Contact emails
Spec
Apple developed the spec: https://wicg.github.io/change-password-url
Summary
Websites can set a well-known change-password URL using the format, '/.well-known/change-password', to allow users to quickly navigate to a page allowing them to change their password. Chrome will leverage this URL to help users easily change their weak / compromised passwords following a bulk password check (Desktop, Android, iOS). We want to ship this to 100% in M86.
We’ve published an article announcing that we’ll support '/.well-known/change-password' URL formats: https://web.dev/change-password-url
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
N/A given that this launch isn’t something that developers will need to debug.
Risks
Interoperability and Compatibility
Firefox: Public support (https://bugzilla.mozilla.org/show_bug.cgi?id=1644338)
Safari: Apple developed the spec (https://wicg.github.io/change-password-url)
Ergonomics
N/A considering that we’re not making changes to Blink.
Activation
N/A considering that we’re not making changes to Blink.
Security
N/A considering that we’re not making changes to Blink.
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
N/A considering that we’re not making changes to Blink.
Entry on the feature dashboard
https://chromestatus.com/features/6256768407568384
Tracking bug
On Fri, Sep 11, 2020 at 11:20 AM Chris Harrelson <chri...@chromium.org> wrote:
On Fri, Sep 11, 2020 at 11:10 AM Ali Sarraf <sar...@chromium.org> wrote:
Contact emails
Spec
Apple developed the spec: https://wicg.github.io/change-password-url
Summary
Websites can set a well-known change-password URL using the format, '/.well-known/change-password', to allow users to quickly navigate to a page allowing them to change their password. Chrome will leverage this URL to help users easily change their weak / compromised passwords following a bulk password check (Desktop, Android, iOS). We want to ship this to 100% in M86.
We’ve published an article announcing that we’ll support '/.well-known/change-password' URL formats: https://web.dev/change-password-url
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
N/A given that this launch isn’t something that developers will need to debug.
Risks
Interoperability and Compatibility
Firefox: Public support (https://bugzilla.mozilla.org/show_bug.cgi?id=1644338)
This does not count as public support. See this document.
Safari: Apple developed the spec (https://wicg.github.io/change-password-url)
Is it shipped in Safari yet?
Ergonomics
N/A considering that we’re not making changes to Blink.
The ergonomics are still web-developer-exposed, regardless of where the code changes are in Blink.
e.g. two questions come to mind:
* What should developers expect if they do not implement the server-side feature?
* What if a site has a buggy response to the requests?
* What is the interaction with Service Workers?
Three! :)
Activation
N/A considering that we’re not making changes to Blink.
Same answer as above.
You've already said that you plan to advertise this feature on web.dev, which is a good activation strategy.
Security
N/A considering that we’re not making changes to Blink.
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
N/A considering that we’re not making changes to Blink.
As above, this is not a good N/A reason. However, I agree that it's unclear what a WPT could possibly test for this feature.
Entry on the feature dashboard
https://chromestatus.com/features/6256768407568384
Tracking bug
Hi Chris,
thanks for helping. This is the first time our team goes through the intent to ship process.
On Fri, Sep 11, 2020 at 8:20 PM Chris Harrelson <chri...@chromium.org> wrote:
On Fri, Sep 11, 2020 at 11:20 AM Chris Harrelson <chri...@chromium.org> wrote:
On Fri, Sep 11, 2020 at 11:10 AM Ali Sarraf <sar...@chromium.org> wrote:
Contact emails
Spec
Apple developed the spec: https://wicg.github.io/change-password-url
Summary
Websites can set a well-known change-password URL using the format, '/.well-known/change-password', to allow users to quickly navigate to a page allowing them to change their password. Chrome will leverage this URL to help users easily change their weak / compromised passwords following a bulk password check (Desktop, Android, iOS). We want to ship this to 100% in M86.
We’ve published an article announcing that we’ll support '/.well-known/change-password' URL formats: https://web.dev/change-password-url
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
N/A given that this launch isn’t something that developers will need to debug.
Risks
Interoperability and Compatibility
Firefox: Public support (https://bugzilla.mozilla.org/show_bug.cgi?id=1644338)
This does not count as public support. See this document.
https://mozilla.github.io/standards-positions/#change-password-url --> "worth prototyping"
Safari: Apple developed the spec (https://wicg.github.io/change-password-url)
Is it shipped in Safari yet?
It launched in Safari 13 (https://developer.apple.com/documentation/safari-release-notes/safari-13-release-notes).
Ergonomics
N/A considering that we’re not making changes to Blink.
The ergonomics are still web-developer-exposed, regardless of where the code changes are in Blink.
e.g. two questions come to mind:
* What should developers expect if they do not implement the server-side feature?
If a website does not support this feature, an attempt to navigate to https://www.example.com/.well-known/change-password redirects the user to the homepage (https://www.example.com/).
* What if a site has a buggy response to the requests?
The spec suggests a clever trick:
It is possible that https://www.example.com/.well-known/change-password returns a 200 status even though the server does not support .well-known/change-password and should return 404.
To check for this, we validate that https://www.example.com/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 does NOT return a 200 status (actually, we are more conservative and check that it returns a 404).
Only if the first request returns a 2xx status (after following redirects) and the latter request returns a 404, we actually navigate the user to the final redirect of .well-known/change-password. In all other cases, we send the user to the homepage.
* What is the interaction with Service Workers?
Three! :)
Frankly, I don't know. Does it help saying that we introduce a NavigationThrottle here and that the request for .well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 is created here as a SimpleURLLoader, which uses the SharedURLLoaderFactory of the default storage partition of the webcontents (see here).
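The two-request check described in the reply above, modelled as an added example (not part of the thread and not Chrome's implementation). The response tables and `.example` hosts are constructed, the function names are hypothetical, and following redirects on the probe request is an assumption.

```javascript
const CHANGE_PASSWORD = "/.well-known/change-password";
const PROBE =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";

// Walk a constructed response table (absolute URL -> {status, location}) the way a
// client follows redirects. URLs missing from the table answer 404. A redirect
// chain longer than maxHops (e.g. a loop) is reported as status 0, i.e. failure.
function followRedirects(table, url, maxHops = 10) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = table[url] || { status: 404 };
    const redirect = res.status >= 300 && res.status < 400 && res.location;
    if (!redirect) return { url, status: res.status };
    url = new URL(res.location, url).href; // Location may be relative or cross-site
  }
  return { url, status: 0 };
}

// Rule from the thread: navigate to the final change-password URL only if that
// request ends in 2xx AND the probe returns 404; otherwise go to the homepage.
// Assumption: the probe's redirects are followed too before its status is read.
function changePasswordTarget(origin, table) {
  const main = followRedirects(table, new URL(CHANGE_PASSWORD, origin).href);
  const probe = followRedirects(table, new URL(PROBE, origin).href);
  const supported = main.status >= 200 && main.status < 300 && probe.status === 404;
  return supported ? main.url : new URL("/", origin).href;
}

// Constructed sample sites (not real hosts or captured responses).
const SITES = {
  // Redirects the well-known URL to its real form; unknown paths are 404.
  "https://good.example": {
    "https://good.example/.well-known/change-password": { status: 302, location: "/account/password" },
    "https://good.example/account/password": { status: 200 },
  },
  // "Soft 404": a catch-all handler answers 200 for every path, including the probe.
  "https://soft404.example": {
    "https://soft404.example/.well-known/change-password": { status: 200 },
    ["https://soft404.example" + PROBE]: { status: 200 },
  },
  // Sends every unknown path to a login page, so the probe ends in 200, not 404.
  "https://login.example": {
    "https://login.example/.well-known/change-password": { status: 302, location: "/login" },
    ["https://login.example" + PROBE]: { status: 302, location: "/login" },
    "https://login.example/login": { status: 200 },
  },
};
const results = Object.fromEntries(
  Object.keys(SITES).map((o) => [o, changePasswordTarget(o, SITES[o])]));
console.log(results);
```

Only the first site is treated as supporting the feature; the soft-404 and login-redirect sites fall back to the homepage because their probe does not end in 404.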
Not touching blink doesn't mean there are not security considerations - e.g., you could modify the omnibox to always display the URL of someone's bank, and that would most definitely be a security problem, but would not touch blink/.
More related to this intent, though, sending SameSite=Strict cookies for cross-site change password URLs would be a security issue. I assume we don't cache the redirect destination, but instead navigate directly to the well-known URL, which then might redirect a user across sites, correctly not sending SameSite=strict cookies?
I'll defer to Camille regarding navigation details. I will say that right now all requests should by default be subject to CORS-RFC1918 checks - there is no option to turn those off, AFAIK. Thus the cookieless request should be blocked if insecure.
Cheers,
Titouan
The action items I noted so far:
- Disable the feature for iFrames.
- Set NIK (an example is very welcome).
- Set initiator (an example is very welcome).
Anything else?
We didn't have trials. The feature is just in 50% Beta now.
Vasilii Sukhanov
Software Engineer
IsolationInfo is in ResourceRequest::trusted_params. request_initiator is in ResourceRequest itself, though may eventually move into TrustedParams as well.