Update: this will likely now be deprecated in M106 and removed in M107; using the Deprecation Reporting mechanism is proving to be significantly more complicated than I expected.
On Tue, Jul 12, 2022 at 1:52 PM Emily Stark <[email protected]> wrote: > Hi Joe -- I'm planning to deprecate in M105 and remove in M106. > > On Mon, Jul 11, 2022 at 9:09 AM Joe Medley <[email protected]> wrote: > >> Emily, >> >> In which milestone will this be removed? >> >> Joe >> Joe Medley | Technical Writer, Chrome DevRel | [email protected] | >> 816-678-7195 <(816)%20678-7195> >> *If an API's not documented it doesn't exist.* >> >> >> On Fri, Jul 8, 2022 at 9:31 AM Emily Stark <[email protected]> wrote: >> >>> Contact [email protected] >>> >>> ExplainerNone >>> >>> Specificationhttps://datatracker.ietf.org/doc/rfc9163 >>> >>> Summary >>> >>> Expect-CT is an HTTP header that allowed websites to opt in to >>> Certificate Transparency enforcement before it was enforced by default. It >>> also has reporting functionality to help developers discover CT >>> misconfigurations. >>> >>> >>> Blink componentInternals>Network>DomainSecurityPolicy >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3EDomainSecurityPolicy> >>> >>> Motivation >>> >>> Expect-CT was designed to help transition to universal Certificate >>> Transparency (CT) enforcement, by allowing high-value websites to opt in to >>> CT enforcement/reporting for better security before CT enforcement was >>> required (by Chrome) on all public websites. However, Expect-CT has now >>> outlived its usefulness. Chrome requires CT on all public websites now, so >>> there is no security value to Expect-CT anymore. Expect-CT was also >>> designed to help site owners discover CT-related misconfigurations; >>> however, now that CT is universally required, CT is generally configured in >>> websites' certificates by certificate authorities and virtually never >>> configured by individual site owners, thus Expect-CT has very limited value >>> as a misconfiguration/debugging tool anymore either. No other browser has >>> implemented Expect-CT so removing it is not an interoperability concern. >>> >>> >>> Initial public proposal >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ >>> >>> TAG reviewn/a >>> >>> TAG review statusNot applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> >>> No other browser has implemented Expect-CT or given signals that they >>> intend to (to my knowledge). Expect-CT is not user-visible so removing the >>> feature has no compatibility risk. Developers who are currently sending the >>> header should stop doing so just to save the bytes on the wire. >>> >>> While the header is served on a large percent of requests (~6%), this is >>> likely due to a small number of large providers that can be informed of the >>> deprecation via 1:1 outreach. As described above, the header serves no >>> security value any longer, removing it will have no user-visible effects, >>> and the header provides extremely minimal debugging value to developers >>> since developers are no longer responsible for serving their own CT >>> information (100.00% of requests serve CT information directly embedded in >>> the certificate, which developers are not responsible for configuring). >>> >>> *Gecko*: No signal >>> >>> *WebKit*: No signal >>> >>> *Web developers*: No signals >>> >>> *Other signals*: >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> >>> >>> Debuggability >>> >>> We'll add a console message informing developers that the header >>> will/has no effect and they should remove it. >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ?No >>> >>> Flag name >>> >>> Requires code in //chrome?False >>> >>> Estimated milestones >>> >>> No milestones specified >>> >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/6244547273687040 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SZwf2Gn%2BiFTGwcFGUWo-kGY%3DMrCRyS3L_5_D3y16QyCoQ%40mail.gmail.com.
