Unless somebody else is working on this already, I'm starting to look into/work on making it possible to specify origin trial tokens in HTTP headers, since this is something I'll need for both foreign fetch and the related link rel=serviceworker support.I think there are three parts to implementing this:1) code in blink to make sure tokens in http headers are treated as if there were <meta> elements in the document2) code in blink to add support for tokens in shared workers/service workers (and dedicated workers? although that might be separate if the conclusion was for those to inherit their tokens from the document that owns them).3) API accessible from the browser process to validate tokensI'm primarily interested in 2 and 3, since that's what will be needed for the features I'm working on, but it would probably be confusing if 1 isn't also implemented (and that part should be pretty easy anyway).
For 3 though, why does all the origin trial token related code currently live in content/renderer? I would have at least expected this to be in content/child, but for almost all of this code I don't understand why it isn't just in content/common instead. Any objections to just moving the code there?
Some related questions:- name of the header? Probably something like X-Origin-Trials would work for now?
- when the header is supported it probably makes sense to change the meta tag to require <meta http-equiv=x-origin-trials" (or just "origin-trials") rather than <meta name="origin-trials" as it is now?
Marijn,As discussed on the Intent to Ship thread, there is an existing issue for adding support for an HTTP header (crbug.com/582045). No one is working on that yet, so it'd be great if you can get started. I am going to work on changing the meta tag to use http-equiv in M50 (see crbug.com/590349).
Separately, you mentioned the design doc for installing service workers. I did review earlier, but didn't really have any comments at the time. I'll need to dig in deeper, to make sure I'm understanding the relevant code. The problem of code duplication is relevant to the EF as well. Both for the HTTP header vs meta tag, and for checks in the browser vs in Blink. If you can solve that duplication that would certainly help.
Other comments inline below.Thanks,Jason
On Thursday, February 25, 2016 at 4:30:05 PM UTC-5, Marijn Kruisselbrink wrote:Unless somebody else is working on this already, I'm starting to look into/work on making it possible to specify origin trial tokens in HTTP headers, since this is something I'll need for both foreign fetch and the related link rel=serviceworker support.I think there are three parts to implementing this:1) code in blink to make sure tokens in http headers are treated as if there were <meta> elements in the document2) code in blink to add support for tokens in shared workers/service workers (and dedicated workers? although that might be separate if the conclusion was for those to inherit their tokens from the document that owns them).3) API accessible from the browser process to validate tokensI'm primarily interested in 2 and 3, since that's what will be needed for the features I'm working on, but it would probably be confusing if 1 isn't also implemented (and that part should be pretty easy anyway).Hopefully it is easy to implement :-). I think it might be more complicated, because we want to change how meta tags are currently handled. As in crbug.com/588151, the current implementation unintentionally allows for meta tags injected via JavaScript. We need to fix that, and initial thinking was to move the extraction of meta tags to the preload scanner (or somewhere earlier in the page life cycle).
For 3 though, why does all the origin trial token related code currently live in content/renderer? I would have at least expected this to be in content/child, but for almost all of this code I don't understand why it isn't just in content/common instead. Any objections to just moving the code there?Ian could add more details, if needed. As I recall, at least some of the trial token code was in content/common. But, there were some layering violations, and reviewer feedback that asked for it to be moved to content/renderer, until there was actually code using trial tokens outside of the renderer.
Some related questions:- name of the header? Probably something like X-Origin-Trials would work for now?- when the header is supported it probably makes sense to change the meta tag to require <meta http-equiv=x-origin-trials" (or just "origin-trials") rather than <meta name="origin-trials" as it is now?As above, I'm working on changing to http-equiv. I'm not sure about best practices for naming extension meta tags with a corresponding HTTP header. As suggested by Phistuck in the other thread, ideally the meta tag format would be stable starting with M50. I'm fine with X-Origin-Trials for the header, but if that implies using "x-origin-trials" for the meta tag, it would be good to sort that out now.
On Fri, Feb 26, 2016 at 3:53 PM, Jason Chase <cha...@chromium.org> wrote:Marijn,As discussed on the Intent to Ship thread, there is an existing issue for adding support for an HTTP header (crbug.com/582045). No one is working on that yet, so it'd be great if you can get started. I am going to work on changing the meta tag to use http-equiv in M50 (see crbug.com/590349).Sounds good.Separately, you mentioned the design doc for installing service workers. I did review earlier, but didn't really have any comments at the time. I'll need to dig in deeper, to make sure I'm understanding the relevant code. The problem of code duplication is relevant to the EF as well. Both for the HTTP header vs meta tag, and for checks in the browser vs in Blink. If you can solve that duplication that would certainly help.I don't think there really is much of a risk of code duplication with regards to the EF. The actual token validation code can just move to content/common. Extracting tokens from various places is all pretty straightforward as well, since these will just be comma-separated lists, both in the header and in the meta tag. On the renderer side there are APIs to check if an experiment is enabled in an ExecutionContext, on the browser side I would at least want an API to check if an experiment is enabled in a net::URLRequest. But both those APIs will just delegate to the same "is this token valid for this experiment on this origin" API that already mostly exists.
Other comments inline below.Thanks,Jason
On Thursday, February 25, 2016 at 4:30:05 PM UTC-5, Marijn Kruisselbrink wrote:Unless somebody else is working on this already, I'm starting to look into/work on making it possible to specify origin trial tokens in HTTP headers, since this is something I'll need for both foreign fetch and the related link rel=serviceworker support.I think there are three parts to implementing this:1) code in blink to make sure tokens in http headers are treated as if there were <meta> elements in the document2) code in blink to add support for tokens in shared workers/service workers (and dedicated workers? although that might be separate if the conclusion was for those to inherit their tokens from the document that owns them).3) API accessible from the browser process to validate tokensI'm primarily interested in 2 and 3, since that's what will be needed for the features I'm working on, but it would probably be confusing if 1 isn't also implemented (and that part should be pretty easy anyway).Hopefully it is easy to implement :-). I think it might be more complicated, because we want to change how meta tags are currently handled. As in crbug.com/588151, the current implementation unintentionally allows for meta tags injected via JavaScript. We need to fix that, and initial thinking was to move the extraction of meta tags to the preload scanner (or somewhere earlier in the page life cycle).It actually seems like it is less complicated because of those planned changes? If you're changing how meta tags are handled, adding header support on top should really be rather trivial. Presumably you'll somehow store a list of trial tokens in the Document (or maybe more generally ExecutionContext?) at which point to support headers all that would be needed is to add those tokens to that same list.
For 3 though, why does all the origin trial token related code currently live in content/renderer? I would have at least expected this to be in content/child, but for almost all of this code I don't understand why it isn't just in content/common instead. Any objections to just moving the code there?Ian could add more details, if needed. As I recall, at least some of the trial token code was in content/common. But, there were some layering violations, and reviewer feedback that asked for it to be moved to content/renderer, until there was actually code using trial tokens outside of the renderer.Hmm, okay. Sounds like there should be no problems then to move code content/common where applicable.Some related questions:- name of the header? Probably something like X-Origin-Trials would work for now?- when the header is supported it probably makes sense to change the meta tag to require <meta http-equiv=x-origin-trials" (or just "origin-trials") rather than <meta name="origin-trials" as it is now?As above, I'm working on changing to http-equiv. I'm not sure about best practices for naming extension meta tags with a corresponding HTTP header. As suggested by Phistuck in the other thread, ideally the meta tag format would be stable starting with M50. I'm fine with X-Origin-Trials for the header, but if that implies using "x-origin-trials" for the meta tag, it would be good to sort that out now.Actually looking at this more, X-Origin-Trials would be bad, we should just use Origin-Trials (nor sure about plural/singular though) for the header and tag. See also https://tools.ietf.org/html/rfc7231#section-8.3 for the process for defining new http headers, and the explicit comment not to use "X-" for internet exposed headers. To register the header in the IANA registry we'd of course need to come up with an actual spec (although for a "provisional" registration it seems that spec can just be any document on the internet. For a "permanent" registration that spec would need to be more formal afaict).
On Friday, February 26, 2016 at 7:20:15 PM UTC-5, Marijn Kruisselbrink wrote:On Fri, Feb 26, 2016 at 3:53 PM, Jason Chase <cha...@chromium.org> wrote:Marijn,As discussed on the Intent to Ship thread, there is an existing issue for adding support for an HTTP header (crbug.com/582045). No one is working on that yet, so it'd be great if you can get started. I am going to work on changing the meta tag to use http-equiv in M50 (see crbug.com/590349).Sounds good.Separately, you mentioned the design doc for installing service workers. I did review earlier, but didn't really have any comments at the time. I'll need to dig in deeper, to make sure I'm understanding the relevant code. The problem of code duplication is relevant to the EF as well. Both for the HTTP header vs meta tag, and for checks in the browser vs in Blink. If you can solve that duplication that would certainly help.I don't think there really is much of a risk of code duplication with regards to the EF. The actual token validation code can just move to content/common. Extracting tokens from various places is all pretty straightforward as well, since these will just be comma-separated lists, both in the header and in the meta tag. On the renderer side there are APIs to check if an experiment is enabled in an ExecutionContext, on the browser side I would at least want an API to check if an experiment is enabled in a net::URLRequest. But both those APIs will just delegate to the same "is this token valid for this experiment on this origin" API that already mostly exists.Sounds like a good plan. Minor quibble is that the design/implementation is currently one token per meta tag, with multiple meta tags used to specify more than one token.
Other comments inline below.Thanks,Jason
On Thursday, February 25, 2016 at 4:30:05 PM UTC-5, Marijn Kruisselbrink wrote:Unless somebody else is working on this already, I'm starting to look into/work on making it possible to specify origin trial tokens in HTTP headers, since this is something I'll need for both foreign fetch and the related link rel=serviceworker support.I think there are three parts to implementing this:1) code in blink to make sure tokens in http headers are treated as if there were <meta> elements in the document2) code in blink to add support for tokens in shared workers/service workers (and dedicated workers? although that might be separate if the conclusion was for those to inherit their tokens from the document that owns them).3) API accessible from the browser process to validate tokensI'm primarily interested in 2 and 3, since that's what will be needed for the features I'm working on, but it would probably be confusing if 1 isn't also implemented (and that part should be pretty easy anyway).Hopefully it is easy to implement :-). I think it might be more complicated, because we want to change how meta tags are currently handled. As in crbug.com/588151, the current implementation unintentionally allows for meta tags injected via JavaScript. We need to fix that, and initial thinking was to move the extraction of meta tags to the preload scanner (or somewhere earlier in the page life cycle).It actually seems like it is less complicated because of those planned changes? If you're changing how meta tags are handled, adding header support on top should really be rather trivial. Presumably you'll somehow store a list of trial tokens in the Document (or maybe more generally ExecutionContext?) at which point to support headers all that would be needed is to add those tokens to that same list.I haven't really thought through what the implementation will look like. But your idea sounds reasonable, so maybe it will be relatively simple. I guess I was defaulting to unknown = hard.For 3 though, why does all the origin trial token related code currently live in content/renderer? I would have at least expected this to be in content/child, but for almost all of this code I don't understand why it isn't just in content/common instead. Any objections to just moving the code there?Ian could add more details, if needed. As I recall, at least some of the trial token code was in content/common. But, there were some layering violations, and reviewer feedback that asked for it to be moved to content/renderer, until there was actually code using trial tokens outside of the renderer.Hmm, okay. Sounds like there should be no problems then to move code content/common where applicable.Some related questions:- name of the header? Probably something like X-Origin-Trials would work for now?- when the header is supported it probably makes sense to change the meta tag to require <meta http-equiv=x-origin-trials" (or just "origin-trials") rather than <meta name="origin-trials" as it is now?As above, I'm working on changing to http-equiv. I'm not sure about best practices for naming extension meta tags with a corresponding HTTP header. As suggested by Phistuck in the other thread, ideally the meta tag format would be stable starting with M50. I'm fine with X-Origin-Trials for the header, but if that implies using "x-origin-trials" for the meta tag, it would be good to sort that out now.Actually looking at this more, X-Origin-Trials would be bad, we should just use Origin-Trials (nor sure about plural/singular though) for the header and tag. See also https://tools.ietf.org/html/rfc7231#section-8.3 for the process for defining new http headers, and the explicit comment not to use "X-" for internet exposed headers. To register the header in the IANA registry we'd of course need to come up with an actual spec (although for a "provisional" registration it seems that spec can just be any document on the internet. For a "permanent" registration that spec would need to be more formal afaict).It appears that registering the header is the easy part :-). The HTML spec defines http-equiv as an enumerated attribute (https://www.w3.org/TR/html5/document-metadata.html#pragma-directives). I'm taking that to mean we shouldn't simply add a new http-equiv value. For 100% correctness, it seems we would have to make changes to the HTML spec. Given we're just launching the MVP, I think it's premature to start down that path. We should certainly get an understanding of what would be involved from a standards perspective. In the meantime, anyone gone through this, or similar, before?
Pending the outcome of the standardization issue, I think we should likely leave it as is for M50, with <meta name="origin-trials">. Unless we have a firm answer on future
standardization, we could end up making changes in the future anyway.
--
You received this message because you are subscribed to the Google Groups "experimentation-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to experimentation...@chromium.org.
To post to this group, send email to experimen...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/experimentation-dev/d3908b78-f8c1-4d68-bfde-bd745496eee5%40chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to experimentation-dev+unsub...@chromium.org.
To post to this group, send email to experimentation-dev@chromium.org.
Jason
Thanks,
To unsubscribe from this group and stop receiving emails from it, send an email to experimentation...@chromium.org.
To post to this group, send email to experimen...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/experimentation-dev/d3908b78-f8c1-4d68-bfde-bd745496eee5%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "experimentation-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/experimentation-dev/3b6d8b58-ab46-4ed5-88b9-881160f54558%40chromium.org.To unsubscribe from this group and stop receiving emails from it, send an email to experimentation...@chromium.org.
To post to this group, send email to experimen...@chromium.org.
Jason
Thanks,
To unsubscribe from this group and stop receiving emails from it, send an email to experimentation-dev+unsub...@chromium.org.
To post to this group, send email to experimentation-dev@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/experimentation-dev/d3908b78-f8c1-4d68-bfde-bd745496eee5%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "experimentation-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to experimentation-dev+unsub...@chromium.org.
To post to this group, send email to experimentation-dev@chromium.org.