LGTM1
On Thu, Feb 15, 2024 at 9:51 AM 'Yifan Luo' via blink-dev
<[email protected]> wrote:
OT findings:
https://docs.google.com/spreadsheets/d/15b2kCikEqw6P0xZFXQKMiKk_WnqnIZpT5p8nmLgc93Y/edit?usp=sharing
There are 7 OT users and most of them (6/7) mentioned they will
keep using this new feature.
We aimed to use this feature to make it possible for developers to
drop the non-secure context deprecation trial,
<https://developer.chrome.com/origintrials/#/view_trial/4081387162304512001>
which currently got 1000+ registrations:
https://docs.google.com/spreadsheets/d/1yTjZs3yvTFwn0SupdBmzZiOQ_A3Auvg_Qrp3DwOKBNw/edit?pli=1#gid=369270489
RFPs: This feature is a sub-feature of Private Network Access
<https://github.com/WICG/private-network-access>: filled in the
previous RFP of PNA.
Flag: Sorry for the omission, there's a Finch flag
"PrivateNetworkAccessPermissionPrompt"
On Tuesday, February 13, 2024 at 5:02:38 PM UTC+1 Yifan Luo wrote:
Contact [email protected], [email protected],
[email protected]
Explainer https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
I had a minor concern
<https://github.com/WICG/private-network-access/issues/128> after
reading the explainer about the lack of a preflight and opt-in
requirement. Turns out that those are already required as part of the
broader PNA feature.
Specification https://wicg.github.io/private-network-access
Design docs
https://docs.google.com/document/d/1Q18g4fZoDIYQ9IuxlZTaItgkzfiz_tCqaEAI8J3Y1WY/edit
https://github.com/WICG/private-network-access/blob/main/permission_prompt/security_privacy_self_review.md
Summary
In order to establish connections to devices on a local
network that do not have globally unique names, and therefore
cannot obtain TLS certificates, this feature introduces a new
option to `fetch()` to declare a developer's intent to talk to
such a device, a new policy-controlled feature to gate each
site's access to this capability, and new headers for the
server's preflight response to provide additional metadata.
Blink component Blink>SecurityFeature>CORS>PrivateNetworkAccess
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
TAG review https://github.com/w3ctag/design-reviews/issues/751
TAG review status Issues addressed
Chromium Trial Name PrivateNetworkAccessPermissionPrompt
Origin Trial documentation link
https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
WebFeature UseCounter name kPrivateNetworkAccessPermissionPrompt
Risks
Interoperability and Compatibility
/Gecko/: Positive
(https://github.com/mozilla/standards-positions/issues/143)
Worth prototyping.
/WebKit/: Positive
(https://github.com/WebKit/standards-positions/issues/163)
/Web developers/: Positive
(https://github.com/WICG/private-network-access/issues/23)
/Other signals/:
Ergonomics
This new feature requires users to click on the new
permission. This may lead users to spamming on some websites.
However, this is an intentional move to encourage the websites
to provide security context. The origin trial also aimed to
measure the frequency of users getting the permissions.
Activation
No. This feature attempts to bring developers an easier way to
restrict Private Network Access with secure context.
Security
This is a security positive feature.
WebView application risks
Does this intent deprecate or change behavior of existing
APIs, such that it has potentially high risk for Android
WebView-based applications?
None
Debuggability
Relevant information (client and resource IP address space) is
already piped into the DevTools network panel. We’ll likely
also represent the permission state in the settings pages.
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? No
Mac, Windows, Linux, Chrome OS, Fuchsia, Android, WebLayer.
Not Android WebView because of the absence of deprecation
trial integration (though that may be changing soon, see
https://crbug.com/1308425). Not iOS because this requires
changes in Blink and the network service, neither of which are
used on iOS.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? No
https://wpt.fyi/results/fetch/private-network-access/mixed-content-fetch.tentative.https.window.html?label=master&label=experimental&aligned&q=private-network-access
Flag name on
chrome://flags#private-network-access-permission-prompt
Finch feature name PrivateNetworkAccessPermissionPrompt
Requires code in //chrome? True
Tracking bug https://crbug.com/1338439
Sample links
https://drive.google.com/file/d/1pnyQfIsXdtJnZoCBVSt4xim0yXjZ0Aqc/view?usp=sharing
Estimated milestones
Shipping on desktop 123
OriginTrial desktop last 122
OriginTrial desktop first 120
DevTrial on desktop 120
Anticipated spec changes
Open questions about a feature may be a source of future web
compat or interop issues. Please list open issues (e.g. links
to known github issues in the project for the feature
specification) whose resolution may introduce web
compat/interop risk (e.g., changing to naming or structure of
the API in a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5954091755241472
Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/6MczoSFGiHo/m/IigYuhu7AwAJ
Intent to Experiment:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU_ZS1ibT9H7e5UmoUF2OfCUq5ocsDHaCoJ2rShmPmAejQ%40mail.gmail.com
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
On Friday, January 26, 2024 at 6:34:49 PM UTC+1 Vladimir Levin
wrote:
On Fri, Jan 26, 2024 at 5:07 AM 'Yifan Luo' via blink-dev
<[email protected]> wrote:
Contact emails
[email protected], [email protected]
Explainer
https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
Specification
https://wicg.github.io/private-network-access
Design docs
https://docs.google.com/document/d/1Q18g4fZoDIYQ9IuxlZTaItgkzfiz_tCqaEAI8J3Y1WY/edit
https://github.com/WICG/private-network-access/blob/main/permission_prompt/security_privacy_self_review.md
Summary
In order to establish connections to devices on a
local network that do not have globally unique names,
and therefore cannot obtain TLS certificates, this
feature introduces a new option to `fetch()` to
declare a developer's intent to talk to such a device,
a new policy-controlled feature to gate each site's
access to this capability, and new headers for the
server's preflight response to provide additional
metadata.
Blink component
Blink>SecurityFeature>CORS>PrivateNetworkAccess
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
TAG review
https://github.com/w3ctag/design-reviews/issues/751
TAG review status
Issues addressed
Chromium Trial Name
PrivateNetworkAccessPermissionPrompt
Origin Trial documentation link
https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
WebFeature UseCounter name
kPrivateNetworkAccessPermissionPrompt
Risks
Interoperability and Compatibility
/Gecko/: No signal
/WebKit/: No signal
Could you file RFPs for this?
/Web developers/: Positive
(https://github.com/WICG/private-network-access/issues/23)
/Other signals/:
Ergonomics
This new feature requires users to click on the new
permission. This may lead users to spamming on some
websites. However, this is an intentional move to
encourage the websites to provide security context.
The origin trial also aimed to measure the frequency
of users getting the permissions.
Apologies if I missed this, but is there a document
somewhere summarizing the OT findings?
Activation
No. This feature attempts to bring developers an easier
way to restrict Private Network Access with secure
context.
Security
This is a security positive feature.
WebView application risks
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high risk
for Android WebView-based applications?
None
Debuggability
Relevant information (client and resource IP address
space) is already piped into the DevTools network
panel. We’ll likely also represent the permission
state in the settings pages.
Will this feature be supported on all six
Blink platforms (Windows, Mac, Linux,
ChromeOS, Android, and Android WebView)?
No
Mac, Windows, Linux, Chrome OS, Fuchsia, Android,
WebLayer. Not Android WebView because of the absence
of deprecation trial integration (though that may be
changing soon, see https://crbug.com/1308425). Not iOS
because this requires changes in Blink and the network
service, neither of which are used on iOS.
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
https://wpt.fyi/results/fetch/private-network-access/mixed-content-fetch.tentative.https.window.html?label=master&label=experimental&aligned&q=private-network-access
Flag name on chrome://flags
Finch feature name
None
Non-finch justification
None
Does this mean the feature is not flag guarded, or is this
just an omission in chromestatus?
Requires code in //chrome?
True
Tracking bug
https://crbug.com/1338439
Sample links
https://drive.google.com/file/d/1pnyQfIsXdtJnZoCBVSt4xim0yXjZ0Aqc/view?usp=sharing
Estimated milestones
Shipping on desktop 123
OriginTrial desktop last 122
OriginTrial desktop first 120
DevTrial on desktop 120
Anticipated spec changes
Open questions about a feature may be a source of
future web compat or interop issues. Please list open
issues (e.g. links to known github issues in the
project for the feature specification) whose
resolution may introduce web compat/interop risk
(e.g., changing to naming or structure of the API in a
non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5954091755241472
Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/6MczoSFGiHo/m/IigYuhu7AwAJ
Intent to Experiment:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU_ZS1ibT9H7e5UmoUF2OfCUq5ocsDHaCoJ2rShmPmAejQ%40mail.gmail.com
This intent message was generated by Chrome Platform
Status <https://chromestatus.com/>.
--
Yifan
--
You received this message because you are subscribed
to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU9p9dAurzeZfAEmFhBRmwz42_tJpnCVf_nmHox5zwzY0A%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU9p9dAurzeZfAEmFhBRmwz42_tJpnCVf_nmHox5zwzY0A%40mail.gmail.com?utm_medium=email&utm_source=footer>.
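The Summary quoted in this thread describes a new `fetch()` option and new preflight response headers. The following is an added example, not part of the thread and not Chromium or spec code, of how a local device could answer such a preflight. The `targetAddressSpace` option and the header names come from the Private Network Access spec and explainer linked above; the origin allowlist, address, device ID, device name and format checks are assumptions of this example.

```javascript
// Added example (not Chromium or spec code). Page side, per the explainer:
//   fetch("http://192.168.1.50/status", { targetAddressSpace: "private" });
// Device side: answer the resulting CORS preflight. DEVICE holds constructed
// sample values; the ID/name format checks are assumptions of this example.
const DEVICE = {
  allowedOrigins: new Set(["https://app.example"]),
  id: "01:23:45:67:89:0A",
  name: "kitchen-printer",
};
const ID_RE = /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;
const NAME_RE = /^[a-z0-9_.-]{1,248}$/;

// HTTP header names are case-insensitive, so normalise before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { status, headers } for an OPTIONS preflight request.
function answerPreflight(requestHeaders, device = DEVICE) {
  const h = lowerKeys(requestHeaders);
  const origin = h["origin"];
  // Opt in per origin from an allowlist; never reflect an arbitrary Origin.
  if (!origin || !device.allowedOrigins.has(origin)) {
    return { status: 403, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET",
    "Vary": "Origin",
  };
  if (h["access-control-request-private-network"] === "true") {
    // Refuse to advertise malformed metadata rather than send it unchecked.
    if (!ID_RE.test(device.id) || !NAME_RE.test(device.name)) {
      return { status: 500, headers: {} };
    }
    headers["Access-Control-Allow-Private-Network"] = "true";
    headers["Private-Network-Access-ID"] = device.id;
    headers["Private-Network-Access-Name"] = device.name;
  }
  return { status: 204, headers };
}
```

The ID and name headers give the browser metadata to show in the permission prompt, so the device should send stable, validated values rather than anything derived from the request.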