Hello all,
The approval for the Intent To Ship for Origin Isolation By Default / Deprecate document.domain asks for a separate intent for the actual default change. This is that separate intent.
A summary of what happened so far:
- Shipping Origin Isolation by Default (and thereby deprecating document.domain) has security benefits, but compatibility risk.
- We added warnings to the developer console and issues panel, published a blog post, and engaged in direct outreach. This has resulted in substantial, measurable reduction of usage. Some sites keep using document.domain, but have mitigated the deprecation with other means. This makes the risk difficult to measure.
- Sampling of sites with document.domain usage and manual inspection yields a potential breakage estimate at ~0.015% of page views.
What we're asking for here is:
- Enable the feature at 50% for beta (+ dev + canary) during M109, as a "last call" for web site authors.
- Launch on stable on M110. (~ Feb '23, so >12 weeks out from today)
------------------------
This is a follow-on to the Intent to Ship: Origin Isolation By Default / Deprecate document.domain. We'd like to ship this in M110, stable.
There are compatibility risks, which we have reduced with outreach and warnings, and we want to mitigate further by launching at 50% of beta first. An extended discussion of the risk (including attempts at quantitative assessment) can be found in the original intent to ship.
Gecko: Standards position request. ("Worth prototyping")
WebKit: https://lists.webkit.org/pipermail/webkit-dev/2021-December/032067.html (No signals.)
Web developers: No signals.
Activation - Deprecation plan
M110: Enable "Origin Agent Cluster by Default" on stable.
Hello all,
The approval for the Intent To Ship for Origin Isolation By Default / Deprecate document.domain asks for a separate intent for the actual default change. This is that separate intent.
A summary of what happened so far:
- Shipping Origin Isolation by Default (and thereby deprecating document.domain) has security benefits, but compatibility risk.
- We added warnings to the developer console and issues panel, published a blog post, and engaged in direct outreach. This has resulted in substantial, measurable reduction of usage. Some sites keep using document.domain, but have mitigated the deprecation with other means. This makes the risk difficult to measure.
- Sampling of sites with document.domain usage and manual inspection yields a potential breakage estimate at ~0.015% of page views.
What we're asking for here is:
- Enable the feature at 50% for beta (+ dev + canary) during M109, as a "last call" for web site authors.
This sounds like a good idea. Is there any reason we couldn't go to 50% in M108 as well (or are you trying to avoid breakage over the winter holidays)?
Another question: do we have enterprise policies available for
this change?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNEMgvrOehp5%2Bf48yQ62pY3xqXqATPNxWZ6aYQ%2BXeHHAg%40mail.gmail.com.
On 10/27/22 11:49 PM, 'Daniel Vogelheim' via blink-dev wrote:
Hello all,
The approval for the Intent To Ship for Origin Isolation By Default / Deprecate document.domain asks for a separate intent for the actual default change. This is that separate intent.
A summary of what happened so far:
- Shipping Origin Isolation by Default (and thereby deprecating document.domain) has security benefits, but compatibility risk.
- We added warnings to the developer console and issues panel, published a blog post, and engaged in direct outreach. This has resulted in substantial, measurable reduction of usage. Some sites keep using document.domain, but have mitigated the deprecation with other means. This makes the risk difficult to measure.
- Sampling of sites with document.domain usage and manual inspection yields a potential breakage estimate at ~0.015% of page views.
What we're asking for here is:
- Enable the feature at 50% for beta (+ dev + canary) during M109, as a "last call" for web site authors.
This sounds like a good idea. Is there any reason we couldn't go to 50% in M108 as well (or are you trying to avoid breakage over the winter holidays)?
Another question: do we have enterprise policies available for this change?
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfW0vt%2BzXxGf_f7YBF2Lq1K1y5F_VJMtK6whuSiQX9_t3g%40mail.gmail.com.
Activation - Deprecation plan
M109: Enable "Origin Agent Cluster by Default" for 50% of page loads on beta, dev, and canary.Activation - Deprecation plan
M109: Enable "Origin Agent Cluster by Default" for 50% of page loads on beta, dev, and canary.--- As a developer, do I need to set "Origin-Agent-Cluster: ?1" as a header for 50% of page visits or chromium enforcing for 50% of page visits from browser(Means 50% ( "Origin-Agent-Cluster: ?1") and another 50% ( "Origin-Agent-Cluster: ?0")?.
I have installed M109 beta and I have not set orginAgentCluster in my site and I can see in console "window.originAgentCluster" always return false for all sites/pages. Could you clarify on this?. How do I know whether Origin-Agent-Cluster enabled or not in M109?
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPPFMpseckt22K5bd%2BRsctwWihiwCdSA9vvCTZw_tOtT5A%40mail.gmail.com.
Thanks for the update Daniel, and good luck on fixing the bug. :)
|
⭘ W. James MacLean ⭘ Software Engineer ⭘ Google Waterloo, Canada |
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0aa8ac1f-6b52-425f-8e25-f09f55c9e0fdn%40chromium.org.
⭘ W. James MacLean ⭘ Software Engineer ⭘ Google Waterloo, Canada |
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADAYvoc24scGp3XHZrC%3Dpg7zaUU5OeRLaM9NbS-hbvLRJ06XHQ%40mail.gmail.com.