Intent to Deprecate and Remove: WebSQL in non-secure contexts

1 042 просмотра
Перейти к первому непрочитанному сообщению

Ayu Ishii

не прочитано,
26 мая 2022 г., 20:18:3826.05.2022
– blink-dev, Joshua Bell, Ajay Rahatekar
Contact emails
ay...@chromium.org, jsb...@chromium.org, ajayra...@google.com  

Specification
https://www.w3.org/TR/webdatabase/

Summary
We intend to deprecate and remove usage of WebSQL in non-secure contexts. Deprecation is targeted for M105 and removal is targeted for M107.

Blink component
Blink>Storage>WebSQL

Motivation
The Web SQL Database standard was first proposed in April 2009 and abandoned in November 2010. Gecko never implemented this feature and WebKit deprecated this feature in 2019. The W3C encouraged those needing web databases to adopt Web Storage or Indexed Database.

WebSQL has been deprecated and removed for third-party contexts in M97.

We hope to entirely deprecate and remove WebSQL at some future point when usage is low enough.


TAG review
N/A

Risks
Based on usage measurements rolled out in M97, 0.005% of page loads use WebSQL in a non-secure context.  Less than 0.01% of top sites have adopted this feature.

Out of the 20 top sites listed for the month of April 2022, 11 of the sites use a feature detection library Modernizr 1.5, on a version released in 2010. This would create a test database to check feature availability. I was unable to reproduce the creation of other WebSQL databases outside of the one created by Modernizr on these sites. 4 sites that seem to use an outdated private mode detection script which was intended for older versions of iOS. All the scripts I have found checked if window.openDatabase existed before usage, likely due to the lack of support in Gecko and WebKit. 


Interoperability and Compatibility

Gecko: Never implemented

WebKit: Deprecation shipped in iOS 13 and Safari 13  

Web developers: No signals


Debuggability
N/A

Is this feature fully tested by web-platform-tests?
Not fully, one test checks the availability of the feature.

Tracking bug
https://crbug.com/1212492

Link to related intents
Intent to Deprecate and Remove: WebSQL in third-party contexts

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5175124599767040


Mike West

не прочитано,
31 мая 2022 г., 01:57:0131.05.2022
– Ayu Ishii, blink-dev, Joshua Bell, Ajay Rahatekar
I'm happy to see this moving forward, thanks for pushing it ahead!

That said, this seems like the kind of thing that's likely-enough to impact enterprise that we should include a temporary opt-out to give ourselves some wiggle room if it turns out that we're undercounting usage. Have y'all already put something like that together?

-mike


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bc5f407d-e6fe-4743-ae46-84541d271a92n%40chromium.org.

Ayu Ishii

не прочитано,
31 мая 2022 г., 23:26:1131.05.2022
– blink-dev, Mike West, blink-dev, Joshua Bell, Ajay Rahatekar, Ayu Ishii
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Chris Harrelson

не прочитано,
1 июн. 2022 г., 13:34:4701.06.2022
– Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar
On Tue, May 31, 2022 at 8:26 PM Ayu Ishii <ay...@chromium.org> wrote:
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

I think this plan sounds good. LGTM1 once you have an enterprise opt-out in place that will remain for 3 milestones. Also please make sure to communicate this change in the enterprise notes and other communication channels.
 

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/aa706101-184b-4a25-a446-6643a96e062fn%40chromium.org.

Mike Taylor

не прочитано,
1 июн. 2022 г., 14:58:4201.06.2022
– Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar
On 6/1/22 1:34 PM, Chris Harrelson wrote:

On Tue, May 31, 2022 at 8:26 PM Ayu Ishii <ay...@chromium.org> wrote:
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

I think this plan sounds good. LGTM1 once you have an enterprise opt-out in place that will remain for 3 milestones. Also please make sure to communicate this change in the enterprise notes and other communication channels.

A couple of notes I took last Friday and forgot to post:

I dumped the list of sites from HTTPArchive (query below) and after de-duping them, ended up with 835 sites.

I then ran a script which naively looks at response codes, and got the following results:

2XX count: 685/835
3XX to HTTP endpoint count: 74/835
4XX count: 3/835
5XX count: 2/835

So, from this dataset, roughly 9% of those redirect to an HTTP endpoint.

That said, I think reducing risk of breakage for enterprise environments is a useful and friendly thing to do. LGTM2 w/ that done.

SELECT
  rank,
  url,
FROM
  `httparchive.blink_features.features`
WHERE feature = 'OpenWebDatabaseInsecureContext'
ORDER BY rank ASC

Yoav Weiss

не прочитано,
1 июн. 2022 г., 15:52:4901.06.2022
– Mike Taylor, Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar

Mike Taylor

не прочитано,
1 июн. 2022 г., 16:12:5501.06.2022
– Yoav Weiss, Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar
On 6/1/22 3:52 PM, Yoav Weiss wrote:
LGTM3

On Wed, Jun 1, 2022 at 8:58 PM Mike Taylor <mike...@chromium.org> wrote:
On 6/1/22 1:34 PM, Chris Harrelson wrote:

On Tue, May 31, 2022 at 8:26 PM Ayu Ishii <ay...@chromium.org> wrote:
Hi Mike!

With the current usage measurements we see, we hadn't considered any enterprise policy for opt-out.
But certainly can follow the process to do so if you feel that there may be risk of undercounting.
Deprecation of WebSQL in third-party contexts added a policy that lasted 3 milestones after deprecation before full removal as an example.
Although the usages were quite different from that deprecation, we can follow the same process if this sounds reasonable.

I think this plan sounds good. LGTM1 once you have an enterprise opt-out in place that will remain for 3 milestones. Also please make sure to communicate this change in the enterprise notes and other communication channels.

A couple of notes I took last Friday and forgot to post:

I dumped the list of sites from HTTPArchive (query below) and after de-duping them, ended up with 835 sites.

I then ran a script which naively looks at response codes, and got the following results:

2XX count: 685/835
3XX to HTTP endpoint count: 74/835
4XX count: 3/835
5XX count: 2/835

So, from this dataset, roughly 9% of those redirect to an HTTP endpoint.

This should say HTTPS, not HTTP. I am bad at typing.

Ayu Ishii

не прочитано,
1 июн. 2022 г., 22:49:0001.06.2022
– blink-dev, Mike Taylor, Chris Harrelson, Ayu Ishii, blink-dev, Mike West, Joshua Bell, Ajay Rahatekar, Yoav Weiss
Thank you all for the approvals!
And thank you miketaylr@ for the HTTPArchive analysis!

 

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Ayu Ishii

не прочитано,
11 нояб. 2022 г., 19:26:0311.11.2022
– blink-dev, Ayu Ishii, Mike Taylor, Chris Harrelson, blink-dev, Mike West, Joshua Bell, ajayra...@google.com, Yoav Weiss
We've done some extra communications with enterprise partners and have come up with a new target milestone.
The new target milestone for this removal is M110, with enterprise policy available for 2 milestones (M110-111).

Thanks!
Ayu

Thomas Steiner

не прочитано,
14 нояб. 2022 г., 11:51:5714.11.2022
– Ayu Ishii, blink-dev, Mike Taylor, Chris Harrelson, Mike West, Joshua Bell, ajayra...@google.com, Yoav Weiss
The developer-facing documentation is being updated in https://github.com/GoogleChrome/developer.chrome.com/pull/4299.

 

- Ayu

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/049f32e7-9d79-4cfc-8f91-5f7c9649bd3bn%40chromium.org.


--
Thomas Steiner, PhD—Developer Relations Engineer (https://blog.tomayac.comhttps://twitter.com/tomayac)

Google Germany GmbH, ABC-Str. 19, 20354 Hamburg, Germany
Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891

----- BEGIN PGP SIGNATURE -----
Version: GnuPG v2.3.4 (GNU/Linux)

iFy0uwAntT0bE3xtRa5AfeCheCkthAtTh3reSabiGbl0ck0fjumBl3DCharaCTersAttH3b0ttom.hTtPs://xKcd.cOm/1181/
----- END PGP SIGNATURE -----

Ben Morss

не прочитано,
16 нояб. 2022 г., 13:22:3416.11.2022
– Thomas Steiner, Ayu Ishii, blink-dev, Mike Taylor, Chris Harrelson, Mike West, Joshua Bell, ajayra...@google.com, Yoav Weiss
I've done a more thorough search for examples of webkitStorageInfo and of WebSQL in insecure contexts on the web. Among the top 10K sites, the only usage I found was from standard libraries - and, in these cases, removal wouldn't cause an error or affect any functionality.

No one in Enterprise at Google, Microsoft, or Salesforce has uncovered usage among their partners either.


Ben Morss

не прочитано,
8 дек. 2022 г., 19:28:5808.12.2022
– Carl Turechek, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com
Yes. Carl, does your app depend on Web SQL, webkitStorageInfo, or something else?

On Thu, Dec 8, 2022 at 6:55 PM Carl Turechek <carltu...@gmail.com> wrote:
You'll break an app I developed to be passed around as a single html file. Hope you'll provide us plebs some guidance on finding a replacement solution.

Chris Thompson

не прочитано,
8 дек. 2022 г., 19:50:2308.12.2022
– Ben Morss, Carl Turechek, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com
I'll note that file:// URLs are considered secure contexts, which may be relevant for single-html-file apps -- see https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure

Carl Turechek

не прочитано,
9 дек. 2022 г., 11:39:3509.12.2022
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, Carl Turechek
Hi,
Thanks for taking it into account. In a nutshell, my app is a C.R.U.D. that exports all of the data as json into a new html file along with everything else required to search through the information. It is a catalogue resonee where it could be downloaded and searched by anyone using a chrome browser. So you could search for a timeframe or keyword... and see a list and view images etc.. Also, privacy is an aspect.

It sounds like web assembly would not make this possible without fetching stuff or including more files. Maybe websql could be optional or something.. Anyway, thanks for the question! Have a good one :)

Carl Turechek

не прочитано,
9 дек. 2022 г., 11:39:4309.12.2022
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, Carl Turechek
I don't think that the increased security will have an effect on my app, but the removal all together is my concern. Sorry if I haven't been clear enough.

On Thursday, December 8, 2022 at 7:28:58 PM UTC-5 mo...@google.com wrote:

Carl Turechek

не прочитано,
9 дек. 2022 г., 11:40:1209.12.2022
– blink-dev, mo...@google.com, ay...@chromium.org, blink-dev, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com
You'll break an app I developed to be passed around as a single html file. Hope you'll provide us plebs some guidance on finding a replacement solution.

On Wednesday, November 16, 2022 at 1:22:34 PM UTC-5 mo...@google.com wrote:

Carl Turechek

не прочитано,
9 дек. 2022 г., 11:40:2809.12.2022
– blink-dev, ay...@chromium.org, Joshua Bell, ajayra...@google.com
I'd rather websql wasn't removed. I use it for a few non-web applications making it possible to have a one click app with a database without too much hassle. Having to roll your own with web assembly sounds like it wouldn't be worth the trouble.

PhistucK

не прочитано,
10 дек. 2022 г., 07:29:5910.12.2022
– Carl Turechek, blink-dev, ay...@chromium.org, Joshua Bell, ajayra...@google.com
Note that file:// storage is quite fragile, I believe it is keyed by either the file path or the folder path, so moving the downloaded file will effectively replace/clear the storage...

PhistucK


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Ben Morss

не прочитано,
13 дек. 2022 г., 14:59:3913.12.2022
– Carl Turechek, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com
Hi Carl,

I'm sorry we can't keep Web SQL going any further in its present form. As you know, it's been deprecated for years and only Chromium still supports it. It sees little use; almost any site that wants sophisticated storage wants it to work on all browsers, and so people build things on top of indexedDB. Despite the relatively small usage, it takes us time to keep up with updates, and security problems demand our attention rather frequently. We don't have enough engineers to merit keeping it going.

On the other hand, we're quite excited about the new SQLite-over-Wasm, and some developers of other databases have told us they're interested in following this example. After years in which browser vendors tried to create sophisticated storage solutions, often without success, the possibility that databases that are available on other platforms might become available on the web, created and supported by the developer community, is quite exciting.

Sorry that doesn't help with your HTML-file application :-/ If you're curious, it is possible to embed Wasm in an HTML page:
Of course, this isn't as simple or as small as simply using Web SQL, but it miiiiiight work?

All best,

Ben

Michal Šimonfy

не прочитано,
14 дек. 2022 г., 10:44:5414.12.2022
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, carltu...@gmail.com
Hello there! 

will WebSQL continue to be available in Chrome extensions (through the chrome-extension:// scheme)?

Thank you!

All the best, 
Michal

Ben Morss

не прочитано,
14 дек. 2022 г., 11:36:3114.12.2022
– Michal Šimonfy, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, carltu...@gmail.com
Our plan is to remove support entirely.

It's good to hear from developers who have been using Web SQL - since the vast majority of uses we've found on the web emanate from standard libraries using it for browser sniffing or as a backup for basic key-value storage. If you're using it, and migration to SQLite-over-Wasm looks hard for you, I'd like to hear more about your use case. It's always difficult when a feature you rely on gets removed - but we want to make this as easy on everyone as possible.

Michal Šimonfy

не прочитано,
14 дек. 2022 г., 17:44:4014.12.2022
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, carltu...@gmail.com, Michal Šimonfy
Hi Ben, thank you for your answer!

I figured that the plan is to phase out support entirely, I was just wondering whether deprecating and removing WebSQL "in non-secure contexts" is going to affect chrome extensions (I assume it is not). Is there a specific timeline for removing WebSQL from the extensions and "secure contexts"?

I'm using WebSQL for a legacy reasons, I created my extension when WebSQL was a new thing in Chrome and I liked the fact that I was able to use a relational database. I was hesitant to stop using it because it was working well for my use case and seemed to be reliable for all these years. I'll have to explore all the available options and SQLite-over-Wasm looks great, although I might just try to migrate to chrome.storage or IndexedDB.

Best,
Michal

Ben Morss

не прочитано,
15 дек. 2022 г., 19:02:5315.12.2022
– Michal Šimonfy, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, carltu...@gmail.com
HI Michal,

We don't yet have a date for removing WebSQL everywhere. We need to finish looking for more examples of current nontrivial usage. The best I can say is, in 2023, but not super early in 2023. You'll have plenty of notice!

Ben

Thomas Steiner

не прочитано,
31 янв. 2023 г., 03:38:3531.01.2023
– Carl Turechek, blink-dev, mo...@google.com, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, michal....@gmail.com
Hi all,

I realize we haven't announced the general availability of our Web SQL replacement on this list yet (apologies). It's an official port of SQLite to WebAssembly (Wasm) by the SQLite team, which is backed by the Origin Private File System (OPFS) for maximum performance. You can read all details, including a code sample and demo, in our blog post: https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/.

Cheers,
Tom 

Carl Turechek

не прочитано,
31 янв. 2023 г., 11:03:2431.01.2023
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, Carl Turechek, michal....@gmail.com
Referring to this example  https://developer.chrome.com/blog/deprecating-web-sql/   , promises might resolve the callback madness there. Do you really need actual transactions if it is in the browser though? Thanks again for the responses!  Peace

Carl Turechek

не прочитано,
31 янв. 2023 г., 11:04:1331.01.2023
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, Carl Turechek
I'll probably just scrap it and ajax everything to that dusty old mysql thing. But I do appreciate the links! 

Carl Turechek

не прочитано,
31 янв. 2023 г., 11:04:2331.01.2023
– blink-dev, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, Carl Turechek, michal....@gmail.com
Are you sure that callback hell can't be avoided using js promises? If that is a major reason then hopefully you're right. I think it should remain in the desktop browsers at least, or as an option still. Thanks for the heads up on turning off updates lol
On Thursday, December 15, 2022 at 7:02:53 PM UTC-5 mo...@google.com wrote:

Carl Turechek

не прочитано,
31 янв. 2023 г., 16:13:3231.01.2023
– blink-dev, Carl Turechek, mo...@google.com, blink-dev, ay...@chromium.org, mike...@chromium.org, Chris Harrelson, mk...@chromium.org, Joshua Bell, ajayra...@google.com, yoav...@chromium.org, tste...@google.com, michal....@gmail.com
Going to all that trouble for a "replacement" that's not any better .. ok. Good luck finding anyone who'd actually use it.

Randy Lauen

не прочитано,
31 янв. 2023 г., 17:36:4731.01.2023