Contact emails
Spec
Not applicable.
Summary
Chromium bug: http://crbug.com/364716
Design doc: http://goo.gl/x1jNfu
I intend to re-implement Chrome's plugin placeholders (e.g. those that are displayed when a plugin is not available, configured for click-to-play, etc.) using user agent shadow DOM in Blink. I would like to use Blink-in-JS to express the UI logic within these placeholders. This is strictly a browser/user-facing feature; authors only write an <object> tag or equivalent, and Chrome may choose to substitute a placeholder in cases where it decides that loading a plugin is not possible or not desirable.
Motivation
WebViewPlugin is one of the last remaining uses (another being the printing code) of the Chromium’s software path for graphics, which does not use either the software or hardware compositing mode. The compositor team would like to remove this legacy code path.
Shadow DOM is the natural way to embed (encapsulated) HTML content inside another HTML document on the web platform. By being in the same document, it benefits from improvements in the normal main-frame code (compositing, accessibility, animation, input handling, etc.) automatically. It is also open to inspection by DevTools, so authors can see how the UI is built with the technologies available to them.
Compatibility Risk
Low; I'm only proposing to replace our current implementation, and there is no exposed API surface. For what it's worth, Firefox seems to use their analogue to UA shadow DOM ("bindings") to implement their plugin placeholders.
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, and Android, and Android WebView)?
Yes.
OWP launch tracking bug?
Not applicable.
Link to entry on the feature dashboard
Not applicable.
Requesting approval to ship?
No; this feature requires a Chromium-side flag to be set at present. I don't believe this requires API owner approval to ship once finished, though, since it does not affect the web platform API surface.
CSS will be loaded into (and scoped to) the shadow root from a resource made available through a private resource scheme (CL in review).
Dependent resources (e.g. images) can be loaded with relative URLs to this stylesheet.
2. What privileged capabilities does this require? (Alternatively, "what private script APIs are desired?")To match the current implementation, two unusual capabilities are required:(a) A way to continue loading a plugin, even when the user has configured it for click-to-play.- The simplest version of this would be a private (Blink-in-JS-only) "loadPlugin()" API on either the plugin element or the placeholder element. This is fairly simple and would not be web-exposed (nor would it be appropriate for it to be exposed, since it would allow authors to ignore the user's choice to not load potentially annoying or dangerous content by default).- If the UI logic is in Blink-in-JS, an alternative way of invoking C++ might be emitting a private CustomEvent. Special C++ hooks (which already exist, but nonetheless...) would be needed to prevent this event from propagating outside the placeholder; they should not be visible even to capture-phase event listeners.- If neither of these is acceptable, the DOM could be generated and controlled from C++, which would remove the need for a JS-to-C++ call here, but this complicates the code with lifetime management concerns.(b) A way to open plugin settings (chrome://plugins/) on user request (currently shown in the "disabled plugin" placeholder). chrome:// URLs are privileged, and unprivileged renderers cannot ordinarily cause navigation to them.- The current placeholders attempt to do this (though it doesn't seem to work right now) by sending ChromeViewHostMsg_OpenAboutPlugins to the browser process. A call into C++ (via a private binding or event, as above) would let Blink notify the embedder of this event; the embedder could then dispatch an IPC to the browser process similarly to today.- A more webby way of triggering navigation would be to simply have a link. Currently there are two protections against this: First, Chromium (in the renderer) configures Blink to treat the chrome:// scheme as "display isolated", so Blink cancels any navigations to that scheme. Secondly, the browser process filters URLs according to the child's security policy (and this policy causes all chrome:// URLs to be rewritten to about:blank). It might be possible to poke holes in both of these measures to allow this navigation to occur, but this would require careful security consideration.
I'm concerned about adding a private URL scheme for this. I think we should add a regular API to get the code from chrome to blink.
Dependent resources (e.g. images) can be loaded with relative URLs to this stylesheet.or encoded as data: urls
CSS will be loaded into (and scoped to) the shadow root from a resource made available through a private resource scheme (CL in review).I'm concerned about adding a private URL scheme for this. I think we should add a regular API to get the code from chrome to blink.Dependent resources (e.g. images) can be loaded with relative URLs to this stylesheet.or encoded as data: urls
2. What privileged capabilities does this require? (Alternatively, "what private script APIs are desired?")To match the current implementation, two unusual capabilities are required:(a) A way to continue loading a plugin, even when the user has configured it for click-to-play.- The simplest version of this would be a private (Blink-in-JS-only) "loadPlugin()" API on either the plugin element or the placeholder element. This is fairly simple and would not be web-exposed (nor would it be appropriate for it to be exposed, since it would allow authors to ignore the user's choice to not load potentially annoying or dangerous content by default).- If the UI logic is in Blink-in-JS, an alternative way of invoking C++ might be emitting a private CustomEvent. Special C++ hooks (which already exist, but nonetheless...) would be needed to prevent this event from propagating outside the placeholder; they should not be visible even to capture-phase event listeners.- If neither of these is acceptable, the DOM could be generated and controlled from C++, which would remove the need for a JS-to-C++ call here, but this complicates the code with lifetime management concerns.(b) A way to open plugin settings (chrome://plugins/) on user request (currently shown in the "disabled plugin" placeholder). chrome:// URLs are privileged, and unprivileged renderers cannot ordinarily cause navigation to them.- The current placeholders attempt to do this (though it doesn't seem to work right now) by sending ChromeViewHostMsg_OpenAboutPlugins to the browser process. A call into C++ (via a private binding or event, as above) would let Blink notify the embedder of this event; the embedder could then dispatch an IPC to the browser process similarly to today.- A more webby way of triggering navigation would be to simply have a link. Currently there are two protections against this: First, Chromium (in the renderer) configures Blink to treat the chrome:// scheme as "display isolated", so Blink cancels any navigations to that scheme. Secondly, the browser process filters URLs according to the child's security policy (and this policy causes all chrome:// URLs to be rewritten to about:blank). It might be possible to poke holes in both of these measures to allow this navigation to occur, but this would require careful security consideration.I'd rather avoid having any hole where a regular renderer can navigate to chrome URLs.
On Fri, Nov 21, 2014 at 5:30 PM, Jochen Eisinger <joc...@chromium.org> wrote:I'm concerned about adding a private URL scheme for this. I think we should add a regular API to get the code from chrome to blink.The advantage of a new scheme is that we can use the existing CSP/MIX-bypass mechanisms. Otherwise we'll have issues ensuring that the UI looks like it's supposed to when it's embedded on sites across the web.
2. What privileged capabilities does this require? (Alternatively, "what private script APIs are desired?")To match the current implementation, two unusual capabilities are required:(a) A way to continue loading a plugin, even when the user has configured it for click-to-play.- The simplest version of this would be a private (Blink-in-JS-only) "loadPlugin()" API on either the plugin element or the placeholder element. This is fairly simple and would not be web-exposed (nor would it be appropriate for it to be exposed, since it would allow authors to ignore the user's choice to not load potentially annoying or dangerous content by default).- If the UI logic is in Blink-in-JS, an alternative way of invoking C++ might be emitting a private CustomEvent. Special C++ hooks (which already exist, but nonetheless...) would be needed to prevent this event from propagating outside the placeholder; they should not be visible even to capture-phase event listeners.- If neither of these is acceptable, the DOM could be generated and controlled from C++, which would remove the need for a JS-to-C++ call here, but this complicates the code with lifetime management concerns.(b) A way to open plugin settings (chrome://plugins/) on user request (currently shown in the "disabled plugin" placeholder). chrome:// URLs are privileged, and unprivileged renderers cannot ordinarily cause navigation to them.- The current placeholders attempt to do this (though it doesn't seem to work right now) by sending ChromeViewHostMsg_OpenAboutPlugins to the browser process. A call into C++ (via a private binding or event, as above) would let Blink notify the embedder of this event; the embedder could then dispatch an IPC to the browser process similarly to today.- A more webby way of triggering navigation would be to simply have a link. Currently there are two protections against this: First, Chromium (in the renderer) configures Blink to treat the chrome:// scheme as "display isolated", so Blink cancels any navigations to that scheme. Secondly, the browser process filters URLs according to the child's security policy (and this policy causes all chrome:// URLs to be rewritten to about:blank). It might be possible to poke holes in both of these measures to allow this navigation to occur, but this would require careful security consideration.I'd rather avoid having any hole where a regular renderer can navigate to chrome URLs.Does this refer only to (b), or also to (a)? Regular renderers already do have permission to send ChromeViewHostMsg_OpenAboutPlugins to the browser. Using something similar to this was my initial plan; (b) describes what esprehn@'s comment on my CL (https://codereview.chromium.org/740063002/#msg13) would entail.
pinging this thread again after the thanksgiving break...
On Fri Nov 21 2014 at 8:22:10 PM Jochen Eisinger <joc...@chromium.org> wrote:
On Fri Nov 21 2014 at 5:45:36 PM Jeremy Roman <jbr...@chromium.org> wrote:
On Fri, Nov 21, 2014 at 11:30 AM, Jochen Eisinger <joc...@chromium.org> wrote:
Thanks for starting the thread.
On Fri Nov 21 2014 at 4:28:36 PM Jeremy Roman <jbr...@chromium.org> wrote:
This is arguably not a formal Intent to Implement since it isn't a web platform feature per se -- and it's somewhat retroactive -- but I've been asked to adopt this template nonetheless since I intend to use Blink-in-JS in its implementation.
Chromium bug: http://cunusedunusedrbug.com/364716