LTGM2. Good luck with the removal. -mike
On Fri, Jul 8, 2022 at 6:44 PM Yoav Weiss <[email protected]> wrote: > LGTM1 to deprecate and remove. > Please roll out the removal carefully. I'd similarly be surprised if the > removal causes breakage, but I have been surprised before, so.. :) > > On Fri, Jul 8, 2022 at 6:41 PM Emily Stark <[email protected]> wrote: > >> >> On Fri, Jul 8, 2022 at 9:34 AM Yoav Weiss <[email protected]> wrote: >> >>> What deprecation/removal timelines did you have in mind? >>> >> >> Since there's no user-visible impact, I was hoping to do a console >> message in M105 and then remove in M106. >> >>> >>> On Fri, Jul 8, 2022 at 6:31 PM Emily Stark <[email protected]> wrote: >>> >>>> Contact [email protected] >>>> >>>> ExplainerNone >>>> >>>> Specificationhttps://datatracker.ietf.org/doc/rfc9163 >>>> >>>> Summary >>>> >>>> Expect-CT is an HTTP header that allowed websites to opt in to >>>> Certificate Transparency enforcement before it was enforced by default. It >>>> also has reporting functionality to help developers discover CT >>>> misconfigurations. >>>> >>>> >>>> Blink componentInternals>Network>DomainSecurityPolicy >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3EDomainSecurityPolicy> >>>> >>>> Motivation >>>> >>>> Expect-CT was designed to help transition to universal Certificate >>>> Transparency (CT) enforcement, by allowing high-value websites to opt in to >>>> CT enforcement/reporting for better security before CT enforcement was >>>> required (by Chrome) on all public websites. However, Expect-CT has now >>>> outlived its usefulness. Chrome requires CT on all public websites now, so >>>> there is no security value to Expect-CT anymore. Expect-CT was also >>>> designed to help site owners discover CT-related misconfigurations; >>>> however, now that CT is universally required, CT is generally configured in >>>> websites' certificates by certificate authorities and virtually never >>>> configured by individual site owners, thus Expect-CT has very limited value >>>> as a misconfiguration/debugging tool anymore either. No other browser has >>>> implemented Expect-CT so removing it is not an interoperability concern. >>>> >>>> >>>> Initial public proposal >>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ >>>> >>>> TAG reviewn/a >>>> >>>> TAG review statusNot applicable >>>> >>>> Risks >>>> >>>> >>>> Interoperability and Compatibility >>>> >>>> >>>> No other browser has implemented Expect-CT or given signals that they >>>> intend to (to my knowledge). Expect-CT is not user-visible so removing the >>>> feature has no compatibility risk. Developers who are currently sending the >>>> header should stop doing so just to save the bytes on the wire. >>>> >>>> While the header is served on a large percent of requests (~6%), this >>>> is likely due to a small number of large providers that can be informed of >>>> the deprecation via 1:1 outreach. >>>> >>> >>> Are you planning to wait for usage to drop as a result of this outreach? >>> Or are you fairly confident that removing will not break content due to >>> some weird server side reliance on the header? >>> >> >> I would be very very surprised if the removal caused any breakage, so I >> think we can go ahead with the removal without waiting for usage to drop. >> The outreach is really just a heads-up to allow websites to save some bytes >> on serving the header and turn down any infrastructure they have in place >> for receiving reports, but the feature is essentially a no-op right now so >> removing it shouldn't cause any breakage. >> >> >>> >>> >>>> As described above, the header serves no security value any longer, >>>> removing it will have no user-visible effects, and the header provides >>>> extremely minimal debugging value to developers since developers are no >>>> longer responsible for serving their own CT information (100.00% of >>>> requests serve CT information directly embedded in the certificate, which >>>> developers are not responsible for configuring). >>>> >>>> *Gecko*: No signal >>>> >>>> *WebKit*: No signal >>>> >>>> *Web developers*: No signals >>>> >>>> *Other signals*: >>>> >>>> WebView application risks >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> >>>> >>>> >>>> Debuggability >>>> >>>> We'll add a console message informing developers that the header >>>> will/has no effect and they should remove it. >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ?No >>>> >>>> Flag name >>>> >>>> Requires code in //chrome?False >>>> >>>> Estimated milestones >>>> >>>> No milestones specified >>>> >>>> >>>> Link to entry on the Chrome Platform Status >>>> https://chromestatus.com/feature/6244547273687040 >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://chromestatus.com/>. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWPRsmX5O9pxzVkXCqWDqtTQwWkO0b-2EHh-1ZC5A6LzA%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWPRsmX5O9pxzVkXCqWDqtTQwWkO0b-2EHh-1ZC5A6LzA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DdCC5kWim0Eo4vYdmXMuZOX4FD-LDg17VkM_txhg-Xgrg%40mail.gmail.com.
