk. >>>>>>>>>>>> >>>>>>>>>>>> - We added warnings to the developer console and issues panel, >>>>>>>>>>>> published a blog post, and engaged in direct outreach. This has >>>>>>>>>>>> resulted in >>>>>>>>>>>> substantial, measurable reduction of usage. Some sites keep using >>>>>>>>>>>> document.domain, but have mitigated the deprecation with other >>>>>>>>>>>> means. This >>>>>>>>>>>> makes the risk difficult to measure. >>>>>>>>>>>> >>>>>>>>>>>> - Sampling of sites with document.domain usage and manual >>>>>>>>>>>> inspection yields a potential breakage estimate at ~0.015% of page >>>>>>>>>>>> views. >>>>>>>>>>>> >>>>>>>>>>>> What we're asking for here is: >>>>>>>>>>>> >>>>>>>>>>>> - Enable the feature at 50% for beta (+ dev + canary) during >>>>>>>>>>>> M109, as a "last call" for web site authors. >>>>>>>>>>>> >>>>>>>>>>>> This sounds like a good idea. Is there any reason we couldn't >>>>>>>>>>>> go to 50% in M108 as well (or are you trying to avoid breakage >>>>>>>>>>>> over the >>>>>>>>>>>> winter holidays)? >>>>>>>>>>>> >>>>>>>>>>> No reason. I'd be happy to go to beta as soon as I receive the >>>>>>>>>>> lgtms. I had conservatively budgeted that to be 109. :-) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> Another question: do we have enterprise policies available for >>>>>>>>>>>> this change? >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Yes; the policy is here: OriginAgentClusterDefaultEnabled >>>>>>>>>>> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from >>>>>>>>>>>> today) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> ------------------------ >>>>>>>>>>>> >>>>>>>>>>>> Contact emails v...@chromium.org, vogelh...@chromium.org >>>>>>>>>>>> Specification Explainer: >>>>>>>>>>>> https://github.com/mikewest/deprecating-document-domain HTML >>>>>>>>>>>> Spec draft: >>>>>>>>>>>> https://github.com/whatwg/html/compare/main...otherdaniel:dd >>>>>>>>>>>> API spec Yes >>>>>>>>>>>> Summary >>>>>>>>>>>> >>>>>>>>>>>> This is a follow-on to the Intent to Ship: Origin Isolation By >>>>>>>>>>>> Default / Deprecate document.domain >>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>. >>>>>>>>>>>> We'd >>>>>>>>>>>> like to ship this in M110, stable. >>>>>>>>>>>> >>>>>>>>>>>> Summary (of the underlying change) Change the default behavior >>>>>>>>>>>> of the Origin-Agent-Cluster: header / document.domain settability. >>>>>>>>>>>> Presently, pages within Chromium have site-keyed agent clusters >>>>>>>>>>>> by default, unless the Origin-Agent-Cluster: header is explicitly >>>>>>>>>>>> set to >>>>>>>>>>>> true. This accommodates pages or frames which want to access each >>>>>>>>>>>> other's >>>>>>>>>>>> state, despite being on different origins (but within a site). >>>>>>>>>>>> This is fine >>>>>>>>>>>> for any pages that wish to do so, but because a page *might* set >>>>>>>>>>>> document.domain later on, Chromium currently must use site-keyed >>>>>>>>>>>> agent >>>>>>>>>>>> clusters for *all* pages by default even though the overwhelming >>>>>>>>>>>> majority >>>>>>>>>>>> of pages do not ever make use of this (mis-)feature. In turn, this >>>>>>>>>>>> requires >>>>>>>>>>>> Chromium to use sites as the basis for renderer process isolation >>>>>>>>>>>> (via Site >>>>>>>>>>>> Isolation), which exposes origins to same-site but cross-origin >>>>>>>>>>>> attacks >>>>>>>>>>>> involving compromised renderer processes or the "Spectre" family of >>>>>>>>>>>> side-channel attacks. >>>>>>>>>>>> This proposal changes the default behaviour of >>>>>>>>>>>> Origin-Agent-Cluster. From a developer's point of view, the new >>>>>>>>>>>> default >>>>>>>>>>>> matches "Origin-Agent-Cluster: ?1". The initial implementation >>>>>>>>>>>> will use >>>>>>>>>>>> origin-keyed agent clusters for all (non-opted out) origins, >>>>>>>>>>>> without >>>>>>>>>>>> changing how many processes Chromium creates. Over time, we can >>>>>>>>>>>> then adapt >>>>>>>>>>>> Chromium's isolation strategy towards origin-keyed processes >>>>>>>>>>>> without >>>>>>>>>>>> further affecting web-visible behaviour. >>>>>>>>>>>> The developer-visible aspect of this is that for pages with >>>>>>>>>>>> origin-keyed agent clusters, document.domain is no longer >>>>>>>>>>>> settable. Thus, >>>>>>>>>>>> we have marked this intent as a deprecation. >>>>>>>>>>>> Note that this proposal is about the default. Both modes - >>>>>>>>>>>> site-keyed or origin-keyed agent clusters - remain available to >>>>>>>>>>>> any site, >>>>>>>>>>>> but origin-keyed agent clusters change from opt-in to opt-out. The >>>>>>>>>>>> current >>>>>>>>>>>> behaviour remains available by setting "Origin-Agent-Cluster: ?0". >>>>>>>>>>>> Blink component Blink>SecurityFeature >>>>>>>>>>>> TAG review https://github.com/w3ctag/design-reviews/issues/564 >>>>>>>>>>>> Risks: Interoperability and Compatibility >>>>>>>>>>>> >>>>>>>>>>>> There are compatibility risks, which we have reduced with >>>>>>>>>>>> outreach and warnings, and we want to mitigate further by >>>>>>>>>>>> launching at 50% >>>>>>>>>>>> of beta first. An extended discussion of the risk (including >>>>>>>>>>>> attempts at >>>>>>>>>>>> quantitative assessment) can be found in the original intent >>>>>>>>>>>> to ship >>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/> >>>>>>>>>>>> . >>>>>>>>>>>> >>>>>>>>>>>> Gecko: Standards position request >>>>>>>>>>>> <https://github.com/mozilla/standards-positions/issues/601>. >>>>>>>>>>>> ("Worth prototyping") >>>>>>>>>>>> >>>>>>>>>>>> WebKit: >>>>>>>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html >>>>>>>>>>>> (No signals.) >>>>>>>>>>>> >>>>>>>>>>>> Web developers: No signals. >>>>>>>>>>>> >>>>>>>>>>>> Activation - Deprecation plan >>>>>>>>>>>> M109: Enable "Origin Agent Cluster by Default" for 50% of page >>>>>>>>>>>> loads on beta, dev, and canary. >>>>>>>>>>>> >>>>>>>>>>>> M110: Enable "Origin Agent Cluster by Default" on stable. >>>>>>>>>>>> Security This change should be security-positive, since >>>>>>>>>>>> setting document.domain will not have any impact on the origin of >>>>>>>>>>>> the >>>>>>>>>>>> document any more. >>>>>>>>>>>> Debuggability A deprecation warning has been added to DevTools >>>>>>>>>>>> console and to the issues panel in M98. This warning will file a >>>>>>>>>>>> deprecation report as well using the Reporting API, if so >>>>>>>>>>>> configured. >>>>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>>>>>> Yes >>>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>>>> ? This is covered by Origin-keyed Agent Cluster tests >>>>>>>>>>>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/> >>>>>>>>>>>> . >>>>>>>>>>>> Tracking bug https://crbug.com/1139851 >>>>>>>>>>>> Launch bug https://crbug.com/1246823 >>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>> https://chromestatus.com/feature/5428079583297536 >>>>>>>>>>>> (document.domain setter deprecation) >>>>>>>>>>>> https://chromestatus.com/features/5683766104162304 >>>>>>>>>>>> (Origin-keyed agent clusters) >>>>>>>>>>>> -- >>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>>> it, send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com >>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>> . >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>>>> To view this discussion on the web visit >>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com >>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> Eiji Kitamura / えーじ | Developer Advocate | @agektmr >>>>> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya >>>>> >>>> >> >> -- >> Eiji Kitamura / えーじ | Developer Advocate | @agektmr >> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMFh6J%2B_nODF3Yxu83WMD9WysgbkB%2BS7_i73G%3DJgsTdSw%40mail.gmail.com.