Intent to Deprecate and Remove: WebSQL in non-secure contexts

157 views
Skip to first unread message

Ayu Ishii

unread,
May 26, 2022, 8:18:38 PMMay 26
to blink-dev, Joshua Bell, Ajay Rahatekar
Contact emails
ay...@chromium.org, jsb...@chromium.org, ajayra...@google.com  

Specification
https://www.w3.org/TR/webdatabase/

Summary
We intend to deprecate and remove usage of WebSQL in non-secure contexts. Deprecation is targeted for M105 and removal is targeted for M107.

Blink component
Blink>Storage>WebSQL

Motivation
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

WebSQL has been deprecated and removed for third-party contexts in M97.

We hope to entirely deprecate and remove WebSQL at some future point when usage is low enough.


TAG review
N/A

Risks
Based on usage measurements rolled out in M97, 0.005% of page loads use WebSQL in a non-secure context.  Less than 0.01% of top sites have adopted this feature.

Out of the 20 top sites listed for the month of April 2022, 11 of the sites use a feature detection library Modernizr 1.5, on a version released in 2010. This would create a test database to check feature availability. I was unable to reproduce the creation of other WebSQL databases outside of the one created by Modernizr on these sites. 4 sites that seem to use an outdated private mode detection script which was intended for older versions of iOS. All the scripts I have found checked if window.openDatabase existed before usage, likely due to the lack of support in Gecko and WebKit. 


Interoperability and Compatibility

Gecko: Never implemented

WebKit: Deprecation shipped in iOS 13 and Safari 13  

Web developers: No signals


Debuggability
N/A

Is this feature fully tested by web-platform-tests?
Not fully, one test checks the availability of the feature.

Tracking bug
https://crbug.com/1212492

Link to related intents
Intent to Deprecate and Remove: WebSQL in third-party contexts

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5175124599767040


Mike West

unread,
May 31, 2022, 1:57:01 AMMay 31
to Ayu Ishii, blink-dev, Joshua Bell, Ajay Rahatekar
I'm happy to see this moving forward, thanks for pushing it ahead!

That said, this seems like the kind of thing that's likely-enough to impact enterprise that we should include a temporary opt-out to give ourselves some wiggle room if it turns out that we're undercounting usage. Have y'all already put something like that together?

-mike


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bc5f407d-e6fe-4743-ae46-84541d271a92n%40chromium.org.

Ayu Ishii

unread,
May 31, 2022, 11:26:11 PMMay 31
to blink-dev, Mike West, blink-dev, Joshua Bell, Ajay Rahatekar, Ayu Ishii
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Chris Harrelson

unread,
Jun 1, 2022, 1:34:47 PMJun 1
to Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar
On Tue, May 31, 2022 at 8:26 PM Ayu Ishii <ay...@chromium.org> wrote:
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

I think this plan sounds good. LGTM1 once you have an enterprise opt-out in place that will remain for 3 milestones. Also please make sure to communicate this change in the enterprise notes and other communication channels.
 

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/aa706101-184b-4a25-a446-6643a96e062fn%40chromium.org.

Mike Taylor

unread,
Jun 1, 2022, 2:58:42 PMJun 1
to Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar
On 6/1/22 1:34 PM, Chris Harrelson wrote:

On Tue, May 31, 2022 at 8:26 PM Ayu Ishii <ay...@chromium.org> wrote:
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

I think this plan sounds good. LGTM1 once you have an enterprise opt-out in place that will remain for 3 milestones. Also please make sure to communicate this change in the enterprise notes and other communication channels.

A couple of notes I took last Friday and forgot to post:

I dumped the list of sites from HTTPArchive (query below) and after de-duping them, ended up with 835 sites.

I then ran a script which naively looks at response codes, and got the following results:

2XX count: 685/835
3XX to HTTP endpoint count: 74/835
4XX count: 3/835
5XX count: 2/835

So, from this dataset, roughly 9% of those redirect to an HTTP endpoint.

That said, I think reducing risk of breakage for enterprise environments is a useful and friendly thing to do. LGTM2 w/ that done.

SELECT
  rank,
  url,
FROM
  `httparchive.blink_features.features`
WHERE feature = 'OpenWebDatabaseInsecureContext'
ORDER BY rank ASC

Yoav Weiss

unread,
Jun 1, 2022, 3:52:49 PMJun 1
to Mike Taylor, Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar

Mike Taylor

unread,
Jun 1, 2022, 4:12:55 PMJun 1
to Yoav Weiss, Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar
On 6/1/22 3:52 PM, Yoav Weiss wrote:
LGTM3

On Wed, Jun 1, 2022 at 8:58 PM Mike Taylor <mike...@chromium.org> wrote:
On 6/1/22 1:34 PM, Chris Harrelson wrote:

On Tue, May 31, 2022 at 8:26 PM Ayu Ishii <ay...@chromium.org> wrote:
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

I think this plan sounds good. LGTM1 once you have an enterprise opt-out in place that will remain for 3 milestones. Also please make sure to communicate this change in the enterprise notes and other communication channels.

A couple of notes I took last Friday and forgot to post:

I dumped the list of sites from HTTPArchive (query below) and after de-duping them, ended up with 835 sites.

I then ran a script which naively looks at response codes, and got the following results:

2XX count: 685/835
3XX to HTTP endpoint count: 74/835
4XX count: 3/835
5XX count: 2/835

So, from this dataset, roughly 9% of those redirect to an HTTP endpoint.

This should say HTTPS, not HTTP. I am bad at typing.

Ayu Ishii

unread,
Jun 1, 2022, 10:49:00 PMJun 1
to blink-dev, Mike Taylor, Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar, Yoav Weiss
Thank you all for the approvals!
And thank you miketaylr@ for the HTTPArchive analysis!

 

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Reply all
Reply to author
Forward
0 new messages