Hi API OWNERs! (+cc domenic@ who as an HTML Editor may have opinions)
I'm working on the fenced frames feature and we have a few specific questions about API placement and ergonomics that we feel the API OWNERs may be able to provide guidance on.
Limiting HTMLFencedFrameElement to secure contexts
There has been some discussion around whether or not we want to limit the creation of <fencedframe> elements to secure contexts. Note that this is referring to the secure-ness of the creating page, not the page inside the fenced frame (the latter is limited to potentially-trustworth URLs).
We recognize that on one hand, HTTPs is basically table stakes for most new powerful APIs on the web platform. In this vein, today's known primary consumers of fenced frames do not have any requirements around using them in HTTP sites (i.e., FLEDGE is already limited to secure contexts, etc) so it should be no problem limiting FF construction to secure contexts from that perspective.
On the other hand, is that enough to needlessly limit fenced frame creation to HTTPs pages? The <fencedframe> element, while originally created with today's primary consumers in mind, should be seen as a general frame loading primitive so it is unclear if it is appropriate to preclude all valid use-cases of this on HTTP sites for example. In this vein, while plenty of JS APIs are gated behind the `SecureContext` WebIDL extended attribute, there are currently no HTML elements gated behind this, so gating an element in this way seems novel, and may be less suitable to workarounds since pure-HTML sites could more easily end up with HTMLUnknownElements in place of the <fencedframe>.
We consulted the TAG's design principles doc and found relatively ambiguous guidance, so we decided to see if the API OWNERs had strong opinions in either direction. For Googlers, a link to an internal chat thread about this can be found here, and here is a link to some (unfortunately internal too) discussion around SecureContexts and fenced frames in general (not specifically around creation though).
Where to put fenced-frame-specific APIs
There are going to be a few APIs that we plan on exposing specifically inside the context of a fenced frame. Right now the list is small, but we expect it may grow with future use-cases that depend on fenced frames.
One API is called `reportEvent()`, and despite it living on `navigator` in that example we are not convinced that's its proper home. Another API is one where we can navigate the top-level site in the FLEDGE use case, gated on a user gesture. We are bikeshedding around `navigateOutermostDocument("url")` or so (this would have a corresponding reserved frame name like "_outermost", similar to "_top" and "_parent"). In another use-case for fenced frames, we'd like to read the outermost Document's site before granting read-only unpartitioned storage access (i.e., getTopLevelSite() or so).
We're wondering if the API OWNERs have any guidance on where these APIs should live. Same-origin iframes currently have `window.frameElement` which gives them access to the <iframe> element hosting the inner document, returning null inside cross-origin iframes. We were thinking of something like `window.fencedAPIs` that is a bag of APIs inside a fenced frame (regardless of origin), but null in other documents.
Another option proposed was to consider a new Global identifier for the `Exposed` WebIDL extended attribute. Current valid values are, "Window", "Worker", "SharedWorker", "DedicatedWorker", "ServiceWorker", and the various worklet types. If we were to expose these APIs directly on the `window` global only inside of a fenced frame I believe this would entail basically subclassing `Window` and introducing `FencedWindow` where all of the `Window` APIs are exposed in addition to the fenced APIs. Since there isn't precedent for subclassing the `Window` global we're not sure if our feature warrants this (I'm thinking no)
If this is too ambiguous of a design question we're happy to spend more time on it ourselves; we're mostly interested in seeing if anything seems like a clear no based on existing web platform look and feel.
Specification requirements for Origin Trial
We are under the impression that there are no specification requirement for features going to Origin Trial. We'd like to confirm with API OWNERs that this guidance extends to fenced frames feature too, when we intend to experiment. There is some concern that due to the massive changes our spec will require to fundamental web platform specification primitives such as browsing context groups etc etc, that the API OWNERs will want to see more of a baked specification for fenced frames than is normally required at the experimenting milestone.
While I think a proper specification is critical to ship, I'd like to confirm whether or not API OWNERs see any special requirements for specifications when it comes time to experiment. My impression is that we won't need to treat fenced frames in a special way here, but I'd like to confirm.
Hi API OWNERs! (+cc domenic@ who as an HTML Editor may have opinions)
I'm working on the fenced frames feature and we have a few specific questions about API placement and ergonomics that we feel the API OWNERs may be able to provide guidance on.
Limiting HTMLFencedFrameElement to secure contexts
There has been some discussion around whether or not we want to limit the creation of <fencedframe> elements to secure contexts. Note that this is referring to the secure-ness of the creating page, not the page inside the fenced frame (the latter is limited to potentially-trustworth URLs).
We recognize that on one hand, HTTPs is basically table stakes for most new powerful APIs on the web platform. In this vein, today's known primary consumers of fenced frames do not have any requirements around using them in HTTP sites (i.e., FLEDGE is already limited to secure contexts, etc) so it should be no problem limiting FF construction to secure contexts from that perspective.
On the other hand, is that enough to needlessly limit fenced frame creation to HTTPs pages? The <fencedframe> element, while originally created with today's primary consumers in mind, should be seen as a general frame loading primitive so it is unclear if it is appropriate to preclude all valid use-cases of this on HTTP sites for example. In this vein, while plenty of JS APIs are gated behind the `SecureContext` WebIDL extended attribute, there are currently no HTML elements gated behind this, so gating an element in this way seems novel, and may be less suitable to workarounds since pure-HTML sites could more easily end up with HTMLUnknownElements in place of the <fencedframe>.
We consulted the TAG's design principles doc and found relatively ambiguous guidance, so we decided to see if the API OWNERs had strong opinions in either direction. For Googlers, a link to an internal chat thread about this can be found here, and here is a link to some (unfortunately internal too) discussion around SecureContexts and fenced frames in general (not specifically around creation though).Where to put fenced-frame-specific APIs
There are going to be a few APIs that we plan on exposing specifically inside the context of a fenced frame. Right now the list is small, but we expect it may grow with future use-cases that depend on fenced frames.
One API is called `reportEvent()`, and despite it living on `navigator` in that example we are not convinced that's its proper home. Another API is one where we can navigate the top-level site in the FLEDGE use case, gated on a user gesture. We are bikeshedding around `navigateOutermostDocument("url")` or so (this would have a corresponding reserved frame name like "_outermost", similar to "_top" and "_parent"). In another use-case for fenced frames, we'd like to read the outermost Document's site before granting read-only unpartitioned storage access (i.e., getTopLevelSite() or so).
We're wondering if the API OWNERs have any guidance on where these APIs should live. Same-origin iframes currently have `window.frameElement` which gives them access to the <iframe> element hosting the inner document, returning null inside cross-origin iframes. We were thinking of something like `window.fencedAPIs` that is a bag of APIs inside a fenced frame (regardless of origin), but null in other documents.
Another option proposed was to consider a new Global identifier for the `Exposed` WebIDL extended attribute. Current valid values are, "Window", "Worker", "SharedWorker", "DedicatedWorker", "ServiceWorker", and the various worklet types. If we were to expose these APIs directly on the `window` global only inside of a fenced frame I believe this would entail basically subclassing `Window` and introducing `FencedWindow` where all of the `Window` APIs are exposed in addition to the fenced APIs. Since there isn't precedent for subclassing the `Window` global we're not sure if our feature warrants this (I'm thinking no)
If this is too ambiguous of a design question we're happy to spend more time on it ourselves; we're mostly interested in seeing if anything seems like a clear no based on existing web platform look and feel.
Specification requirements for Origin Trial
We are under the impression that there are no specification requirement for features going to Origin Trial. We'd like to confirm with API OWNERs that this guidance extends to fenced frames feature too, when we intend to experiment. There is some concern that due to the massive changes our spec will require to fundamental web platform specification primitives such as browsing context groups etc etc, that the API OWNERs will want to see more of a baked specification for fenced frames than is normally required at the experimenting milestone.
While I think a proper specification is critical to ship, I'd like to confirm whether or not API OWNERs see any special requirements for specifications when it comes time to experiment. My impression is that we won't need to treat fenced frames in a special way here, but I'd like to confirm.Please let me know if I can provide any more information or clear anything up.Thanks,Dom
--
You received this message because you are subscribed to the Google Groups "blink-api-owners-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-api-owners-d...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-api-owners-discuss/CAP-uykDJCN7%3DaExGBUy4NyZi39QduE1CtLjuPgHGnN1ST2iVZA%40mail.gmail.com.