Intent to Deprecate: WebAssembly cross-origin module sharing

[Lutz Vahl]

Contact emails

va...@chromium.org, ah...@chromium.org, gde...@chromium.org

Specification

https://github.com/WebAssembly/spec/issues/1303

In the long run this will help to isolate sites based on the origin instead of the site

https://github.com/WICG/origin-agent-cluster#how-it-works

https://github.com/mikewest/deprecating-document-domain

API spec

Yes

Summary

WebAssembly module sharing between cross-origin but same-site environments will be deprecated to allow agent clusters to be scoped to origins long term. This change will be performed via a WebAssembly spec change, which has an impact on the other embedders incl. Browser vendors as well. All of them have been involved in the discussions and no objections have been raised.

 

I’ve two asks (details below):

1. Can we add the depreciation warning in DevTools to M93 (now)

2. Can we deprecate the feature in M95.

Blink component

Blink>JavaScript>WebAssembly

Blink>SecurityFeature

TAG review

Overall document.domain discussion: https://github.com/w3ctag/design-reviews/issues/564

Risks

 

Interoperability and Compatibility

No interoperability risks.

Compatibility risk is small as Wasm is a new-er technology and the adoption is in general lower as for JS APIs. UseCounters show ~0.000151% of page visits making use of this feature, whereby 0.0139% of page visits share Wasm modules at all. We’ve detailed UKM metrics in place and are planning to reach out to top users as soon as we’ve LGTMs for the plan.

 

Gecko: Positive Browser vendor is part of the WebAssembly community group and engaged within the spec discussion. Ok with overall document.domain deprecation direction. Skeptical if they could pull it off in advance of the document.domain deprecating.

 

WebKit: Neutral (no objections raised) -  Browser vendor is part of the WebAssembly community group and engaged within the spec discussion

 

Web developers: Neutral - In case the same module can be used cross origin, it needs to be server 2x times. This has definitely an performance impact, but we’re confident that the security benefits are overweighting this issue.

 

 

Activation - Deprecation plan

  M93 - Add the devtools issue and warning

  M94 - Monitor usa counters and add an enterprise policy to extend the usage if needed

M95 - Deprecate the feature by default. No reverse origin trial is planned for now, but might be added in case it’s requested.

 

Security

This change should be security-positive, since Wasm modules can only be shared within the same origin any more.

Debuggability

A deprecation warning will be added to DevTools console and to the issues panel in M93, which will support current users to adopt. This warning will file a depreciation report as well using the Reporting API, if so configured.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Are in place to test the current functionality, and will be adjusted within the M95 timeframe.

Tracking bug

https://crbug.com/1171644

Launch bug

https://crbug.com/1224804

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5650158039597056

[Yoav Weiss]

I'd love to better understand what would actually happen here? If 2 origins on the same site currently share a WASM module, will they simply re-download the module in question? Or will they break unless they change their content? 

On Monday, July 5, 2021 at 9:12:41 AM UTC+2 Lutz Vahl wrote:

Contact emails

va...@chromium.org, ah...@chromium.org, gde...@chromium.org

Specification

https://github.com/WebAssembly/spec/issues/1303

In the long run this will help to isolate sites based on the origin instead of the site

https://github.com/WICG/origin-agent-cluster#how-it-works

https://github.com/mikewest/deprecating-document-domain

API spec

Yes

Summary

WebAssembly module sharing between cross-origin but same-site environments will be deprecated to allow agent clusters to be scoped to origins long term.

Is there an explainer you could point me to on how WASM module sharing currently works?

 

This change will be performed via a WebAssembly spec change, which has an impact on the other embedders incl. Browser vendors as well. All of them have been involved in the discussions and no objections have been raised.

 

I’ve two asks (details below):

1. Can we add the depreciation warning in DevTools to M93 (now)

2. Can we deprecate the feature in M95.

You mean remove in M95?

 

Blink component

Blink>JavaScript>WebAssembly

Blink>SecurityFeature

TAG review

Overall document.domain discussion: https://github.com/w3ctag/design-reviews/issues/564

Risks

 

Interoperability and Compatibility

No interoperability risks.

Are other vendors committed to follow?

 

Compatibility risk is small as Wasm is a new-er technology and the adoption is in general lower as for JS APIs. UseCounters show ~0.000151% of page visits making use of this feature, whereby 0.0139% of page visits share Wasm modules at all. We’ve detailed UKM metrics in place and are planning to reach out to top users as soon as we’ve LGTMs for the plan.

See my question above on what would happen in such sharing cases.

 

 

Gecko: Positive Browser vendor is part of the WebAssembly community group and engaged within the spec discussion. Ok with overall document.domain deprecation direction. Skeptical if they could pull it off in advance of the document.domain deprecating.

Any links to discussions?

 

 

WebKit: Neutral (no objections raised) -  Browser vendor is part of the WebAssembly community group and engaged within the spec discussion

Links to discussions? Have you requested a signal? (bit.ly/blink-signals)

[Lutz Vahl]

Hi Yoav, thanks for the input, CIL

On Thu, Jul 8, 2021 at 1:48 PM Yoav Weiss <yoav...@chromium.org> wrote:

I'd love to better understand what would actually happen here? If 2 origins on the same site currently share a WASM module, will they simply re-download the module in question? Or will they break unless they change their content? 

In that case they need to adjust/change their site to re-download the model. Because of this we'd like to raise the deprecation warning already in M93.

On Monday, July 5, 2021 at 9:12:41 AM UTC+2 Lutz Vahl wrote:

Contact emails

va...@chromium.org, ah...@chromium.org, gde...@chromium.org

Specification

https://github.com/WebAssembly/spec/issues/1303

In the long run this will help to isolate sites based on the origin instead of the site

https://github.com/WICG/origin-agent-cluster#how-it-works

https://github.com/mikewest/deprecating-document-domain

API spec

Yes

Summary

WebAssembly module sharing between cross-origin but same-site environments will be deprecated to allow agent clusters to be scoped to origins long term.

Is there an explainer you could point me to on how WASM module sharing currently works?

 

This change will be performed via a WebAssembly spec change, which has an impact on the other embedders incl. Browser vendors as well. All of them have been involved in the discussions and no objections have been raised.

 

I’ve two asks (details below):

1. Can we add the depreciation warning in DevTools to M93 (now)

2. Can we deprecate the feature in M95.

You mean remove in M95? 

That's correct. But I'm primarily interested in adding the deprecation warning in M93 for now.

 

Blink component

Blink>JavaScript>WebAssembly

Blink>SecurityFeature

TAG review

Overall document.domain discussion: https://github.com/w3ctag/design-reviews/issues/564

Risks

 

Interoperability and Compatibility

No interoperability risks.

Are other vendors committed to follow?

No objections have been raised so far, we're working to define the details on the spec side. Besides chromium another engine needs to agree to ship before the spec will be adjusted.

 

Compatibility risk is small as Wasm is a new-er technology and the adoption is in general lower as for JS APIs. UseCounters show ~0.000151% of page visits making use of this feature, whereby 0.0139% of page visits share Wasm modules at all. We’ve detailed UKM metrics in place and are planning to reach out to top users as soon as we’ve LGTMs for the plan.

See my question above on what would happen in such sharing cases.

Sites need to adjust based on this change. Therefore we'd like to give them already a heads-up in M93 by raising a deprecation warning in devtools. 

 

 

 

Gecko: Positive Browser vendor is part of the WebAssembly community group and engaged within the spec discussion. Ok with overall document.domain deprecation direction. Skeptical if they could pull it off in advance of the document.domain deprecating.

Any links to discussions?

Notes of the Wasm meeting can be found online: https://github.com/WebAssembly/meetings/blob/main/main/2021/CG-06-22.md. Unfortunately they haven't been published yet for this CQ meeting, I'll follow up!

 

 

WebKit: Neutral (no objections raised) -  Browser vendor is part of the WebAssembly community group and engaged within the spec discussion

Links to discussions? Have you requested a signal? (bit.ly/blink-signals)

For now, I've the current ongoing spec discussion including other browser/engine vendors: https://github.com/WebAssembly/spec/issues/1303

Based on this a spec PR is in the making. I'll add the link to this thread asap.

 

Web developers: Neutral - In case the same module can be used cross origin, it needs to be server 2x times. This has definitely an performance impact, but we’re confident that the security benefits are overweighting this issue.

 

 

Activation - Deprecation plan

  M93 - Add the devtools issue and warning

  M94 - Monitor usa counters and add an enterprise policy to extend the usage if needed

M95 - Deprecate the feature by default. No reverse origin trial is planned for now, but might be added in case it’s requested.

 

Security

This change should be security-positive, since Wasm modules can only be shared within the same origin any more.

Debuggability

A deprecation warning will be added to DevTools console and to the issues panel in M93, which will support current users to adopt. This warning will file a depreciation report as well using the Reporting API, if so configured.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Are in place to test the current functionality, and will be adjusted within the M95 timeframe.

Tracking bug

https://crbug.com/1171644

Launch bug

https://crbug.com/1224804

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5650158039597056

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/66960e21-da5a-4b49-881d-82f5001f5d23n%40chromium.org.

[Žanetta Berķe]

SmS 

пн, 12 июл. 2021 г., 9:49 Lutz Vahl <va...@chromium.org>:

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBP3%2BbRTN3dpk71BFQdC%3Dmtmb6jA3RUtW%3Dq83CKRG0n%2BmQ%40mail.gmail.com.

[Lutz Vahl]

Adding even more context

On Mon, Jul 12, 2021 at 8:48 AM Lutz Vahl <va...@chromium.org> wrote:

Hi Yoav, thanks for the input, CIL

On Thu, Jul 8, 2021 at 1:48 PM Yoav Weiss <yoav...@chromium.org> wrote:

I'd love to better understand what would actually happen here? If 2 origins on the same site currently share a WASM module, will they simply re-download the module in question? Or will they break unless they change their content? 

In that case they need to adjust/change their site to re-download the model. Because of this we'd like to raise the deprecation warning already in M93.

https://www.w3.org/TR/wasm-web-api-1/#serialization describes how the sharing currently works. We'll adjust "Set serialized.[[AgentCluster]] to the current Realm's corresponding agent cluster." to "Set serialized.[[Origin]] to be the serialization of the user agent's origin"

The notes are now online! 

[Daniel Bratell]

LGTM1 to deprecate based on the 0.000724% usage number (higher than when you filed the intent but still low enough that I don't think the deprecation will add noise, and low enough that it's very possible to later successfully execute this change).

/Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNP2LfQofXarqM5SGmXXH-UD_Q74xV%3Diy%2Bt3jQQqCARBw%40mail.gmail.com.

[Manuel Rego Casasnovas]

LGTM2.

I see even a smaller number at
https://chromestatus.com/metrics/feature/timeline/popularity/3802: 0.000445%

There are only 3 websites listed on that page, we might want to
proactively notify them about this change, in addition to the
deprecation warning.

Cheers,
Rego

>> va...@chromium.org <mailto:va...@chromium.org>,
>> ah...@chromium.org <mailto:ah...@chromium.org>,
>> gde...@chromium.org <mailto:gde...@chromium.org>
>>
>>
>> Specification
>>
>> https://github.com/WebAssembly/spec/issues/1303

>> <https://github.com/WebAssembly/spec/issues/1303>
>>
>> In the long run this will help to isolate sites based on
>> the origin instead of the site
>>
>> https://github.com/WICG/origin-agent-cluster#how-it-works

>> <https://github.com/WICG/origin-agent-cluster#how-it-works>
>>
>> https://github.com/mikewest/deprecating-document-domain

>> <https://github.com/mikewest/deprecating-document-domain>
>>
>>
>> API spec
>>
>> Yes
>>
>>
>> Summary
>>
>> WebAssembly module sharing between cross-origin but
>> same-site environments will be deprecated to allow agent
>> clusters to be scoped to origins long term.
>>
>>
>> Is there an explainer you could point me to on how WASM module
>> sharing currently works?
>>  
>>
>> This change will be performed via a WebAssembly spec
>> change, which has an impact on the other embedders incl.
>> Browser vendors as well. All of them have been involved in
>> the discussions and no objections have been raised.
>>
>>  
>>
>> I’ve two asks (details below):
>>

>> 1.

>>
>> Can we add the depreciation warning in DevTools to M93
>> (now)
>>

>> 2.

>>
>> Can we deprecate the feature in M95.
>>
>>
>> You mean remove in M95? 
>>
>> That's correct. But I'm primarily interested in adding the
>> deprecation warning in M93 for now.
>>
>>  
>>
>>
>>
>> Blink component
>>
>> Blink>JavaScript>WebAssembly
>>
>> Blink>SecurityFeature
>>
>>
>> TAG review
>>
>> Overall document.domain discussion:
>> https://github.com/w3ctag/design-reviews/issues/564
>> <https://github.com/w3ctag/design-reviews/issues/564>
>>
>>
>> Risks
>>
>>  
>>
>>
>> Interoperability and Compatibility
>>
>> No interoperability risks.
>>
>>
>> Are other vendors committed to follow?
>>
>> No objections have been raised so far, we're working to define the
>> details on the spec side. Besides chromium another engine needs to
>> agree to ship before the spec will be adjusted.
>>
>>  
>>
>>
>> Compatibility risk is small as Wasm is a new-er technology
>> and the adoption is in general lower as for JS APIs.
>> UseCounters show ~0.000151%

>> <https://chromestatus.com/metrics/feature/popularity#CrossOriginWasmModuleSharing>of

>> page visits making use of this feature, whereby 0.0139%

>> <https://chromestatus.com/metrics/feature/popularity#WasmModuleSharing>of

>> page visits share Wasm modules at all. We’ve detailed UKM
>> metrics in place and are planning to reach out to top
>> users as soon as we’ve LGTMs for the plan.
>>
>>
>> See my question above on what would happen in such sharing cases.
>>
>> Sites need to adjust based on this change. Therefore we'd like to
>> give them already a heads-up in M93 by raising a deprecation
>> warning in devtools. 
>>  
>>
>>  
>>
>>  
>>
>> Gecko: Positive Browser vendor is part of the WebAssembly
>> community group and engaged within the spec discussion. Ok
>> with overall document.domain deprecation direction.
>> Skeptical if they could pull it off in advance of the
>> document.domain deprecating.
>>
>>
>> Any links to discussions?
>>
>> Notes of the Wasm meeting can be found
>> online: https://github.com/WebAssembly/meetings/blob/main/main/2021/CG-06-22.md

>> <https://github.com/WebAssembly/meetings/blob/main/main/2021/CG-06-22.md>.

>> Unfortunately they haven't been published yet for this CQ meeting,
>> I'll follow up!
>>
>> The notes are now online! 
>>
>>  
>>
>>  
>>
>> WebKit: Neutral (no objections raised) -  Browser vendor
>> is part of the WebAssembly community group and engaged
>> within the spec discussion
>>
>>
>> Links to discussions? Have you requested a signal?

>> (bit.ly/blink-signals <https://bit.ly/blink-signals>)

>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?

>>
>> Are in place to test the current

>> <https://github.com/web-platform-tests/wpt/blob/master/wasm/serialization/module/window-similar-but-cross-origin-success.sub.html>functionality,

>> and will be adjusted within the M95 timeframe.
>>
>>
>> Tracking bug
>>

>> https://crbug.com/1171644 <https://crbug.com/1171644>
>>
>>
>> Launch bug
>>
>> https://crbug.com/1224804 <https://crbug.com/1224804>

>>
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/5650158039597056
>> <https://chromestatus.com/feature/5650158039597056>
>>
>> --
>> You received this message because you are subscribed to the
>> Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from
>> it, send an email to blink-dev+...@chromium.org

>> <mailto:blink-dev+...@chromium.org>.

>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/66960e21-da5a-4b49-881d-82f5001f5d23n%40chromium.org

>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/66960e21-da5a-4b49-881d-82f5001f5d23n%40chromium.org?utm_medium=email&utm_source=footer>.

>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send
>> an email to blink-dev+...@chromium.org

>> <mailto:blink-dev+...@chromium.org>.

>> To view this discussion on the web visit

>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNP2LfQofXarqM5SGmXXH-UD_Q74xV%3Diy%2Bt3jQQqCARBw%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNP2LfQofXarqM5SGmXXH-UD_Q74xV%3Diy%2Bt3jQQqCARBw%40mail.gmail.com?utm_medium=email&utm_source=footer>.

>
> --
> You received this message because you are subscribed to the Google
> Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to blink-dev+...@chromium.org

> <mailto:blink-dev+...@chromium.org>.

> To view this discussion on the web visit

> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d89c4812-358d-9e52-c3f4-9599f6a181b5%40gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d89c4812-358d-9e52-c3f4-9599f6a181b5%40gmail.com?utm_medium=email&utm_source=footer>.

[Chris Harrelson]

LGTM3

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6eb5c2cd-153a-98b2-1b72-3b2020b7d0a4%40igalia.com.

[Lutz Vahl]

Thanks all LGTM'ing the deprecation plan. 

I've adjusted the deprecation plan to reach out to the top users based on our metrics in addition to the DevTools deprecation warning.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-uszeA%3DYwoXwz6aumkM-%3DM089ndJ8JYmF9aVpWqtj96Q%40mail.gmail.com.

[Anne van Kesteren]

On Mon, Jul 5, 2021 at 9:12 AM Lutz Vahl <va...@chromium.org> wrote:
> https://github.com/WebAssembly/spec/issues/1303

>
> Summary
>
> WebAssembly module sharing between cross-origin but same-site environments will be deprecated to allow agent clusters to be scoped to origins long term. This change will be performed via a WebAssembly spec change, which has an impact on the other embedders incl. Browser vendors as well. All of them have been involved in the discussions and no objections have been raised.

Well, I did raise a question in that issue about a potential design
alternative that went unanswered. It's a bit more robust I think, but
maybe it doesn't matter much given the usage numbers.

[Lutz Vahl]

Hi all,

based on the use counters we do see that ~95% of the usage is coming from two origins.
We'll reach out to those ones individually right away.

In case they have any issues to adopt, we can add a reverse origin trial to extend the usage. In case they are able to adopt in time, we don't see the need for a reverse origin trial. WDYT?

Cheers,
 Lutz

[Yoav Weiss]

That plan SGTM

You received this message because you are subscribed to a topic in the Google Groups "blink-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/blink-dev/nhmP8A61xk8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBPEe2KPayQ03wjDqYZDQeVb7hh3aXvd5nymrOsK0yr5SA%40mail.gmail.com.