Intent to Ship: First-party sets

28 144 megtekintés
Ugrás az első olvasatlan üzenetre

Johann Hofmann

olvasatlan,
2023. márc. 20. 17:31:592023. 03. 20.
– blink-dev, cfre...@chromium.org, shu...@chromium.org, kaust...@chromium.org

Contact emails

cfre...@chromium.org, shu...@chromium.org, kaust...@chromium.org, joha...@chromium.org


Explainer

https://github.com/WICG/first-party-sets


Specification

https://wicg.github.io/first-party-sets


Design docs

First-Party Sets: Initial prototype description

First-Party Sets Prototype Design Doc


Summary

First-Party Sets (“FPS”) provides a framework for developers to declare relationships among sites, to enable limited cross-site cookie access for specific, user-facing purposes. This is facilitated through the use of the Storage Access API and requestStorageAccessFor API.


The First-Party Sets proposal that we intend to ship significantly differs from its originally proposed design, as we have incorporated feedback from various stakeholders. An overview of what changed and why can be found here.


It’s important to note that because of its integration with the Storage Access API and requestStorageAccessFor, FPS is not a feature that is directly web-exposed. We still consider its overall impact on the web platform to be big enough to follow the blink launch process.


We have submitted adjacent Intents to Ship both requestStorageAccess and requestStorageAccessFor.



Blink component

Privacy


TAG review

https://github.com/w3ctag/design-reviews/issues/342


TAG review status

Pending


Risks



Interoperability and Compatibility

This is not a breaking change. To use it, sites will need to opt in to using First-Party Sets. There is no change to existing behavior for sites not opting in to First-Party Sets.



Gecko: Negative (https://github.com/mozilla/standards-positions/issues/350)


WebKit: Negative (https://github.com/WebKit/standards-positions/issues/93)


Web developers: Positive. FPS has been extensively discussed during its incubation in the Privacy CG and the WICG. Throughout this discussion we've consistently seen great interest and participation by web developers.



Other signals: Edge: Positive. Microsoft has been “generally supportive of the effort” since 2020 and had a co-editor on the spec for a while. Edge, in conversations, has confirmed their intent to support FPS after it ships in Chrome. Through the component updater the FPS list should be available to Edge. We will work with the Edge team to make sure that they can potentially host their own version of the (same) list and to ensure cooperation on managing the list.


Ergonomics

Use of the Storage Access API requires sites to run JavaScript before they can access their cookies. No performance concerns.



Activation

Site owners will need to register their first-party sets in a public process, categorizing their usage in subsets and passing a number of technical checks, such as verifying ownership with a /.well-known/ file. The submission guidelines and checks are described in full detail on https://github.com/GoogleChrome/first-party-sets/blob/main/FPS-Submission_Guidelines.md


This feature is meant to allow developers to preserve critical use cases (e.g., shared infrastructure across ccTLDs, service domains)  when Chrome deprecates third-party cookies. As such, it will provide only limited utility right now, but give developers an important head start in testing and preparing their sites for the upcoming deprecation.


FPS will require usage of the Storage Access API and/or requestStorageAccessFor API to have a web-observable effect. This improves cross-browser compatibility (for Storage Access API) but might come with some migration cost for developers that were previously relying on passive cookie access without JavaScript calls.



Security

None



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No



Debuggability

We show a DevTools warning when third-party cookies are blocked and the top-level site is in the same First-Party Set as the embedded site. Further developer tooling will likely be needed to support the eventual deprecation of third-party cookies.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No. This will be supported on Windows, Mac, Linux, Chrome OS, and Android, but will not initially be supported on Android WebView. The First-Party Set information is consumed only by Chrome's implementation of the Storage Access API, which is not implemented in Android WebView.



Is this feature fully tested by web-platform-tests?

No WPTs, as this isn't directly exposed to web content. Both rSA and rSAFor (through which this is exposed) have WPTs.


Flag name

FirstPartySets


Requires code in //chrome?

True


Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1175191


Estimated milestones

Shipping in M113.




Anticipated spec changes

We don't expect backwards-incompatible changes to the general mechanics and web platform integration of FPS. We may improve the policy and technical checks of the submission process. To help with this, submitters should expect that sets will be subject to expiration and / or renewal requirements.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5640066519007232


Links to previous Intent discussions

Intent to prototype: https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/0EMGi-xbI-8/m/FgSjq6TtBwAJ

Intent to Experiment: https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/XkWbQKrBzMg



This intent message was generated by Chrome Platform Status.


Yoav Weiss

olvasatlan,
2023. márc. 29. 5:44:342023. 03. 29.
– Johann Hofmann, blink-dev, cfre...@chromium.org, shu...@chromium.org, kaust...@chromium.org
Thanks for filing this intent. I agree with your analysis that it's not directly web-exposed, and as such, I don't think LGTMs are required (but still appreciate the intent as required context for rSA and rSAF).
We'll see if other API owners disagree.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4jfJ3tEbyWMX6RgJMFhhNe5t5aScd9kNerYMC8THe1-Sg%40mail.gmail.com.

Martin Thomson

olvasatlan,
2023. márc. 31. 3:32:422023. 03. 31.
– Yoav Weiss, Johann Hofmann, blink-dev, cfre...@chromium.org, shu...@chromium.org, kaust...@chromium.org
As long as FPS affects how the web operates in any way, it should be subject to standardization and - I would expect - the same review as any other feature.

Mozilla's view remains that this is not good for the web; we would very much prefer if this feature were not shipped in Chromium as we believe that it will have an adverse effect on our users if you do that.  (We also believe that it will have an adverse effect on Chrome users, but that is less directly concerning to us.)

Regards,
Martin

Chris Harrelson

olvasatlan,
2023. márc. 31. 11:31:102023. 03. 31.
– Martin Thomson, Yoav Weiss, Johann Hofmann, blink-dev, cfre...@chromium.org, shu...@chromium.org, kaust...@chromium.org
Hi Martin,

On Fri, Mar 31, 2023 at 12:32 AM Martin Thomson <m...@mozilla.com> wrote:
As long as FPS affects how the web operates in any way, it should be subject to standardization and - I would expect - the same review as any other feature.

With the plan Yoav is suggesting, the Blink API owners would still review it carefully, but in the context of the other intents that involve web-exposed behavior. In the end, which email we reply to is a technicality; either way, we'll review the entire feature set.

Alex Russell

olvasatlan,
2023. ápr. 5. 11:57:072023. 04. 05.
– blink-dev, Chris Harrelson, Yoav Weiss, Johann Hofmann, blink-dev, Chris Fredrickson, Shuran Huang, Kaustubha Govind, Martin Thomson
Per today's OWNERS meeting, Daniel raised the point that we need a place to approve/dispose the overall FPS direction rather than the smaller point features, so for that reason I'm going to LGTM1 this here (contra Yoav's previous message).

Best,

Alex

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Yoav Weiss

olvasatlan,
2023. ápr. 7. 11:37:162023. 04. 07.
– Alex Russell, blink-dev, Chris Harrelson, Johann Hofmann, Chris Fredrickson, Shuran Huang, Kaustubha Govind, Martin Thomson
Given the above, LGTM2

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/02233b55-3d98-438a-a4be-abb06e180ea3n%40chromium.org.

Mike Taylor

olvasatlan,
2023. ápr. 7. 12:45:412023. 04. 07.
– Yoav Weiss, Alex Russell, blink-dev, Chris Harrelson, Johann Hofmann, Chris Fredrickson, Shuran Huang, Kaustubha Govind, Martin Thomson

After re-reading the spec, explainer, related discussions, and related prior art over the past week or so, I believe that First Party Sets solves important use cases, especially in a post-third-party cookie world.

LGTM3.

Chris Fredrickson

olvasatlan,
2023. máj. 17. 15:11:352023. 05. 17.
– blink-dev, Mike Taylor, blink-dev, Chris Harrelson, Johann Hofmann, Chris Fredrickson, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell
Thanks all. Just an update - we're rolling First-Party Sets out to 1% on Chrome M113 Stable now, and plan to ramp up to 100% over the next few weeks (barring metrics regressions). 

Given the above, LGTM2

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Andrey Lipattsev

olvasatlan,
2023. máj. 30. 8:57:202023. 05. 30.
– blink-dev, Chris Fredrickson, Mike Taylor, blink-dev, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell
How far along is this now? Are we at 100%?

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Chris Fredrickson

olvasatlan,
2023. máj. 30. 10:36:342023. 05. 30.
– blink-dev, Andrey Lipattsev, Chris Fredrickson, Mike Taylor, blink-dev, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell
Hi Andrey,

We're still collecting metrics at 1%. We want to be sure that this feature does not regress core web vitals, which is why we're taking our time and analyzing thoroughly. I will post here when we roll out to 100% (which I expect to be soon, within the next week or so -- if all continues to go well).

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Andrey Lipattsev

olvasatlan,
2023. máj. 31. 10:02:252023. 05. 31.
– blink-dev, Chris Fredrickson, Andrey Lipattsev, Mike Taylor, blink-dev, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell
Sweet, thanks Chris!

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Hugo Bärtges

olvasatlan,
2023. jún. 20. 11:35:342023. 06. 20.
– blink-dev, Andrey Lipattsev, Chris Fredrickson, Mike Taylor, blink-dev, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell
Have we reached the planned 100% of Chrome users by June 16th? 

David Adrian

olvasatlan,
2023. jún. 21. 14:01:442023. 06. 21.
– Hugo Bärtges, blink-dev, Andrey Lipattsev, Chris Fredrickson, Mike Taylor, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell
Is this I2S still using the externally managed JSON blob to identify first party sets, and shipping via Component Updater, i.e. there is not yet a dynamic way to specify First-Party Sets?

Chris Fredrickson

olvasatlan,
2023. jún. 21. 17:15:512023. 06. 21.
– blink-dev, dad...@google.com, blink-dev, Andrey Lipattsev, Chris Fredrickson, Mike Taylor, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell, Hugo Bärtges
Hugo: no, we are still examining metrics and evaluating. I will post to this thread when I have updates.

David: Yes, this implementation consumes the JSON blob from https://github.com/GoogleChrome/first-party-sets via Component Updater. (There's also an enterprise policy that can be used to configure enterprise-internal sets.)

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Chris Fredrickson

olvasatlan,
2023. jún. 28. 13:34:572023. 06. 28.
– blink-dev, Chris Fredrickson, dad...@google.com, blink-dev, Andrey Lipattsev, Mike Taylor, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell, Hugo Bärtges
Hi all,

Our metrics analysis has identified a possible regression in some Core Web Vitals on Android. We have rolled out First-Party Sets to 10% on Stable, but are pausing the rollout here to collect more data and evaluate a proposed fix before rolling out more broadly. We will keep this thread updated with future changes - thanks.

Chris Fredrickson

olvasatlan,
2023. szept. 29. 12:36:012023. 09. 29.
– blink-dev, Chris Fredrickson, dad...@google.com, blink-dev, Andrey Lipattsev, Mike Taylor, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell, Hugo Bärtges
Hi all,

We've concluded our metrics analysis, and are rolling this feature out to 100% of Chrome Stable clients. (We mitigated one regression in browser startup time, and confirmed that all other possible regressions were false positives.) Thank you for your patience.

By way of other updates, the First-Party Sets project was recently renamed to Related Website Sets; more information on that can be found here. (We're in the process of updating relevant documentation, strings, classes, etc.) Additionally, Chrome announced a change in the size limit for the associated subset; it is now 5 (increased from 3). The increased limit will roll out to Chrome clients over the next week or two.

Rick Byers

olvasatlan,
2023. szept. 29. 14:01:562023. 09. 29.
– Chris Fredrickson, blink-dev, dad...@google.com, Andrey Lipattsev, Mike Taylor, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell, Hugo Bärtges
Thanks for the updates Chris!

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

ابوعمار الغظنفر

olvasatlan,
2024. aug. 29. 17:08:24aug. 29.
– blink-dev, Rick Byers, blink-dev, dad...@google.com, Andrey Lipattsev, Mike Taylor, Chris Harrelson, Johann Hofmann, Shuran Huang, Kaustubha Govind, Martin Thomson, Yoav Weiss, Alex Russell, Hugo Bärtges, Chris Fredrickson
Válasz mindenkinek
Válasz a szerzőnek
Továbbítás
0 új üzenet