Intent to Experiment: Feature Policy Reporting


Ian Clelland

Jan 14, 2019, 1:20:28 PM
to blink-dev

Contact emails

icle...@chromium.org


Spec

Spec: https://w3c.github.io/webappsec-feature-policy/#reporting

Explainer for Report-only mode: https://github.com/w3c/webappsec-feature-policy/blob/master/reporting.md#can-i-just-trigger-reports-without-actually-enforcing-the-policy


Summary

This change integrates Feature Policy with the Reporting API. Developers can use either the Report-To HTTP header or the ReportingObserver interface to see violations of policies on their own pages. With Feature-Policy-Report-Only, developers can use reporting to see the potential effect of a new policy before actually enforcing it.


Link to “Intent to Implement” blink-dev discussion

https://groups.google.com/a/chromium.org/d/msg/blink-dev/5-3woY4Y1Qg/xHDTmUFAEAAJ

Goals for experimentation

We would like to ensure that the violation reports are useful to developers, and verify that report-only mode can be used to test out policies before actually putting them in place. There are a number of limits in place for privacy reasons (we've removed the ability to gather aggregate reports from subframes, and ensured that reporting in general cannot be imposed on subframes) and would like to validate that the API is still useful, both to developers and to analytics providers. Also, the report-only syntax has changed since the initial explainer, and we'd like to verify that the new header makes sense.


Experimental timeline

Starting with M73, and continuing until Mid-July 2019, before M76 reaches stable.


Any risks when the experiment finishes?

When this experiment comes to an end, policy violations will stop being reported. Developers who are not aware that the experiment was ending may misconstrue this as a sudden drop in actual violations. The user experience should be unaffected, as reporting is generally out-of-band.


Ongoing technical constraints

None


Debuggability

This is as debuggable as the Reporting API generally. Chrome includes a network trace gatherer, which can be used with an external trace viewer to debug reporting issues. We're not looking at adding any specific DevTools requirements for FP reporting.


Will this feature be supported on all five Blink platforms supported by Origin Trials (Windows, Mac, Linux, Chrome OS, and Android)?

Yes.


Link to entry on the feature dashboard

https://www.chromestatus.com/feature/6294138899136512
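The summary above says developers can consume violation reports either through a Report-To endpoint or through a ReportingObserver, and use report-only mode to judge a policy before enforcing it. The following is an added example, not code from the intent or from Chromium, showing the consumer side: a summarizer that takes a batch of reports (the same shape arrives at a Report-To endpoint as JSON and at a ReportingObserver callback as Report objects), keeps only feature-policy-violation reports, and splits them by disposition so that features seen only in report-only mode can be told apart from features already breaking under enforcement. The report body field names follow the spec linked above (featureId, sourceFile, lineNumber, columnNumber, disposition, message); the origin, file paths and the sample batch are constructed for this example.

```javascript
// Added example (not from the blink-dev thread): consumer for Reporting API
// batches carrying Feature Policy violation reports.
//
// Both delivery paths named in the intent deliver the same report shape:
//   - a Report-To endpoint receives a JSON array of reports via POST
//     (Content-Type: application/reports+json), and
//   - a ReportingObserver callback receives Report objects in-page.
// Body field names follow FeaturePolicyViolationReportBody in the spec;
// the origins, script paths and sample data below are constructed.

const REPORT_TYPE = 'feature-policy-violation';

// Constructed sample batch, as a Report-To endpoint would receive it.
const SAMPLE_BATCH = [
  { type: REPORT_TYPE, age: 120, url: 'https://app.example/checkout',
    user_agent: 'Mozilla/5.0 (example)',
    body: { featureId: 'geolocation', sourceFile: 'https://app.example/js/map.js',
            lineNumber: 42, columnNumber: 7, disposition: 'report',
            message: 'Geolocation access has been blocked because of a Feature Policy applied to the current document.' } },
  { type: REPORT_TYPE, age: 300, url: 'https://app.example/checkout',
    body: { featureId: 'geolocation', sourceFile: 'https://app.example/js/map.js',
            lineNumber: 42, columnNumber: 7, disposition: 'report', message: '(same as above)' } },
  { type: REPORT_TYPE, age: 5, url: 'https://app.example/profile',
    body: { featureId: 'camera', sourceFile: 'https://cdn.example/widget.js',
            lineNumber: 10, columnNumber: 1, disposition: 'enforce',
            message: 'Camera access has been blocked because of a Feature Policy applied to the current document.' } },
  // A report of another type, which the summarizer must ignore.
  { type: 'deprecation', age: 1, url: 'https://app.example/', body: { id: 'x', message: 'y' } },
];

// Per-feature counts by disposition plus the distinct source locations,
// so a developer can see which scripts would be affected by enforcement.
function summarizeFeaturePolicyReports(reports) {
  const summary = {};
  for (const r of reports) {
    if (!r || r.type !== REPORT_TYPE || !r.body) continue;
    const { featureId, disposition, sourceFile, lineNumber } = r.body;
    if (typeof featureId !== 'string') continue;
    const entry = summary[featureId] ||
      (summary[featureId] = { enforce: 0, report: 0, locations: new Set() });
    if (disposition === 'enforce') entry.enforce += 1;
    else if (disposition === 'report') entry.report += 1;
    if (sourceFile) entry.locations.add(`${sourceFile}:${lineNumber ?? '?'}`);
  }
  // Sets become sorted arrays so the output is stable and serialisable.
  for (const e of Object.values(summary)) e.locations = [...e.locations].sort();
  return summary;
}

// Features seen only under report-only mode are candidates to enforce;
// features with 'enforce' reports are already breaking and need a fix or
// an allowlist entry before the policy is widened.
function classify(summary) {
  const readyToEnforce = [];
  const breakingNow = [];
  for (const [feature, e] of Object.entries(summary)) {
    if (e.enforce > 0) breakingNow.push(feature);
    else if (e.report > 0) readyToEnforce.push(feature);
  }
  return { readyToEnforce: readyToEnforce.sort(), breakingNow: breakingNow.sort() };
}

// In-page wiring (browser only): the ReportingObserver callback hands over
// Report objects with the same type/url/body fields, so the same summarizer
// applies. Guarded so the file also runs outside a browser.
if (typeof ReportingObserver !== 'undefined') {
  const observer = new ReportingObserver((reports) => {
    console.log(classify(summarizeFeaturePolicyReports(reports)));
  }, { types: [REPORT_TYPE], buffered: true });
  observer.observe();
}

// Stand-alone run on the constructed batch.
console.log(JSON.stringify(classify(summarizeFeaturePolicyReports(SAMPLE_BATCH))));
```

For the server-side path, the page would advertise the collector with the Reporting API's Report-To header (for instance `Report-To: {"group":"default","max_age":86400,"endpoints":[{"url":"https://app.example/reports"}]}`, with the endpoint URL being an assumption here) and the collector would feed each POSTed JSON array into summarizeFeaturePolicyReports. The ignored 'deprecation' entry in the sample batch matters in practice: a Report-To group receives every report type sent to it, so the consumer has to filter on type rather than assume the batch is homogeneous.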

Yoav Weiss

Jan 21, 2019, 10:58:40 AM
to Ian Clelland, blink-dev
Report only mode seems like an essential piece of the FP deployment scheme, and this feature seems like an enabler for that.
LGTM

--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK_TSXL%3DQKigBnJypbVz6040yqNkAGT56B3VmEzVgTmPqV6AgQ%40mail.gmail.com.