Hello all, it's been a while... The bug reports should now be resolved, and
we'd like to have another go at this in the M115 milestone. That is: Remain
at 50% on beta; starting with 115 ramp up on stable to 1% / 10% / 50% /
100%, every 14d. Let's hope it sticks this time.

Daniel

On Fri, Mar 31, 2023 at 3:54 PM Daniel Vogelheim <vogelh...@google.com>
wrote:

> Hello all, I'm afraid I have to delay this a bit more. :(
>
> We have a bug report (tracked in crbug.com/1429587) that breaks existing
> apps. The important thing here is that it does not break document.domain
> setting and subsequent cross-origin access, but that instead -- if the
> conditions are just right; or arguably just wrong -- the app can get into a
> state where same-origin accesses are mistakenly blocked. Apparently an app
> can get into a state where frames within the same page are inconsistently
> assigned to agent clusters (i.e., frames in the same origin end up in
> different processes), and thus subsequent accesses within that origin may
> fail.
>
> My plan right now is to leave this on at 50% beta, but to not proceed to
> any stable releases at any percentage. I'll update this thread when I have
> a better handle on the bug and can suggest a good way to proceed.
>
> On Fri, Jan 20, 2023 at 5:12 PM Eiji Kitamura <agek...@google.com> wrote:
>
>> FYI, the enterprise bit has been added to the article.
>> https://developer.chrome.com/blog/immutable-document-domain/
>>
>> On Tue, Jan 17, 2023 at 1:21 AM Brandon Heenan <bhee...@google.com>
>> wrote:
>>
>>> We'll make the update in the enterprise release notes too. Thanks for
>>> keeping us in the loop
>>>
>>> On Mon, Jan 16, 2023 at 9:46 AM Rick Byers <rby...@chromium.org> wrote:
>>>
>>>> Thanks so much Eiji!
>>>>
>>>> On Mon, Jan 16, 2023 at 3:06 AM Eiji Kitamura <agek...@google.com>
>>>> wrote:
>>>>
>>>>> I've updated the blog post
>>>>> <https://developer.chrome.com/blog/immutable-document-domain/> stating
>>>>> Chrome 111 is where we ship the feature, but looks like it's rolling out
>>>>> through 111 and 112?
>>>>> I'll update the blog post to mention
>>>>> `OriginAgentClusterDefaultEnabled` enterprise policy.
>>>>>
>>>>>
>>>>> On Sat, Jan 14, 2023 at 1:37 AM Rick Byers <rby...@chromium.org>
>>>>> wrote:
>>>>>
>>>>>> Thanks for the update Daniel, good luck!
>>>>>>
>>>>>> In case others, like me, have missed or forgotten the long history of
>>>>>> this difficult deprecation and what it means for web developers, this 
>>>>>> blog
>>>>>> post is a good summary
>>>>>> <https://developer.chrome.com/blog/immutable-document-domain/>. One
>>>>>> critical thing it doesn't mention, but probably should, is that the 
>>>>>> OriginAgentClusterDefaultEnabled
>>>>>> enterprise policy
>>>>>> <https://chromeenterprise.google/policies/#OriginAgentClusterDefaultEnabled>
>>>>>> can also be used to revert the default on managed devices (though it 
>>>>>> looks
>>>>>> like the launching milestone needs to be updated there too).
>>>>>>
>>>>>> Rick
>>>>>>
>>>>>> On Fri, Jan 13, 2023 at 9:53 AM 'Daniel Vogelheim' via blink-dev <
>>>>>> blink-dev@chromium.org> wrote:
>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> We've now handled the bugs we've discovered, and I would like to
>>>>>>> make another attempt at launching. I'll follow the plan that was 
>>>>>>> approved
>>>>>>> here, but two milestones later: Launch to 50% beta in M111 (or late 
>>>>>>> M110,
>>>>>>> if I can still catch a bit of that release cycle), and then ramp on 
>>>>>>> stable
>>>>>>> once M112 is out.
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Dec 14, 2022 at 6:36 PM Daniel Vogelheim <
>>>>>>> vogelh...@google.com> wrote:
>>>>>>>
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> An update: Unfortunately we have discovered a bug with this
>>>>>>>> feature, just as I was getting ready to enable it. The bug also affects
>>>>>>>> pages that have not even set document.domain. Since I have now missed a
>>>>>>>> substantial portion of the 109 beta cycle I'd like to delay the roll 
>>>>>>>> out
>>>>>>>> once more, and shift it by one milestone (or two; depending on when
>>>>>>>> everything is fixed).
>>>>>>>>
>>>>>>>> On the positive side: Recently the last of the previously
>>>>>>>> identified big document.domain users, that together accounted for 
>>>>>>>> about 50%
>>>>>>>> of remaining usage, has dropped their usage. So current usage is lower 
>>>>>>>> than
>>>>>>>> previously reported. See the usage dip around late November at
>>>>>>>> deprecate.it (1st graph).
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2022 at 5:42 PM Mike Taylor <miketa...@chromium.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> LGTM3
>>>>>>>>>
>>>>>>>>> On 11/10/22 11:18 AM, Chris Harrelson wrote:
>>>>>>>>>
>>>>>>>>> LGTM2
>>>>>>>>>
>>>>>>>>> On Thu, Nov 10, 2022, 4:19 AM Yoav Weiss <yoavwe...@chromium.org>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> LGTM1 to roll this out to 50% of Beta/Dev/Canary for either M108
>>>>>>>>>> or M109, and carefully roll this out for M110, once it hits stable.
>>>>>>>>>>
>>>>>>>>>> On Wed, Nov 9, 2022 at 7:05 PM Daniel Vogelheim <
>>>>>>>>>> vogelh...@google.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Wed, Nov 9, 2022 at 6:10 PM Mike Taylor <
>>>>>>>>>>> miketa...@chromium.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> The approval for the Intent To Ship for Origin Isolation By
>>>>>>>>>>>> Default / Deprecate document.domain
>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>
>>>>>>>>>>>> asks for a separate intent for the actual default change
>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/m/Ybgtf3JfAQAJ>.
>>>>>>>>>>>> This is that separate intent.
>>>>>>>>>>>>
>>>>>>>>>>>> A summary of what happened so far:
>>>>>>>>>>>>
>>>>>>>>>>>> - Shipping Origin Isolation by Default (and thereby deprecating
>>>>>>>>>>>> document.domain) has security benefits, but compatibility risk.
>>>>>>>>>>>>
>>>>>>>>>>>> - We added warnings to the developer console and issues panel,
>>>>>>>>>>>> published a blog post, and engaged in direct outreach. This has 
>>>>>>>>>>>> resulted in
>>>>>>>>>>>> substantial, measurable reduction of usage. Some sites keep using
>>>>>>>>>>>> document.domain, but have mitigated the deprecation with other 
>>>>>>>>>>>> means. This
>>>>>>>>>>>> makes the risk difficult to measure.
>>>>>>>>>>>>
>>>>>>>>>>>> - Sampling of sites with document.domain usage and manual
>>>>>>>>>>>> inspection yields a potential breakage estimate at ~0.015% of page 
>>>>>>>>>>>> views.
>>>>>>>>>>>>
>>>>>>>>>>>> What we're asking for here is:
>>>>>>>>>>>>
>>>>>>>>>>>> - Enable the feature at 50% for beta (+ dev + canary) during
>>>>>>>>>>>> M109, as a "last call" for web site authors.
>>>>>>>>>>>>
>>>>>>>>>>>> This sounds like a good idea. Is there any reason we couldn't
>>>>>>>>>>>> go to 50% in M108 as well (or are you trying to avoid breakage 
>>>>>>>>>>>> over the
>>>>>>>>>>>> winter holidays)?
>>>>>>>>>>>>
>>>>>>>>>>> No reason. I'd be happy to go to beta as soon as I receive the
>>>>>>>>>>> lgtms. I had conservatively budgeted that to be 109. :-)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Another question: do we have enterprise policies available for
>>>>>>>>>>>> this change?
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Yes; the policy is here: OriginAgentClusterDefaultEnabled
>>>>>>>>>>> <https://source.chromium.org/chromium/chromium/src/+/main:components/policy/resources/templates/policy_definitions/Miscellaneous/OriginAgentClusterDefaultEnabled.yaml>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> - Launch on stable on M110. (~ Feb '23, so >12 weeks out from
>>>>>>>>>>>> today)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> Contact emails v...@chromium.org, vogelh...@chromium.org
>>>>>>>>>>>> Specification Explainer:
>>>>>>>>>>>> https://github.com/mikewest/deprecating-document-domain HTML
>>>>>>>>>>>> Spec draft:
>>>>>>>>>>>> https://github.com/whatwg/html/compare/main...otherdaniel:dd
>>>>>>>>>>>> API spec Yes
>>>>>>>>>>>> Summary
>>>>>>>>>>>>
>>>>>>>>>>>> This is a follow-on to the Intent to Ship: Origin Isolation By
>>>>>>>>>>>> Default / Deprecate document.domain
>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>.
>>>>>>>>>>>>  We'd
>>>>>>>>>>>> like to ship this in M110, stable.
>>>>>>>>>>>>
>>>>>>>>>>>> Summary (of the underlying change) Change the default behavior
>>>>>>>>>>>> of the Origin-Agent-Cluster: header / document.domain settability.
>>>>>>>>>>>> Presently, pages within Chromium have site-keyed agent clusters
>>>>>>>>>>>> by default, unless the Origin-Agent-Cluster: header is explicitly 
>>>>>>>>>>>> set to
>>>>>>>>>>>> true. This accommodates pages or frames which want to access each 
>>>>>>>>>>>> other's
>>>>>>>>>>>> state, despite being on different origins (but within a site). 
>>>>>>>>>>>> This is fine
>>>>>>>>>>>> for any pages that wish to do so, but because a page *might* set
>>>>>>>>>>>> document.domain later on, Chromium currently must use site-keyed 
>>>>>>>>>>>> agent
>>>>>>>>>>>> clusters for *all* pages by default even though the overwhelming 
>>>>>>>>>>>> majority
>>>>>>>>>>>> of pages do not ever make use of this (mis-)feature. In turn, this 
>>>>>>>>>>>> requires
>>>>>>>>>>>> Chromium to use sites as the basis for renderer process isolation 
>>>>>>>>>>>> (via Site
>>>>>>>>>>>> Isolation), which exposes origins to same-site but cross-origin 
>>>>>>>>>>>> attacks
>>>>>>>>>>>> involving compromised renderer processes or the "Spectre" family of
>>>>>>>>>>>> side-channel attacks.
>>>>>>>>>>>> This proposal changes the default behaviour of
>>>>>>>>>>>> Origin-Agent-Cluster. From a developer's point of view, the new 
>>>>>>>>>>>> default
>>>>>>>>>>>> matches "Origin-Agent-Cluster: ?1". The initial implementation 
>>>>>>>>>>>> will use
>>>>>>>>>>>> origin-keyed agent clusters for all (non-opted out) origins, 
>>>>>>>>>>>> without
>>>>>>>>>>>> changing how many processes Chromium creates. Over time, we can 
>>>>>>>>>>>> then adapt
>>>>>>>>>>>> Chromium's isolation strategy towards origin-keyed processes 
>>>>>>>>>>>> without
>>>>>>>>>>>> further affecting web-visible behaviour.
>>>>>>>>>>>> The developer-visible aspect of this is that for pages with
>>>>>>>>>>>> origin-keyed agent clusters, document.domain is no longer 
>>>>>>>>>>>> settable. Thus,
>>>>>>>>>>>> we have marked this intent as a deprecation.
>>>>>>>>>>>> Note that this proposal is about the default. Both modes -
>>>>>>>>>>>> site-keyed or origin-keyed agent clusters - remain available to 
>>>>>>>>>>>> any site,
>>>>>>>>>>>> but origin-keyed agent clusters change from opt-in to opt-out. The 
>>>>>>>>>>>> current
>>>>>>>>>>>> behaviour remains available by setting "Origin-Agent-Cluster: ?0".
>>>>>>>>>>>> Blink component Blink>SecurityFeature
>>>>>>>>>>>> TAG review https://github.com/w3ctag/design-reviews/issues/564
>>>>>>>>>>>> Risks: Interoperability and Compatibility
>>>>>>>>>>>>
>>>>>>>>>>>> There are compatibility risks, which we have reduced with
>>>>>>>>>>>> outreach and warnings, and we want to mitigate further by 
>>>>>>>>>>>> launching at 50%
>>>>>>>>>>>> of beta first. An extended discussion of the risk (including 
>>>>>>>>>>>> attempts at
>>>>>>>>>>>> quantitative assessment) can be found in the original intent
>>>>>>>>>>>> to ship
>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_oRc19PjpFo/>
>>>>>>>>>>>> .
>>>>>>>>>>>>
>>>>>>>>>>>> Gecko: Standards position request
>>>>>>>>>>>> <https://github.com/mozilla/standards-positions/issues/601>.
>>>>>>>>>>>> ("Worth prototyping")
>>>>>>>>>>>>
>>>>>>>>>>>> WebKit:
>>>>>>>>>>>> https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html
>>>>>>>>>>>> (No signals.)
>>>>>>>>>>>>
>>>>>>>>>>>> Web developers: No signals.
>>>>>>>>>>>>
>>>>>>>>>>>> Activation - Deprecation plan
>>>>>>>>>>>> M109: Enable "Origin Agent Cluster by Default" for 50% of page
>>>>>>>>>>>> loads on beta, dev, and canary.
>>>>>>>>>>>>
>>>>>>>>>>>> M110: Enable "Origin Agent Cluster by Default" on stable.
>>>>>>>>>>>>   Security This change should be security-positive, since
>>>>>>>>>>>> setting document.domain will not have any impact on the origin of 
>>>>>>>>>>>> the
>>>>>>>>>>>> document any more.
>>>>>>>>>>>> Debuggability A deprecation warning has been added to DevTools
>>>>>>>>>>>> console and to the issues panel in M98. This warning will file a
>>>>>>>>>>>> deprecation report as well using the Reporting API, if so 
>>>>>>>>>>>> configured.
>>>>>>>>>>>> Will this feature be supported on all six Blink platforms
>>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>>>>> Yes
>>>>>>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>
>>>>>>>>>>>> ? This is covered by Origin-keyed Agent Cluster tests
>>>>>>>>>>>> <https://wpt.live/html/browsers/origin/origin-keyed-agent-clusters/>
>>>>>>>>>>>> .
>>>>>>>>>>>> Tracking bug https://crbug.com/1139851
>>>>>>>>>>>> Launch bug https://crbug.com/1246823
>>>>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>>>>> https://chromestatus.com/feature/5428079583297536
>>>>>>>>>>>> (document.domain setter deprecation)
>>>>>>>>>>>> https://chromestatus.com/features/5683766104162304
>>>>>>>>>>>> (Origin-keyed agent clusters)
>>>>>>>>>>>> --
>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>>> it, send an email to blink-dev+unsubscr...@chromium.org.
>>>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com
>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>>>>>>> .
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>>> send an email to blink-dev+unsubscr...@chromium.org.
>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com
>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "blink-dev" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to blink-dev+unsubscr...@chromium.org.
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com
>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Eiji Kitamura / えーじ | Developer Advocate | @agektmr
>>>>> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya
>>>>>
>>>>
>>
>> --
>> Eiji Kitamura / えーじ | Developer Advocate | @agektmr
>> <https://twitter.com/agektmr> | Office Location: Tokyo Shibuya
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMFh6J%2B_nODF3Yxu83WMD9WysgbkB%2BS7_i73G%3DJgsTdSw%40mail.gmail.com.

Reply via email to