LGTM to extend the deprecation trial M122-M126

On Thu, Feb 29, 2024 at 4:55 PM Yifan Luo <l...@google.com> wrote:

> I would like to extend to M126. The current trial ends in M122 while
> permission prompt launched in M124. We need 3 milestones after permission
> prompt's launch to support websites to migrate to use the permission prompt.
>
> On Wednesday, February 28, 2024 at 4:56:59 PM UTC+1 Yoav Weiss wrote:
>
>> Can you clarify which milestones are you requesting to run this extended
>> deprecation trial on?
>>
>> On Wed, Feb 28, 2024 at 11:01 AM 'Yifan Luo' via blink-dev <
>> blin...@chromium.org> wrote:
>>
>>> Contact emailsl...@chromium.org, tit...@chromium.org, cl...@chromium.org
>>> , mk...@chromium.org, va...@chromium.org
>>>
>>> Explainer
>>> https://github.com/WICG/private-network-access/blob/master/explainer.md
>>>
>>> Specificationhttps://wicg.github.io/private-network-access
>>>
>>> Design docs
>>>
>>> https://docs.google.com/document/d/1x1a1fQLOrcWogK3tpFBgQZQ5ZjcONTvD0IqqXkgrg5I/edit#heading=h.7nki9mck5t64
>>>
>>> Summary
>>>
>>> Requires that private network requests for subresources from public
>>> websites may only be initiated from a secure context. Examples include
>>> internet to intranet requests and internet to loopback requests. This is a
>>> first step towards fully implementing Private Network Access:
>>> https://wicg.github.io/private-network-access/
>>>
>>>
>>> ------
>>>
>>>
>>> PNA permission prompt is scheduled to be shipped on M124:
>>> https://chromestatus.com/feature/5954091755241472, we need 3 more
>>> milestones for developers to migrate to permission prompt and exit this
>>> deprecation trial.
>>>
>>>
>>> Blink componentBlink>SecurityFeature>CORS>PrivateNetworkAccess
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS%3EPrivateNetworkAccess>
>>>
>>> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/572
>>>
>>> TAG review statusIssues addressed
>>>
>>> Chromium Trial NamePrivateNetworkAccessNonSecureContextsAllowed
>>>
>>> Link to origin trial feedback summary
>>> https://docs.google.com/spreadsheets/d/1z5ZdCslNCnSVR7TNlUTHjSvunMFmT_9G9NOx8-O78-I/edit?usp=sharing&resourcekey=0-DITlG8tDuFDWHiBUHnlSoQ
>>>
>>> Origin Trial documentation link
>>> https://developer.chrome.com/blog/private-network-access-update/
>>>
>>> WebFeature UseCounter name
>>> kPrivateNetworkAccessNonSecureContextsAllowedDeprecationTrial
>>>
>>> Risks
>>>
>>>
>>> Interoperability and Compatibility
>>>
>>> No interoperability risks. Compatibility risk is small but
>>> non-negligible. UseCounters show ~0.1% of page visit making use of this
>>> feature. Direct outreach to the largest users per UKM data revealed no
>>> objections to this launch. Rolling this deprecation out to beta per the
>>> previous I2S resulted in more feedback about the compatibility risk and the
>>> need for a time extension. See the following doc for an extensive
>>> discussion:
>>> https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit
>>>
>>>
>>> *Gecko*: Positive (
>>> https://github.com/mozilla/standards-positions/issues/143) Tentatively
>>> positive, but no formal position yet.
>>>
>>> *WebKit*: Positive (
>>> https://lists.webkit.org/pipermail/webkit-dev/2021-May/031837.html)
>>>
>>> *Web developers*: Mixed signals (
>>> https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit)
>>> In our recent survey, most of websites are able to migrate if our new
>>> permission prompt can be landed as a way for them to relax mixed content
>>> checks.
>>> https://docs.google.com/spreadsheets/d/1z5ZdCslNCnSVR7TNlUTHjSvunMFmT_9G9NOx8-O78-I/edit?resourcekey=0-DITlG8tDuFDWHiBUHnlSoQ#gid=309953809
>>>  ------------
>>> Some websites, broadly falling in the category of controller webapps for
>>> IoT devices, find this change incompatible with their use cases. While many
>>> use cases can be solved with specific workarounds, some still require
>>> further engagement.
>>>
>>> *Other signals*:
>>>
>>> Activation
>>>
>>> Developers of non-secure sites that rely upon local servers will need to
>>> upgrade to HTTPS. This might cause some complications, as mixed-content
>>> checks will begin to apply. Chrome carves out HTTP access to loopback (as
>>> perhttps://w3c.github.io/webappsec-secure-contexts/#localhost), which
>>> is a release valve for folks who don't want to go through the effort of
>>> securely-distributing certs for local servers. The initial launch in M92
>>> was delayed due to compatibility risks surfaced during the rollout to beta.
>>> See this doc for a lot more details:
>>> https://docs.google.com/document/d/1bpis0QwaA9ZrRFmpPW6LiaPmdwT0UhhUMNsEnU0zfLk/edit
>>>
>>>
>>> Security
>>>
>>> This change should be security-positive.
>>>
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>>
>>>
>>> Debuggability
>>>
>>> When a request is made that violates this restriction and the feature is
>>> not enabled, three things happen: 1. A warning message is logged to the
>>> DevTools console. 2. A deprecation report is filed against the initiator
>>> website's Reporting API, if so configured. 3. An issue is surfaced in the
>>> DevTools Issues panel. Likewise, when the feature is enabled and a request
>>> is blocked, the same happens except that the message logged to the DevTools
>>> console is an error and its text is slightly different. The devtools
>>> network panel shows information about the source and remote address spaces
>>> at play.
>>>
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>> ?Yes
>>>
>>>
>>> https://wpt.fyi/results/fetch/private-network-access?label=master&label=experimental&aligned
>>>
>>>
>>> Flag name on chrome://flagsBlockInsecurePrivateNetworkRequests
>>>
>>> Finch feature nameNone
>>>
>>> Non-finch justificationNone
>>>
>>> Requires code in //chrome?False
>>>
>>> Tracking bughttps://crbug.com/986744
>>>
>>> Launch bughttps://crbug.com/1129801
>>>
>>> Estimated milestones
>>> Shipping on desktop 127
>>> OriginTrial desktop last 126
>>> OriginTrial desktop first 94
>>> DevTrial on desktop 86
>>> OriginTrial Android last 126
>>> OriginTrial Android first 94
>>> DevTrial on Android 86
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/5436853517811712
>>>
>>> Links to previous Intent discussionsReady for Trial:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/EeGg7TxW6U4/m/7ZvqAqHLAwAJ
>>> Intent to Experiment:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/vlDZXlPb00k/m/1421ACiuAAAJ
>>> Intent to Extend Experiment:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/JPD001kqeck
>>> Intent to Ship:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/JPD001kqeck
>>>
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+...@chromium.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU82-fEXxGchvtMVvHkk_qnW7NzVvCznNCBFWrY0OrXuCw%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAG-zKU82-fEXxGchvtMVvHkk_qnW7NzVvCznNCBFWrY0OrXuCw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSLpjjEzU0-7vk%3DoFFCFKCRJ6Gy1n%2BZU-oCW51sL2wHuYA%40mail.gmail.com.

Reply via email to