Reusing this thread would be totally fine. On Wed, May 11, 2022, 11:29 AM Lutz Vahl <v...@chromium.org> wrote:
> Great, thanks Chris. > I'll report back in the next months. Shall I use this thread to do so or > kick off a new one - any preferences? > > On Tue, May 10, 2022 at 11:09 PM Chris Harrelson <chris...@chromium.org> > wrote: > >> LGTM to experiment for 3 additional milestones. I think this counts for >> sure as substantial progress. >> >> Thank you for all the useful information and your dedication to doing >> right by the web and partner developers! >> >> >> On Fri, May 6, 2022 at 5:58 AM 'Arthur Hemery' via blink-dev < >> blink-dev@chromium.org> wrote: >> >>> Hi everyone I just wanted to chime in as the current owner of the COI >>> with popups effort. Spec discussions have been extremely long >>> <https://github.com/whatwg/html/issues/6364> since the topic is complex >>> and other vendors don't have the same incentive, since they've completely >>> disabled SAB. We're working hard on making this move forward but some of it >>> is out of our control. We're doing as much implementation work in advance >>> as possible, so that once we agree with Firefox it goes promptly. >>> >>> PS: If you're working on a website that currently uses the reverse OT >>> because it needs to interact with popups, feel free to reach out to me >>> personally about your thoughts on the current proposal >>> <https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md>. >>> Getting developers feedback will help make it move faster! >>> >>> On Friday, May 6, 2022 at 10:29:45 AM UTC+2 va...@chromium.org wrote: >>> >>>> Hi API owners, >>>> >>>> CIL. >>>> PLMK in case you've additional questions. >>>> >>>> On Wed, May 4, 2022 at 6:41 PM Chris Harrelson <chri...@chromium.org> >>>> wrote: >>>> >>>>> The API owners met today and discussed this Intent. >>>>> >>>>> Overall, I'd summarize as saying that I think the API owners would >>>>> only be comfortable extending the origin trial by 3 milestones at this >>>>> time. (We have not yet approved that extension however; first I'd like to >>>>> wait for an answer to the followup question inline below). >>>>> >>>> Happy to report back after the M106 branch point if we were able to >>>> start the OTs of Anonymous iframes and COI+popups. We'll not be able to >>>> report any impact of the use counters on stable at that time. >>>> >>>>> >>>>> After that time, if you wish to extend it further, you'll need to show >>>>> substantial >>>>> additional progress >>>>> <https://www.chromium.org/blink/launching-features/#step-3-optional-origin-trial> >>>>> towards shipping. For me, substantial progress could include "we rolled >>>>> out >>>>> more of the mechanisms to make it easy to migrate", "the number of reverse >>>>> OT participants dropped substially", or "the use counter and list of sites >>>>> at risk reduced substantially". >>>>> >>>> In the current OT time frame we've shipped COEP:credentialless - so >>>> there was substantial progress made. Nevertheless two pieces are still >>>> missing to make the adoption possible in all cases where we're working on >>>> finalizing the spec and the implementations. +Camille Lamy Is able to >>>> share more about the complexities involved and why this is taking so long. >>>> >>>>> >>>>> On Wed, Apr 27, 2022 at 9:27 AM Lutz Vahl <va...@chromium.org> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Wed, Apr 27, 2022 at 5:14 PM Chris Harrelson <chri...@chromium.org> >>>>>> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl <va...@chromium.org> >>>>>>> wrote: >>>>>>> >>>>>>>> Contact emails >>>>>>>> >>>>>>>> va...@chromium.org cl...@chromium.org >>>>>>>> >>>>>>>> Explainer >>>>>>>> >>>>>>>> >>>>>>>> https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k >>>>>>>> >>>>>>>> Specification >>>>>>>> >>>>>>>> https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects >>>>>>>> >>>>>>>> Design docs Including the new security requirements >>>>>>>> >>>>>>>> >>>>>>>> https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer >>>>>>>> >>>>>>>> Discussion how and what to gate >>>>>>>> >>>>>>>> https://github.com/whatwg/html/issues/4732 >>>>>>>> >>>>>>>> Summary >>>>>>>> >>>>>>>> ‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to >>>>>>>> cross-origin isolated environments, matching the behavior we've >>>>>>>> recently >>>>>>>> shipped on Android and Firefox. We've performed that change in Chrome >>>>>>>> 92. A >>>>>>>> reverse OT was started to give developers the option to use SABs in >>>>>>>> case >>>>>>>> they are not able to adopt cross origin isolation yet. >>>>>>>> >>>>>>>> We’ve received lot’s of feedback that adopting COOP/COEP is hard >>>>>>>> (details below). Therefore I’m asking for your approval to extend the >>>>>>>> SAB >>>>>>>> reverse OT again from M103 until M113 (branch point 2023-03-23). This >>>>>>>> is an estimation - Can we come back to y'all in 6 months with a report >>>>>>>> on >>>>>>>> progress and usage to justify that extension and agree on the final >>>>>>>> milestone? >>>>>>>> >>>>>>>> Experimental timeline / plan for all new capabilities needed to >>>>>>>> replace the OT >>>>>>>> >>>>>>>> The SAB restriction in M92 went smoothly without any major issues >>>>>>>> in the wild because we offered the reverse OT. We’ve received lots of >>>>>>>> feedback that adopting COOP/COEP is hard and sometimes impossible. >>>>>>>> Therefore the reverse OT is currently the only way to enable SABs for >>>>>>>> some >>>>>>>> sites within Chromium. Chromestatus is showing that SABs in none COI >>>>>>>> context are being used on ~0.36% >>>>>>>> <https://chromestatus.com/metrics/feature/popularity#V8SharedArrayBufferConstructedWithoutIsolation> >>>>>>>> page loads. >>>>>>>> >>>>>>> >>>>>>> This seems off by a factor of 10. The real number seems to be 0.036% >>>>>>> or so >>>>>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3721>, >>>>>>> right? Can you highlight why it's important to extend for 10 more >>>>>>> milestones for such a small percentage of traffic? Will the sites in >>>>>>> question completely break for some reason, or just behave the same as in >>>>>>> non-chromium browsers? >>>>>>> >>>>>> That's on me: 0.036% >>>>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3721> is >>>>>> correct! >>>>>> Some sites use SAB to gain extra performance on chromium based >>>>>> browsers in some cases 3P content is using SABs. Some might work without >>>>>> the OT others will break based on how they identify their code path to be >>>>>> used. >>>>>> >>>>>> The list of OT registrations is ~500 and most of them mentioned to be >>>>>> blocked by 3Ps to deploy COOP+COEP broadly. >>>>>> We're happy to extend the OT to give them time to adopt. Do you >>>>>> (and/or other API owners) think this is not required based on the low >>>>>> usage? >>>>>> >>>>> >>>>> Thanks for this information. Can you also share some examples of >>>>> specific sites you're concerned about breaking and how they would break? >>>>> >>>> I've shared Zoom and Google Earth already in the original post. The >>>> breakage is based on a performance drop in case pThreads are not available >>>> any more. Therefore the page (or parts of it) came unusable. >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>>> >>>>>>>> To overcome this limitation and make adoption possible more broadly >>>>>>>> (public feedback <https://github.com/WICG/proposals/issues/53>), >>>>>>>> we’re working on multiple solutions >>>>>>>> <https://github.com/camillelamy/explainers/blob/main/cross-origin-isolation-deployment.md> >>>>>>>> (all shared timelines are WIP): >>>>>>>> >>>>>>>> >>>>>>>> 1. >>>>>>>> >>>>>>>> COEP:credentialless <https://github.com/WICG/credentiallessness> >>>>>>>> - https://crbug.com/1218896 >>>>>>>> >>>>>>>> COEP:credentialless causes no-cors cross-origin requests not to >>>>>>>> include >>>>>>>> >>>>>>>> credentials (cookies, client certificates, etc...). Similarly to >>>>>>>> require-corp, it can be used to enable cross-origin-isolation. Some >>>>>>>> developers are blocked on a set of dependencies which don't yet assert >>>>>>>> that >>>>>>>> they're safe to embed in cross-origin isolated environments. >>>>>>>> >>>>>>>> This mechanism was shipped in M96. (Adoption is already at 0.02% >>>>>>>> <https://chromestatus.com/metrics/feature/popularity#CrossOriginEmbedderPolicyCredentialless> >>>>>>>> of main pages) >>>>>>>> >>>>>>>> >>>>>>>> 1. >>>>>>>> >>>>>>>> COI+popups (formally: COOP same-origin-allow-popups-plus-coep >>>>>>>> >>>>>>>> <https://github.com/camillelamy/explainers/blob/main/coi-with-popups.md> >>>>>>>> ) >>>>>>>> >>>>>>>> To allow crossOriginIsolated pages to use popup-based OAuth/payment >>>>>>>> flows, we plan to have COOP same-origin-allow-popups enable >>>>>>>> crossOriginIsolation when used in conjunction with COEP. Developers who >>>>>>>> depend on popups to 3P for e.g. identity or payment flows can’t >>>>>>>> currently >>>>>>>> deploy cross-origin-isolation. >>>>>>>> >>>>>>>> Spec work is ongoing and we’re targeting Q2 2022 for the OT and Q3 >>>>>>>> for the shipping. As soon as the spec is defined, we’ll kick off the >>>>>>>> intent >>>>>>>> process. Without this all sites need to migrate to FedCM and >>>>>>>> WebPayment for >>>>>>>> their flows to be able to use SABs. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 1. >>>>>>>> >>>>>>>> Anonymous iframes <https://github.com/WICG/anonymous-iframe> >>>>>>>> >>>>>>>> Anonymous iframes are a generalization of COEP credentialless to >>>>>>>> support 3rd party iframes that may not deploy COEP. Like with COEP >>>>>>>> credentialless, we replace the opt-in of cross-origin subresources by >>>>>>>> avoiding to load non-public resources. This will remove the constraint >>>>>>>> and >>>>>>>> will unblock developers to adopt cross-origin-isolation as soon as >>>>>>>> they’re >>>>>>>> embedding 3P iframes. >>>>>>>> >>>>>>>> Based on the progress made for storage partitioning and CHIPs, >>>>>>>> which are needed to safely ship Anonymous iframes, we’re aiming to >>>>>>>> start >>>>>>>> the OT in Q2 2022 (M106) and the rollout in Q3 2022 (M110). >>>>>>>> >>>>>>>> Blink component >>>>>>>> >>>>>>>> Blink>JavaScript >>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EJavaScript> >>>>>>>> >>>>>>>> Search tags >>>>>>>> >>>>>>>> SharedArrayBuffer >>>>>>>> <https://chromestatus.com/features#tags:SharedArrayBuffer>, SAB >>>>>>>> <https://chromestatus.com/features#tags:SAB> >>>>>>>> >>>>>>>> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/471 >>>>>>>> TAG review statusClosed >>>>>>>> RisksInteroperability and Compatibility >>>>>>>> >>>>>>>> We expect this change to negatively impact developers using >>>>>>>> `SharedArrayBuffer` today. Chrome was the only platform where SABs have >>>>>>>> been available without COOP/COEP. Therefore we need to give developers >>>>>>>> the >>>>>>>> right capabilities and a clear path forward to ensure they’ve enough >>>>>>>> time >>>>>>>> to adopt. We aim to mitigate these risks by adopting a >>>>>>>> longer-than-usual >>>>>>>> depreciation period with console warnings/issues and a reverse origin >>>>>>>> trial. >>>>>>>> >>>>>>>> Good news is usage is down to ~0.36% >>>>>>>> <https://chromestatus.com/metrics/feature/popularity#V8SharedArrayBufferConstructedWithoutIsolation> >>>>>>>> page loads and that other browsers have or are shipping SABs again >>>>>>>> gated behind COOP/COEP. Bad news is that Chromium was the only browser >>>>>>>> that >>>>>>>> supported SABs without COI, therefore we need to provide a migration >>>>>>>> path >>>>>>>> to not break existing sites such as Zoom or Google Earth. >>>>>>>> >>>>>>>> Gecko: Shipped/Shipping ( >>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1312446) >>>>>>>> >>>>>>>> WebKit: Added COOP/COEP and SAB support recently gated behind >>>>>>>> COOP/COEP >>>>>>>> >>>>>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>> >>>>>>>> No - This OT is only for desktop, as this was the only platform >>>>>>>> where SABs have been available without COOP/COEP. >>>>>>>> >>>>>>>> Android re-enabled SABs gated behind COOP/COEP: >>>>>>>> https://chromestatus.com/feature/5171863141482496 >>>>>>>> >>>>>>>> Tracking bug >>>>>>>> >>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1144104 >>>>>>>> >>>>>>>> Launch bug >>>>>>>> >>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1138860 >>>>>>>> >>>>>>>> Blink-dev Thread >>>>>>>> >>>>>>>> Planning isolation requirements (COOP/COEP) for SharedArrayBuffer >>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_0MEXs6TJhg/m/QzWOGv7pAQAJ> >>>>>>>> >>>>>>>> I2S >>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/1NKvbIj3dq4/m/nLcgUst-BQAJ> >>>>>>>> >>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>> >>>>>>>> https://chromestatus.com/feature/4570991992766464 >>>>>>>> >>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to blink-dev+...@chromium.org. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBN2JhcYtpT4UYKcAfHt1e0Wz_Uxz0CkXcAntguhbmyNCA%40mail.gmail.com >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBN2JhcYtpT4UYKcAfHt1e0Wz_Uxz0CkXcAntguhbmyNCA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to blink-dev+...@chromium.org. >>>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_HkK7R3fA0pyGUm8MNjbqoBR54XrQZWKeD464qb6JNhA%40mail.gmail.com >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_HkK7R3fA0pyGUm8MNjbqoBR54XrQZWKeD464qb6JNhA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+...@chromium.org. >>>>> >>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BN6QZsiRA7SaCapgRDnnGC7RNFZ82NRW_xadxOm4e0xNLJuNA%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BN6QZsiRA7SaCapgRDnnGC7RNFZ82NRW_xadxOm4e0xNLJuNA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/df3c52f6-d928-404f-9d92-740edba62502n%40chromium.org >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/df3c52f6-d928-404f-9d92-740edba62502n%40chromium.org?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9dUzHffPmitk5iv%2BvKx03_6bmf9WUp6%2BKShMgyEY8xqw%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9dUzHffPmitk5iv%2BvKx03_6bmf9WUp6%2BKShMgyEY8xqw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNs_nxh5pKgV_W2%3DNufRsrU_LA7CW-tso_0uJm3Aswy0g%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNs_nxh5pKgV_W2%3DNufRsrU_LA7CW-tso_0uJm3Aswy0g%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw84WJS-Vt4S8%2BiRuHqZZaGaP58MCNCo3sCJoH%3DwxN%2BmBg%40mail.gmail.com.
