Re: Temporarily unship sendBeacon() support for non-simple Content-Type


Takeshi Yoshino

Apr 28, 2017, 5:19:01 AM
to Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, igri...@chromium.org, blink-api-ow...@chromium.org
Corrected address.

On Fri, Apr 28, 2017 at 6:17 PM, Takeshi Yoshino <tyos...@chromium.org> wrote:
Sending again from chromium.org

On Fri, Apr 28, 2017 at 6:16 PM, Takeshi Yoshino <tyos...@google.com> wrote:
Hi Blink API owners,

We briefly discussed this with foolip@ in person when he was in Tokyo and he suggested reaching out here. Sorry for the delay.

I summarized the current situation into a doc. Can I get your help in deciding how to deal with it?


Thank you
 


Jochen Eisinger

Apr 28, 2017, 5:24:50 AM
to Takeshi Yoshino, Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, igri...@chromium.org, blink-api-ow...@chromium.org
IMO adhering to the same origin policy is of very high value, so I'm supporting unshipping this.

--
You received this message because you are subscribed to the Google Groups "blink-api-owners-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-api-owners-d...@chromium.org.
To post to this group, send email to blink-api-ow...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-api-owners-discuss/CAH9hSJZzQTBpU4ZvTO3iwmXHLoH1yZyYku8YF43RDH0Nc5NnDw%40mail.gmail.com.

Ilya Grigorik

Apr 28, 2017, 12:22:09 PM
to Jochen Eisinger, Takeshi Yoshino, Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
sendBeacon() (in the Beacon API spec) implementation in Chrome has a security issue which is tracked here. Since we think we don’t have a reasonable immediate fix for it, we’re considering temporarily unshipping it until we finish fixing the underlying architecture.

^ reads as we're unshipping sendBeacon entirely. Later in the comments it's specifically talking about non-simple Content-Types. Which one are we talking about? Hopefully not the former.. :) 


Joe Medley

Apr 28, 2017, 12:50:41 PM
to Ilya Grigorik, Jochen Eisinger, Takeshi Yoshino, Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
Does this have a tracking bug? I'd like to include this in a deprecations/removals post, but I need a way to track it for correct timing.

Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.


Takeshi Yoshino

May 1, 2017, 6:29:56 AM
to Joe Medley, Ilya Grigorik, Jochen Eisinger, Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
On Sat, Apr 29, 2017 at 1:50 AM, Joe Medley <jme...@google.com> wrote:
Does this have a tracking bug? I'd like to include this in a deprecations/removals post, but I need a way to track it for correct timing.


We already have this under Finch control as Mike suggested. So, removal can happen not in sync with release if appropriate.
 


On Fri, Apr 28, 2017 at 9:21 AM, 'Ilya Grigorik' via blink-api-owners-discuss <blink-api-owners-discuss@chromium.org> wrote:
sendBeacon() (in the Beacon API spec) implementation in Chrome has a security issue which is tracked here. Since we think we don’t have a reasonable immediate fix for it, we’re considering temporarily unshipping it until we finish fixing the underlying architecture.

^ reads as we're unshipping sendBeacon entirely. Later in the comments it's specifically talking about non-simple Content-Types. Which one are we talking about? Hopefully not the former.. :) 


Sorry. I've fixed the main text to clarify this is only about calls with non-CORS-safelisted Content-Type.
 

Ilya Grigorik

May 1, 2017, 10:44:02 AM
to Takeshi Yoshino, Joe Medley, Jochen Eisinger, Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
On Mon, May 1, 2017 at 3:29 AM, Takeshi Yoshino <tyos...@chromium.org> wrote:


Sorry. I've fixed the main text to clarify this is only about calls with non-CORS-safelisted Content-Type.

Phew -- ok, that sounds good. Thanks Takeshi.

Takeshi Yoshino

May 10, 2017, 4:54:37 AM
to Ilya Grigorik, Joe Medley, Jochen Eisinger, Mike West, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
Thanks all for review.

I'll proceed to disable it on trunk to make sure it happens for M60.

I'll also work on launch review to consider merging to M59 and Finch based release to stable.

Mike West

May 10, 2017, 5:03:51 AM
to Takeshi Yoshino, Ilya Grigorik, Joe Medley, Jochen Eisinger, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
1. Yes, please disable this in M60.

2. This feels a little ad hoc, and as Joe noted, it would be good to trigger all the usual reviews and notifications that the usual process triggers. So, I think it's worth turning this into a "real" intent to deprecate `no-cors`-style requests for non-simple `Content-Type`, and sending it out to blink-dev@. When you're ready to ship a preflight-enabled version, you can do so via the same process.


-mike
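
As an added illustration (not part of the thread and not Chromium code), the sketch below shows the distinction the thread turns on: which `Content-Type` values are CORS-safelisted, and how a server can flag cross-origin POSTs that carried a non-safelisted type from an origin it never approved. The function names, origins and sample requests are constructed, and the safelist check is a simplified form of the Fetch rule.

```javascript
// Added example: names are illustrative, not Chromium or Fetch-spec APIs.
const SAFELISTED_ESSENCES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Simplified form of the Fetch "CORS-safelisted request-header" rule for
// Content-Type: reject unsafe bytes, then compare the MIME essence
// (type/subtype with parameters dropped).
function isCorsSafelistedContentType(value) {
  if (typeof value !== "string" || value.length > 128) return false;
  // Bytes Fetch treats as CORS-unsafe in a request-header value.
  if (/[\x00-\x08\x0a-\x1f\x7f"():<>?@[\\\]{}]/.test(value)) return false;
  const essence = value.split(";")[0].trim().toLowerCase();
  return SAFELISTED_ESSENCES.has(essence);
}

// Server-side audit that does not assume a preflight happened: flag POSTs
// whose Content-Type would have required a preflight and whose Origin is
// not on the server's allowlist.
function flagUnpreflighted(requests, allowedOrigins) {
  return requests.filter(
    (r) =>
      r.method === "POST" &&
      !allowedOrigins.has(r.origin) &&
      !isCorsSafelistedContentType(r.contentType)
  );
}

// Constructed sample requests (not taken from the thread).
const SAMPLE = [
  { id: 1, method: "POST", origin: "https://app.example", contentType: "application/json" },
  { id: 2, method: "POST", origin: "https://other.example", contentType: "text/plain;charset=UTF-8" },
  { id: 3, method: "POST", origin: "https://other.example", contentType: "application/json" },
  { id: 4, method: "POST", origin: "https://other.example", contentType: "multipart/form-data; boundary=x" },
];
const ALLOWED = new Set(["https://app.example"]);

console.log(flagUnpreflighted(SAMPLE, ALLOWED).map((r) => r.id));
```

Requests 2 and 4 are ordinary `no-cors`-style requests that never needed a preflight; request 3 is the kind a server should reject unless it checks `Origin` itself rather than relying on the browser to have preflighted.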

Takeshi Yoshino

May 10, 2017, 5:13:23 AM
to Mike West, Ilya Grigorik, Joe Medley, Jochen Eisinger, Philip Jägenstedt, blink-ne...@chromium.org, Yutaka Hirano, Kenji Baheux, Ryan Sleevi, blink-api-owners-discuss
On Wed, May 10, 2017 at 6:03 PM, Mike West <mk...@chromium.org> wrote:
1. Yes, please disable this in M60.

2. This feels a little ad hoc, and as Joe noted, it would be good to trigger all the usual reviews and notifications that the usual process triggers. So, I think it's worth turning this into a "real" intent to deprecate `no-cors`-style requests for non-simple `Content-Type`, and sending it out to blink-dev@. When you're ready to ship a preflight-enabled version, you can do so via the same process.


Yes. I planned. Will do.
 

--
You received this message because you are subscribed to the Google Groups "blink-network-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-network-dev+unsubscribe@chromium.org.
To post to this group, send email to blink-ne...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-network-dev/CAKXHy%3Df-FSnbctXiQRytL7EDmW7o0GDM2afQwAa6R4r16BGhEw%40mail.gmail.com.
