Hi API owners,
Carlos and I just met with +Chris Harrelson to discuss the M92 cross-origin JS dialogs deprecation. We agreed to Finch the change off for 2 weeks to allow developers to adopt the reverse origin trial and to gather feedback from any developers for whom the reverse OT isn't sufficient for whatever reason.
However, Carlos and I are concerned about the same thing happening again when we re-enable it -- yet more affected developers coming out of the woodwork then, delaying for yet another release, etc. Since this change has already been delayed several times, we want to see what we can do to make sure we don't just keep delaying indefinitely. In particular, we're hoping we can agree with you all that if no major partners are unable to use the reverse OT, that we'll re-enable in 2 weeks and not delay again.
We are also happy to discuss further outreach that could be done for this change. However, we feel like we've followed all the usual processes and at some point there are always going to be developers who only find out about a breaking change at the last minute, so we want to avoid getting into a cycle of perpetually delaying, especially when we've had so many escape hatches already (multiple announcements, enterprise policy, reverse OT, etc.).
--
Thanks!
Emily
You received this message because you are subscribed to the Google Groups "blink-api-owners-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-api-owners-d...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-api-owners-discuss/CAPP_2SatmpOrzQ14Tj1b4jca_Nwnz5C2ivP7aRak7iAVPEm%2Bmg%40mail.gmail.com.
Not going to add much beyond what Yoav said, but I appreciate what you are trying to do, even if it's hard. This week will, for good and bad, have acted as a wake-up call for those that depend on it and it seems to have given us some information about who critically depend on it and were not reached by previous communication.
Please don't see our request to pause shipping as criticism of
your work. You followed the process, and we (API owners) thought
the change would work and if that was wrong, then we were also
wrong. Now there will be some breathing room to figure out how to
proceed (good thing you had it finchable!).
In the posts on blink-dev I have picked up a couple of things:
* "Cross origin" limitations are not fully understood. Some people think this is blocked for all iframes.
* Alternatives are not known/understood, be it document.body.innerText += "message" or console.log("message") or something else.
* Alternatives are not considered "good enough".
* The purpose of the change is not understood. In what way will web developers (long term) benefit from this change?
* The origin trial to buy an extra couple of months time is not
understood, and will apparently not work for users behind certain
firewalls.
Nothing here looks like a long term showstopper, but I'm not sure
how to communicate all this to most of those that will need to
hear it in a couple of weeks, if it turns out to be many of them.
/Daniel
Hey Emily!
Sorry. I'm ooo. +Rob Dodson as fyi from a docs perspective.
It should be on developer.chrome.com with an explainer about what it is and some best practices to mitigate it, and then be linked to from console warnings etc. It feels like there should be proactive engagement with partners, frameworks and other tools that exhibit this behaviour so they are at least informed of the change or actively working on it.... But that might have already happened given the change
I'm very worried about the 2 week window; it feels extraordinarily rushed given the scale of the breakage being reported. We wouldn't make any TLS changes w/ a window this short, e.g.
Would like for us to recalibrate this change in terms of releases rather than weeks, with metrics gating moving to each more restrictive stage.
On Tuesday, August 3, 2021 at 8:44:39 AM UTC-7 Domenic Denicola wrote:
Hey Emily!
Alex, can you clarify how you are quantifying the scale of the breakage? Breakage is not extremely high by any of the typical metrics (<0.01% of page loads, <0.01% of HTTP Archive results), so again, we'd really like to know what goal posts we are aiming for. We have literally no idea right now if the metric we should be aiming for is usage metrics, complaints on the blink-dev thread/bug reports, major partner escalations, all of the above, or something else.
Two additional notes: (1) this change has nothing to do with TLS so I'm not sure if the comparison there is useful -- TLS deprecations are typically targeting a different audience (server admins rather than web developers) and have very different mitigation strategies, and (2) just to be clear, 2 weeks is not the deprecation period -- the original intent for this change was first sent over a year ago, and has already been delayed several times with ongoing advertisement in typical forums like chromestatus.com, release notes, and console messages. The last time we tried to ship this, we were asked to add a reverse origin trial, which we did and delayed by a release -- so this 2 week delay is intended to just give a break to sites that only just now found out about the origin trial.
Unfortunately, while we feel strongly that this change is the right thing for the web, it's not a super time-sensitive high priority for our team, and we don't have the resources to drive a full-scale outreach effort around it, especially one that includes 1:1 engagements, and especially if we can't define what would make it comfortable to ship. We may have to delay indefinitely if DevRel doesn't have the cycles for it either or if we can't find another owner to drive it. Not saying this as a threat :) just wanting to be clear and upfront about what amount of time we can commit.
On Tue, Aug 3, 2021 at 12:13 PM Alex Russell <sligh...@chromium.org> wrote:
I'm very worried about the 2 week window; it feels extraordinarily rushed given the scale of the breakage being reported. We wouldn't make any TLS changes w/ a window this short, e.g.
Would like for us to recalibrate this change in terms of releases rather than weeks, with metrics gating moving to each more restrictive stage.
On Tuesday, August 3, 2021 at 8:44:39 AM UTC-7 Domenic Denicola wrote:
Hey Emily!
Yeah, and I think that speaks to my fear here. We heard from major SAS providers that this was a crisis, and that fixes will involve a long chain of suppliers. Our collective data sets have a pretty bad enterprise blindness effect, which I think we're seeing in here. Lacking data we can trust, ISTM that we're going to need to manage this on an enterprise-software time-scale, and perhaps solicit SAS vendors or enterprises who'd be willing to work with us to signal an "all clear" w/ their populations, e.g. by testing fractional rollout/removal of an OT.
I suppose my goal for this thread is to come up with a concrete list of what we need to do and/or criteria for deciding whether the change can stick the next time we re-enable it. Should we be aiming for no escalations from major partners? Some maximum quantity of complaints/bug reports? Or if it's more subjective and we can't really come up with a concrete list, that's fine, but it'd be helpful to know that upfront so we can prioritize our time/energy.
My concern is that these breaks have a cumulative reputational effect on the project
For those that may not know me my name is Greg Whitworth, a director at Salesforce and lead our Standards & Web Platform v-team here (it's early days, but continuing to grow).
Thanks for adding me Alex, this thread captures my concerns as well as Salesforce was incredibly impacted by this with over 100 customer reports filed (while I can't share names, just assume many companies in the Fortune 100 were impacted with direct impact to their LOB). Many have direct impact on business efficiency and some were completely blocked due to the way in which some ISVs build on the platform.
Yeah, and I think that speaks to my fear here. We heard from major SAS providers that this was a crisis, and that fixes will involve a long chain of suppliers. Our collective data sets have a pretty bad enterprise blindness effect, which I think we're seeing in here. Lacking data we can trust, ISTM that we're going to need to manage this on an enterprise-software time-scale, and perhaps solicit SAS vendors or enterprises who'd be willing to work with us to signal an "all clear" w/ their populations, e.g. by testing fractional rollout/removal of an OT.
If it's possible, can we move some of the proposed options to this doc I spun up for the retro of this as we're doing one internally at Salesforce as well and I'd like to leverage this moment to possibly discuss opening up the enterprise black box. I'm not sure how feasible the technical options are but it's worth discussing at the very least.
One question I was hoping you (or others) could give us insight into, is why this only flared up after the change hit Stable. I can understand that not everyone has time to read the beta release blog posts or monitor ChromeStatus. But I would have expected the in-product changes to help. Do any of your customers test with Canary/Dev/Beta? Did they see the console warnings that were logged for the last ~year? Any insight would be helpful here, when discussing the larger question of how to communicate breaking changes like this.
most seem to be easily accommodated by the enterprise policy and/or reverse origin trial