Intent to Deprecate and Relaunch: CHIPS on WebView

Visto 14.939 veces
Saltar al primer mensaje no leído

Dylan Cutler

no leída,
29 may 2024, 17:02:5129/5/24
a blin...@chromium.org

Hello Blink API Owners,


We’re seeking approval to unship and relaunch CHIPS (a.k.a. partitioned cookies) in Android WebView only.


Rationale

The WebViewClient supports a method, shouldInterceptRequest, which allows developers to intercept network activity and modify HTTP headers, etc. This API does not have access to the Cookie header and relies on the Android CookieManager API in order to query what cookies are available for a particular request URL. This is because the request is intercepted before it is sent to the network service, where the Cookie header is added. However, partitioned cookies are double-keyed on the top-level site and the site of the URL using the cookies.


Currently, the CookieManager API provides no way for developers to query partitioned cookies correctly, and this will cause a mismatch between what the Java API returns and what frames in WebView will actually be in their Cookie header. In hindsight, this seems risky and prone to bugs, and not something the CHIPS team had considered while designing the API.


After discussing this with the WebView team, we believe that the option that will minimize potential app breakage is to disable CHIPS on WebView until we are able to ship support for the Cookie header to shouldInterceptRequest. We will release the changes to shouldInterceptRequest in the next target SDK version (API level 36).


We will reconsider our decision to unlaunch CHIPS in WebView if we get feedback from the community that this would cause significant disruption.


Behavior after deprecation:

Cookies set with the Partitioned attribute on WebView will have the attribute ignored, and the cookie will be treated as unpartitioned. Any existing partitioned cookies created in WebView will be deleted to avoid conflicts across different partitions and the unpartitioned cookie jar.


All other platforms besides WebView will still have the Partitioned attribute enabled.


Timeline:

We plan to turn down CHIPS on WebView in M127.


We will relaunch CHIPS along with Android W, which will include changes to the Android CookieManager API, in 2025.


Thanks,

Dylan Cutler

Vladimir Levin

no leída,
30 may 2024, 23:12:0330/5/24
a Dylan Cutler,blin...@chromium.org
On Wed, May 29, 2024 at 5:02 PM 'Dylan Cutler' via blink-dev <blin...@chromium.org> wrote:

Hello Blink API Owners,


We’re seeking approval to unship and relaunch CHIPS (a.k.a. partitioned cookies) in Android WebView only.


Rationale

The WebViewClient supports a method, shouldInterceptRequest, which allows developers to intercept network activity and modify HTTP headers, etc. This API does not have access to the Cookie header and relies on the Android CookieManager API in order to query what cookies are available for a particular request URL. This is because the request is intercepted before it is sent to the network service, where the Cookie header is added. However, partitioned cookies are double-keyed on the top-level site and the site of the URL using the cookies.


Currently, the CookieManager API provides no way for developers to query partitioned cookies correctly, and this will cause a mismatch between what the Java API returns and what frames in WebView will actually be in their Cookie header. In hindsight, this seems risky and prone to bugs, and not something the CHIPS team had considered while designing the API.


After discussing this with the WebView team, we believe that the option that will minimize potential app breakage is to disable CHIPS on WebView until we are able to ship support for the Cookie header to shouldInterceptRequest. We will release the changes to shouldInterceptRequest in the next target SDK version (API level 36).


We will reconsider our decision to unlaunch CHIPS in WebView if we get feedback from the community that this would cause significant disruption.


Behavior after deprecation:

Cookies set with the Partitioned attribute on WebView will have the attribute ignored, and the cookie will be treated as unpartitioned. Any existing partitioned cookies created in WebView will be deleted to avoid conflicts across different partitions and the unpartitioned cookie jar.


This sounds like a pretty noticeable breakage. Are there any estimates on how many apps/users/developers would be impacted by this change?

Also, as a point of process, I think this may require an intent to deprecate and remove in the chromestatus, although because this is only for WebView, I'm not entirely sure if there's a precedent.

Thanks!
Vlad
 

All other platforms besides WebView will still have the Partitioned attribute enabled.


Timeline:

We plan to turn down CHIPS on WebView in M127.


We will relaunch CHIPS along with Android W, which will include changes to the Android CookieManager API, in 2025.


Thanks,

Dylan Cutler

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMCNMFQOPkYjRxrs68q%2BHxebt-JWCopZ6Rq9r0O80dQF8PWwRg%40mail.gmail.com.

Dylan Cutler

no leída,
5 jun 2024, 10:36:265/6/24
a Vladimir Levin,blin...@chromium.org
Hey Vlad,

Thanks for your response and interest in the intent. I can see two paths going forward.

  1. We query UMA to determine just what percentage of WebView apps embed content using CHIPS (and in how many partitions). We can also use these metrics to identify the top apps who embed users of CHIPS and make sure this change would not lead to disruptions. If that proves to be enough so that you are no longer concerned about breakage then we could move forward. Otherwise, we move on to approach (2).
  2. We refactor our code so that if CHIPS is disabled in WebView, rather than deleting partitioned cookies we could convert them to unpartitioned. If the user has an unpartitioned cookie with the same name/domain/path, then we would delete the partitioned cookie in favor of the unpartitioned one. If multiple cookies exist in different partitions and no such unpartitioned cookie exists, we would fall back on the most recently used cookie. It is worth noting, this technique is complex and could have its own risks, so we'd like to leave it as a last resort.
Let me know what you think, and if this sounds acceptable, I can get that data from UMA to start to inform if we want to pursue the algorithm in (2).

Thanks,
Dylan

Vladimir Levin

no leída,
5 jun 2024, 11:55:465/6/24
a Dylan Cutler,blin...@chromium.org
Hey,

The first item looks like a good starting point. We can discuss possible solutions when we know how much usage there is.

For visibility, can you please file a chromestatus entry for this intent?

Thanks,
Vlad

Dylan Cutler

no leída,
28 jun 2024, 16:28:4128/6/24
a Vladimir Levin,blin...@chromium.org
Hey Vlad,

Thanks for your response. I have completed the analysis and have some results to report. I also have created the Chromestatus entry as requested.

Here are some stats that give a picture of CHIPS usage on WebView
  • Global percentage of requests from WebView clients that contain partitioned cookies:  33%
  • Global percentage of requests from WebView that contain a single partitioned cookie: 29%

  • Average percentage of requests from a single WebView app that contain partitioned cookies: 10%
  • Average percentage of requests from a single WebView app that contain a single partitioned cookie: 7%

  • Global percentage of CHIPS we estimate to be the receive-cookie-deprecation opt-in cookie: 54%
  • Average percentage of CHIPS that each app has stored that we estimate to be the receive-cookie-deprecation opt-in cookie: 55%

  • The percentage of apps using CHIPS: 73%
  • The percentage of apps using the receive-cookie-deprecation opt in cookie: 66%
The majority of usage of CHIPS is for the 3PCD facilitated testing opt-in cookie, which will not be impacted by this change since this cookie merely serves to opt into browser behavior that is not available on WebView regardless.

That being said, we do see usage of CHIPS is significant on WebView, so we have to weigh our options. Is it more disruptive to delete the cookies, silently change their behavior to unpartitioned, or to do nothing until shouldInterceptRequest supports the Cookie header. I am also curious to hear your take.

Best,
Dylan

Charles Bernales

no leída,
1 jul 2024, 2:00:581/7/24
a Dylan Cutler,Vladimir Levin,blin...@chromium.org
You received this message because you are subscribed to a topic in the Google Groups "blink-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/blink-dev/_hHg5MASz4s/unsubscribe.
To unsubscribe from this group and all its topics, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMCNMFQObcMXRVrxrq%3DhHSWV8L9uxDpWhrSJ3xQDNb53RH6DVA%40mail.gmail.com.
Samsung Galaxy Store.html

Vladimir Levin

no leída,
9 jul 2024, 10:20:499/7/24
a Dylan Cutler,blin...@chromium.org
On Fri, Jun 28, 2024, 16:28 'Dylan Cutler' via blink-dev <blin...@chromium.org> wrote:
Hey Vlad,

Thanks for your response. I have completed the analysis and have some results to report. I also have created the Chromestatus entry as requested.

Here are some stats that give a picture of CHIPS usage on WebView
  • Global percentage of requests from WebView clients that contain partitioned cookies:  33%
  • Global percentage of requests from WebView that contain a single partitioned cookie: 29%

  • Average percentage of requests from a single WebView app that contain partitioned cookies: 10%
  • Average percentage of requests from a single WebView app that contain a single partitioned cookie: 7%

  • Global percentage of CHIPS we estimate to be the receive-cookie-deprecation opt-in cookie: 54%
  • Average percentage of CHIPS that each app has stored that we estimate to be the receive-cookie-deprecation opt-in cookie: 55%

  • The percentage of apps using CHIPS: 73%
  • The percentage of apps using the receive-cookie-deprecation opt in cookie: 66%
The majority of usage of CHIPS is for the 3PCD facilitated testing opt-in cookie, which will not be impacted by this change since this cookie merely serves to opt into browser behavior that is not available on WebView regardless.

That being said, we do see usage of CHIPS is significant on WebView, so we have to weigh our options. Is it more disruptive to delete the cookies, silently change their behavior to unpartitioned, or to do nothing until shouldInterceptRequest supports the Cookie header. I am also curious to hear your take.

Thank you for the analysis. Can you help me understand what percentage of webview apps do you expect would experience a breakage if delete the cookies? My understanding is that it's around 33% assuming that global requests are distributed evenly across apps? Although that doesn't seem to be a valid assumption to make.

It does sound like it's not going to be a small number. I'm also assuming that a single cookie case is interesting because these are the cases that can be moved to be unpartitioned with no collisions, is that right? If so the remainder of breakages seems large as well.

The type of breakage would be temporary but noticeable, like a need to sign in again. However, it can also be as bad as losing arbitrary data that would have been stored in that cookie. Is that correct?

You noted that the current behavior is a mismatch between what webview sees and what the cookie manager can access in java. Do we know how frequently cookie manager is used in these cases? I'm trying to estimate actual inconsistent behavior that this is trying to fix and if that worth the risk of breakage for all partitioned cookies

Also, what's the timeline for shipping the cookie manager fix that would be able to deal with partitioned cookies properly?

Thanks,
Vlad

Torne (Richard Coles)

no leída,
11 jul 2024, 13:17:4011/7/24
a Vladimir Levin,Dylan Cutler,blin...@chromium.org
On Tue, 9 Jul 2024 at 10:20, Vladimir Levin <vmp...@chromium.org> wrote:


On Fri, Jun 28, 2024, 16:28 'Dylan Cutler' via blink-dev <blin...@chromium.org> wrote:
Hey Vlad,

Thanks for your response. I have completed the analysis and have some results to report. I also have created the Chromestatus entry as requested.

Here are some stats that give a picture of CHIPS usage on WebView
  • Global percentage of requests from WebView clients that contain partitioned cookies:  33%
  • Global percentage of requests from WebView that contain a single partitioned cookie: 29%

  • Average percentage of requests from a single WebView app that contain partitioned cookies: 10%
  • Average percentage of requests from a single WebView app that contain a single partitioned cookie: 7%

  • Global percentage of CHIPS we estimate to be the receive-cookie-deprecation opt-in cookie: 54%
  • Average percentage of CHIPS that each app has stored that we estimate to be the receive-cookie-deprecation opt-in cookie: 55%

  • The percentage of apps using CHIPS: 73%
  • The percentage of apps using the receive-cookie-deprecation opt in cookie: 66%
The majority of usage of CHIPS is for the 3PCD facilitated testing opt-in cookie, which will not be impacted by this change since this cookie merely serves to opt into browser behavior that is not available on WebView regardless.

That being said, we do see usage of CHIPS is significant on WebView, so we have to weigh our options. Is it more disruptive to delete the cookies, silently change their behavior to unpartitioned, or to do nothing until shouldInterceptRequest supports the Cookie header. I am also curious to hear your take.

Thank you for the analysis. Can you help me understand what percentage of webview apps do you expect would experience a breakage if delete the cookies? My understanding is that it's around 33% assuming that global requests are distributed evenly across apps? Although that doesn't seem to be a valid assumption to make.

Right, it won't be distributed evenly because apps load different sites, and whether partitioned cookies are used is primarily down to the site. It's not entirely straightforward to figure out how this is distributed across apps.
 
It does sound like it's not going to be a small number. I'm also assuming that a single cookie case is interesting because these are the cases that can be moved to be unpartitioned with no collisions, is that right? If so the remainder of breakages seems large as well.

The type of breakage would be temporary but noticeable, like a need to sign in again. However, it can also be as bad as losing arbitrary data that would have been stored in that cookie. Is that correct?

Yes, though for many apps the breakage would be nothing - lots of apps use WebView in a way where there is *no* meaningful data stored via web mechanisms.
 
You noted that the current behavior is a mismatch between what webview sees and what the cookie manager can access in java. Do we know how frequently cookie manager is used in these cases? I'm trying to estimate actual inconsistent behavior that this is trying to fix and if that worth the risk of breakage for all partitioned cookies

This is not the only issue; there's a bigger problem with apps that intercept network requests from WebView - because the interception happens extremely early in the request lifecycle, the request information that gets passed to the app does not include any cookie headers at all (regardless of partitioning), and if the app does choose to intercept the request and return a response, any Set-Cookie headers in the response are *also* not processed. This means that when apps are doing this kind of interception they need to use the CookieManager APIs to get the cookies for the request and attach them themselves, and likewise need to set cookies manually using CookieManager for responses.

It's impossible for apps to do this correctly for partitioned cookies, and extending the CookieManager APIs to allow getting/setting partitioned cookies is not sufficient to fix it: the request interception API doesn't provide any 1P/3P context information and so the app has no way to know which partition key to pass to the API to get/set the cookies correctly. This also means that any future changes to cookie behavior are likely to cause similar problems.

bewise@ is working on changes to the request interception behavior to handle the cookie headers automatically to fix this (e.g. https://chromium-review.googlesource.com/c/chromium/src/+/5616051) but this is significantly more difficult than just extending the CookieManager API, as this requires changing the behavior of existing APIs in a backward-incompatible way.
 
Also, what's the timeline for shipping the cookie manager fix that would be able to deal with partitioned cookies properly?

I'm not sure what the current plan to ship the changes here is, but it may take some time due to the changes being more involved and a bigger compat risk than initially thought.
 

Vladimir Levin

no leída,
17 jul 2024, 14:03:1817/7/24
a Torne (Richard Coles),Dylan Cutler,blin...@chromium.org
Thank you for all of the context.

I agree that deleting the affected cookies seems to be the least risky behavior here. Is this plan to roll out via Finch and monitor for bad breakages?

Also, could you start the various reviews on the chromestatus entry?
chipsna.png

Thanks,
Vlad

Dylan Cutler

no leída,
17 jul 2024, 15:13:5217/7/24
a Vladimir Levin,Torne (Richard Coles),blin...@chromium.org
Hey Vlad,

I agree that deleting the affected cookies seems to be the least risky behavior here. Is this plan to roll out via Finch and monitor for bad breakages?
Unfortunately it is not possible to roll out network feature changes via Finch to WebView, since WebView may sometimes use the cookie store before the feature list has been fully initialized. We have implemented this change as a command line switch for the process running the network service.

Also, could you start the various reviews on the chromestatus entry?
Done!

Dylan

Vladimir Levin

no leída,
18 jul 2024, 9:50:0118/7/24
a Dylan Cutler,Torne (Richard Coles),blin...@chromium.org
On Wed, Jul 17, 2024 at 3:13 PM 'Dylan Cutler' via blink-dev <blin...@chromium.org> wrote:
Hey Vlad,

I agree that deleting the affected cookies seems to be the least risky behavior here. Is this plan to roll out via Finch and monitor for bad breakages?
Unfortunately it is not possible to roll out network feature changes via Finch to WebView, since WebView may sometimes use the cookie store before the feature list has been fully initialized. We have implemented this change as a command line switch for the process running the network service.

That makes sense. It does increase the risk of this removal, but I can't think of any other approach. As someone pointed out: "having no cookies is better than having corrupted cookies", and apps/sites should be able to deal gracefully with cookies being deleted.

LGTM1

Chris Harrelson

no leída,
18 jul 2024, 11:25:1718/7/24
a Vladimir Levin,Dylan Cutler,Torne (Richard Coles),blin...@chromium.org

Mike Taylor

no leída,
18 jul 2024, 13:43:5518/7/24
a Chris Harrelson,Vladimir Levin,Dylan Cutler,Torne (Richard Coles),blin...@chromium.org

Ben Wiser

no leída,
22 jul 2024, 14:23:4022/7/24
a Mike Taylor,Chris Harrelson,Vladimir Levin,Dylan Cutler,Torne (Richard Coles),blin...@chromium.org
Little late to the thread but I had a chat with Torne and we both agree from the WebView side that deleting the cookies is the preferred option for disabling the feature from our perspective.

The alternative of migrating partitioned cookies to 3PCs has these cons:
  • Also not gated via finch which introduces a bit of risk
  • Up levels data that was intended to be per website
As Vlad said, sites can deal with no cookies - and given that these use cases will be more slim, this option is preferable.

Ben Wiser

no leída,
29 ene 2025, 5:52:4629 ene
a Juan Leyva,blink-dev,Chris Harrelson,Vladimir Levin,Dylan Cutler,Torne (Richard Coles),Mike Taylor
Hey Juan,

Could you expand on what the impact to your mobile users is? We are currently doing some assessments around this feature and this information could help us.

All the best,
Ben

On Wed, Jan 29, 2025 at 8:25 AM Juan Leyva <ju...@moodle.com> wrote:
Hello everybody,

are there any updates on this? I've found this feature https://chromestatus.com/feature/5279664766713856 but it seems it has not been recently updated.

I'm asking because we stopped some ongoing work to fully support partitioned cookies in our platform (Moodle LMS) as it was having a severe impact on our mobile app users.

At this point, what we'd like to know if the current partitioned cookies implementation will be deprecated or not.

Regards, Juan

Juan Leyva

no leída,
29 ene 2025, 12:08:5029 ene
a Ben Wiser,blink-dev,Chris Harrelson,Vladimir Levin,Dylan Cutler,Torne (Richard Coles),Mike Taylor
Hi Ben,

A bit of background: I am a Product Manager working for Moodle, an e-learning platform used by millions of people. My team is developing the official mobile application, which is used by around 10 million people monthly.

Our mobile app is built using hybrid technologies (Ionic/Cordova frameworks)—essentially, an enhanced Android WebView with access to some native Android APIs.

Sometimes, we need to embed content from a remote Moodle site into the app via an iframe. We can use different endpoints for this. However, when we initially implemented support for partitioned cookies, we missed some endpoints/cases. As a result, we are now in a situation where the Moodle site does not always return session cookies as partitioned.

This means that while the app's WebView usually receives the session cookie as partitioned, there are specific cases where the app makes a request that returns a non-partitioned session cookie. When this happens, the WebView stores the unpartitioned cookie and sends it with all subsequent requests. However, those new requests expect partitioned cookies, causing the site to think the user is not authenticated because the cookies don't match. The only way to fix this issue is to remove the cookies from the WebView.

When we read about the deprecation, we stopped any further work on this area as we thought it was immediate. We'd like to know if there are still plans for the deprecation happening and if there is a timeline for it.

You can find more information here:
https://tracker.moodle.org/browse/MDL-81405
https://tracker.moodle.org/browse/MDL-80835
and
https://tracker.moodle.org/browse/MDL-82426

Regards, Juan

Juan Leyva

no leída,
29 ene 2025, 12:11:3429 ene
a blink-dev,Ben Wiser,Chris Harrelson,Vladimir Levin,Dylan Cutler,Torne (Richard Coles),blin...@chromium.org,Mike Taylor
Hello everybody,

are there any updates on this? I've found this feature https://chromestatus.com/feature/5279664766713856 but it seems it has not been recently updated.

I'm asking because we stopped some ongoing work to fully support partitioned cookies in our platform (Moodle LMS) as it was having a severe impact on our mobile app users.

At this point, what we'd like to know if the current partitioned cookies implementation will be deprecated or not.

Regards, Juan

On Monday, July 22, 2024 at 8:23:40 PM UTC+2 Ben Wiser wrote:

Rupert Wiser

no leída,
26 feb 2025, 10:53:0926 feb
a blink-dev,Juan Leyva,bew...@google.com,Chris Harrelson,Vladimir Levin,dylan...@google.com,Richard Coles,blin...@chromium.org,Mike Taylor
Hey all,

I wanted to follow up on this thread to let everyone know we've decided to leave CHIPS enabled in WebView from M130. We have since shipped an AndroidX API to let developers disable CHIPS for their apps if they run across any issues.

All the best,
Ben

Mike Taylor

no leída,
28 feb 2025, 15:05:4928 feb
a Rupert Wiser,blink-dev,Juan Leyva,bew...@google.com,Chris Harrelson,Vladimir Levin,dylan...@google.com,Richard Coles

Just for the history books: how long was CHIPS disabled in WebView? 127 to 130?

Rupert Wiser

no leída,
4 mar 2025, 5:09:574 mar
a blink-dev,Mike Taylor,Juan Leyva,bew...@google.com,Chris Harrelson,Vladimir Levin,dylan...@google.com,Richard Coles,Rupert Wiser
The disable was from M128 to M130.
Responder a todos
Responder al autor
Reenviar
0 mensajes nuevos