Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2024-04-16 Thread Patrick Meenan
FWIW, this is already possible in an extension using the devtools protocol support. Fetch.continueRequest lets you rewrite outbound requests to go to different destinations, modify headers, etc. It is what

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2024-04-16 Thread David Benjamin
Keep in mind also that cross-origin and same-origin requests generally behave very differently on the web, not just in this specific way. So if you're redirecting a portion of your origin in your dev environment, other things will also behave differently. I recognize that's not how your current

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2024-04-16 Thread Mike Taylor
It's possible that DevTools could support this use case, so I'd encourage you to file a feature request at crbug.com/new. Thx On 4/16/24 6:29 AM, Tom Komarnicki wrote: Hi there, Here's the scenario I'm dealing with: I'm a backend developer working on a system with two distinct parts that

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2024-04-16 Thread Tom Komarnicki
Hi there, Here's the scenario I'm dealing with: I'm a backend developer working on a system with two distinct parts that typically don't intersect during development. The frontend is hosted online, and that's the only place I can access it. When something goes wrong on the backend I'm

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2024-04-15 Thread Yoav Weiss (@Shopify)
On Mon, Apr 15, 2024 at 2:18 PM Tom Komarnicki wrote: > Hey, > > Sorry for necro'ing this thread, I'm aware that this has been on the > "done" pile for a while - and maybe it should've been brought up earlier, > but how do you "disable" this feature? It's making the BE dev exhaustingly >

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2024-04-15 Thread Tom Komarnicki
Hey, Sorry for necro'ing this thread, I'm aware that this has been on the "done" pile for a while - and maybe it should've been brought up earlier, but how do you "disable" this feature? It's making the BE dev exhaustingly painful, not being able to intercept requests and re-forward them to

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-09-05 Thread Chris Harrelson
LGTM3 On Tue, Sep 5, 2023 at 8:27 AM Mike Taylor wrote: > LGTM2 > On 9/3/23 8:12 PM, Yoav Weiss wrote: > > LGTM1 > > > > On Mon, Sep 4, 2023 at 2:24 AM Kenichi Ishibashi > wrote: > >> Hi, sorry for the long delay. >> >> The feature page >>

Re: [blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-09-05 Thread Mike Taylor
LGTM2 On 9/3/23 8:12 PM, Yoav Weiss wrote: LGTM1 On Mon, Sep 4, 2023 at 2:24 AM Kenichi Ishibashi wrote: Hi, sorry for the long delay. The feature page now shows sites that use Authorization header for

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-09-03 Thread Yoav Weiss
LGTM1 On Mon, Sep 4, 2023 at 2:24 AM Kenichi Ishibashi wrote: > Hi, sorry for the long delay. > > The feature page > now > shows sites that use Authorization header for cross-origin redirects. I > randomly picked some of them

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-09-03 Thread Kenichi Ishibashi
Hi, sorry for the long delay. The feature page now shows sites that use Authorization header for cross-origin redirects. I randomly picked some of them and examined to see if they could work when Chrome removes Authorization

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-08-31 Thread Ioan-Cristian Linte
Any updates on this? Other browsers have already made the change for some time so it's surprising that Chrome is so worried about breaking change. The Authorization propagating in cross origin redirects is causing a performance issue for us. Our server redirects to AWS S3 with pre-signed url

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-06-28 Thread Yoav Weiss
Friendly ping! :) Any news on UKM data here? On Wednesday, April 5, 2023 at 10:53:41 AM UTC+2 Yoav Weiss wrote: > Sounds great, thanks!! :) > > On Wed, Apr 5, 2023 at 10:44 AM Kenichi Ishibashi > wrote: > >> Hi Yoav, >> >> Sorry I haven't sent an update in this thread. (1) sounds reasonable. I

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-04-05 Thread Yoav Weiss
Sounds great, thanks!! :) On Wed, Apr 5, 2023 at 10:44 AM Kenichi Ishibashi wrote: > Hi Yoav, > > Sorry I haven't sent an update in this thread. (1) sounds reasonable. I > added the usercounters to UKM a few weeks ago and I'm waiting for data. I > will report back after manual inspections are

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-04-05 Thread Kenichi Ishibashi
Hi Yoav, Sorry I haven't sent an update in this thread. (1) sounds reasonable. I added the usercounters to UKM a few weeks ago and I'm waiting for data. I will report back after manual inspections are done. Thanks, On Wed, Apr 5, 2023 at 5:14 PM Yoav Weiss wrote: > Friendly ping on the above

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-04-05 Thread Yoav Weiss
Friendly ping on the above :) Does (1) sound reasonable from your perspective? On Wed, Mar 15, 2023 at 7:16 PM Yoav Weiss wrote: > The way I see this, given that the usecounter is an order of magnitude > higher than what we can consider trivial, we have 3 options: > 1) Add the usecounters to

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-15 Thread Yoav Weiss
The way I see this, given that the usecounter is an order of magnitude higher than what we can consider trivial, we have 3 options: 1) Add the usecounters to UKM

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-14 Thread Patrick Meenan
Do we expect the Authorization header to be something that the HTTP Archive triggers in a way that the feature will trigger? Since they are all unauthenticated single page loads, it feels like it's unlikely to be something that we hit. On Tue, Mar 14, 2023 at 4:37 PM Patrick Meenan wrote: >

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-14 Thread Patrick Meenan
Looks like the feature flag was added Feb 16 which looks like it should have made the 112 branch point. If we hold the April crawl back a couple of days and start it on the 4th after

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-14 Thread 'Rick Viscomi' via blink-dev
Am I reading the feature page correctly that it'll land in stable version 113? If so, HTTP Archive wouldn't pick that up until the May crawl. cc @Patrick Meenan to keep me honest On Mon, Mar 13, 2023 at 12:19 AM Yoav Weiss wrote: > It's

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-12 Thread Yoav Weiss
It's possible that we need to wait for the next HA run to get actual examples. +Rick Viscomi would know.. On Mon, Mar 13, 2023 at 12:28 AM Kenichi Ishibashi wrote: > Thank you Yoav for the suggestion. I couldn't find sample URLs from the > HTTPArchive data (feature usage >

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-12 Thread Kenichi Ishibashi
Thank you Yoav for the suggestion. I couldn't find sample URLs from the HTTPArchive data (feature usage). I'll add a feature flag to prepare for reverting this change if breakage is problematic. On Fri, Mar 10, 2023 at 7:06 PM

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-10 Thread Yoav Weiss
One option to tighten the potential for breakage would be to e.g. sample 10 URLs that are hitting that usecounter (e.g. from the HTTPArchive data), and test them manually to see how many of them would break once this change is applied. Based on the number you'd get, we can estimate the magnitude

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-03-09 Thread Kenichi Ishibashi
Use counter reports 0.022%. My guess is that most usage happens accidentally but we are not sure. API owners, should we do a reverse OT? On Fri, Feb 17, 2023 at 9:38 AM Kenichi Ishibashi wrote: > Quick update, we added a use counter to see how often this could happen. > I'll get back once we

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-02-16 Thread Kenichi Ishibashi
Quick update, we added a use counter to see how often this could happen. I'll get back once we have data. On Wed, Feb 8, 2023 at 11:51 PM Yoav Weiss wrote: > Any use counters on how often this happens? > > On Thursday, February 2, 2023 at 8:58:35 AM UTC+1 Kenichi Ishibashi wrote: > Contact

[blink-dev] Re: Intent to Ship: Remove Authorization header upon cross-origin redirect

2023-02-08 Thread Yoav Weiss
Any use counters on how often this happens? On Thursday, February 2, 2023 at 8:58:35 AM UTC+1 Kenichi Ishibashi wrote: Contact emails ba...@chromium.org Specification https://fetch.spec.whatwg.org/#http-redirect-fetch Summary Remove Authorization header on cross origin redirects to scope a