--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK_TSXJP7jEXah_e8isRP6H%3DwyJhff%2BCgyWhn9NpRmO0VO2%3Dww%40mail.gmail.com.
Interoperability and Compatibility Risks:
This deprecation improves interoperability, by aligning with the specification and with the implementation in Gecko.
Hi, can you please indicate what's the status / plan for WebKit?
-- Frédéric Wang
0.02% of page visits affected is quite a bit higher than we would quickly approve. What will the effect be in general for those using the comma if it's no longer supported? Will it be noticed? Will it be fatal?
Maybe you got an idea when looking at those sites you analyzed?
/Daniel
0.02% is an upper bound; unfortunately we don't currently distinguish between a comma created by concatenating HTTP headers and a comma in the text of an iframe allow attribute. The deprecation CL does add such a use counter. (WIP at https://chromium-review.googlesource.com/c/chromium/src/+/2313298)
In general, the attribute is used to grant features to cross-origin subframes which would normally be blocked. If we stop accepting the comma as a separator, then those frames will no longer be able to use those features, or to request permission to use those features. They will act like any other third-party embedded frame, with no extra privileges. For a feature like fullscreen, the embedded site will see that window.fullscreenEnabled is always false. For permission-based features, they will see that permission is always denied when requested (exactly as if the user always declined, although this will be invisible to the user).

Looking through HTTPArchive, out of the 225 pages which include a static allow attribute with a comma, we see this distribution of features:

fullscreen: 181 mentions
autoplay: 97
accelerometer: 79
gyroscope: 76
geolocation: 64
vr: 54
encrypted-media: 34
microphone: 18
camera: 17
picture-in-picture: 15
payment: 6
midi: 1
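Added example, not part of the thread or of Chromium's code: a static audit in the spirit of the HTTPArchive survey above that flags iframe allow attributes containing a comma, tallies the features they mention, and proposes the semicolon-separated form the specification uses. The sample markup and the names `AllowAudit`, `audit` and `feature_counts` are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser

# Constructed sample markup (not taken from any real site).
SAMPLE_HTML = """
<iframe src="https://video.example/embed" allow="fullscreen, autoplay"></iframe>
<iframe src="https://maps.example/widget" allow="geolocation; fullscreen"></iframe>
<iframe src="https://pay.example/form" allow="payment 'src', camera; microphone"></iframe>
<iframe src="https://ads.example/slot"></iframe>
"""

class AllowAudit(HTMLParser):
    """Collect iframes whose allow attribute relies on ',' as a separator."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)
        allow = attr.get("allow") or ""
        if "," not in allow:
            return  # already semicolon-only, or no delegation at all
        # Split on both separators to recover every directive the author meant.
        directives = [d.strip() for d in allow.replace(",", ";").split(";") if d.strip()]
        self.findings.append({
            "src": attr.get("src"),
            "allow": allow,
            "features": [d.split()[0] for d in directives],  # feature name per directive
            "suggested": "; ".join(directives),  # semicolon-separated rewrite
        })

def audit(html):
    """Return one finding per iframe that uses a comma in its allow attribute."""
    parser = AllowAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def feature_counts(findings):
    """Tally feature mentions across flagged attributes, like the survey above."""
    return Counter(name for f in findings for name in f["features"])

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f"{f['src']}: allow={f['allow']!r} -> allow={f['suggested']!r}")
    print(feature_counts(audit(SAMPLE_HTML)).most_common())
```

This only sees static markup; allow attributes set from script and commas introduced by concatenated HTTP headers need the runtime use counter discussed in the thread.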
On Wed, Jul 22, 2020 at 8:58 PM Ian Clelland <icle...@chromium.org> wrote:

> 0.02% is an upper bound; unfortunately we don't currently distinguish between a comma created by concatenating HTTP headers and a comma in the text of an iframe allow attribute. The deprecation CL does add such a use counter. (WIP at https://chromium-review.googlesource.com/c/chromium/src/+/2313298)

I'd expect concatenated HTTP headers to be quite common, so it would be good to get data on the distinction between headers and attributes.

> In general, the attribute is used to grant features to cross-origin subframes which would normally be blocked. If we stop accepting the comma as a separator, then those frames will no longer be able to use those features, or to request permission to use those features. They will act like any other third-party embedded frame, with no extra privileges. For a feature like fullscreen, the embedded site will see that window.fullscreenEnabled is always false. For permission-based features, they will see that permission is always denied when requested (exactly as if the user always declined, although this will be invisible to the user).
>
> Looking through HTTPArchive, out of the 225 pages which include a static allow attribute with a comma, we see this distribution of features:
>
> fullscreen: 181 mentions
> autoplay: 97
> accelerometer: 79
> gyroscope: 76
> geolocation: 64
> vr: 54
> encrypted-media: 34
> microphone: 18
> camera: 17
> picture-in-picture: 15
> payment: 6
> midi: 1

My rough math says that from a page perspective, 225/5M gives us ~0.0045%