Apologies for missing this! Can you send a new email with an extension request, so that this will get properly tracked by our tooling? Thanks!!
On Mon, Nov 21, 2022 at 2:43 PM Lutz Vahl <[email protected]> wrote: > gentle ping. Any feedback on the request or are we good to extend? > > On Wed, Nov 9, 2022 at 7:12 PM Lutz Vahl <[email protected]> wrote: > >> Hello API owners, >> >> With the branch cut around the corner, I'm happy to present the progress >> made: >> >> Summary >> >> ‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to >> cross-origin isolated environments, matching the behavior we've recently >> shipped on Android and Firefox. We've performed that change in Chrome 92. A >> reverse OT was started to give developers the option to use SABs in case >> they are not able to adopt cross origin isolation yet. >> >> Updates >> >> We’ve received lots of feedback that adopting COOP/COEP is difficult >> (details above). Nevertheless we made substantial progress towards removing >> the usage - Chromestatus is showing that SABs in non-COI context are being >> used on ~0.027% >> <https://chromestatus.com/metrics/feature/timeline/popularity/3721> page >> loads (down from >2.5%). >> >> The API owners asked to prove substantial progress to allow an extension >> until M113 (aimed OT start of the last feature), which I’m happy to >> share. >> >> Once we’ve started the COOP:RP OT I’ll come back to this thread sharing >> feedback and the final deprecation timeline. >> >> >> 1. >> >> *COEP:credentialless <https://github.com/WICG/credentiallessness> - >> https://crbug.com/1218896 <https://crbug.com/1218896>* >> >> COEP:credentialless was shipped in M96. (Adoption is already increasing >> to 0.0032% >> <https://chromestatus.com/metrics/feature/popularity#CrossOriginEmbedderPolicyCredentialless> >> of main pages) >> >> >> 1. >> >> *COOP: restrict-properties >> >> <https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md> >> - launch bug >> <https://bugs.chromium.org/p/chromium/issues/detail?id=1347385> - I2E >> >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/JrMX5H2PX_o/m/JipeWijACAAJ>* >> >> Developers who depend on pop ups to 3P for e.g. identity or payment flows >> can’t currently deploy cross-origin-isolation. To allow crossOriginIsolated >> pages to use popup-based OAuth/payment flows, we plan to have a new COOP >> value: “restrict-properties” that enables crossOriginIsolation when used in >> conjunction with COEP. This new value restricts cross-window access to just >> postMessage and closed instead of completely severing popup access. >> >> Spec work is ongoing (see discussion >> <https://github.com/whatwg/html/issues/6364>, and previous iteration PR >> <https://github.com/whatwg/html/pull/7783>) and requires partners input >> to convince others that it is the correct solution. Initial design and >> implementation met some issues and we got back to the design stage after >> missing the OT in 109. We are iterating on it with support from Chrome >> Security Architecture. See the design doc >> <https://docs.google.com/document/d/1qXlC6HZXd6UDokI8_cHYAVaXhHop0Ia6-z3fZl6saX8/edit> >> and this discussion doc >> <https://docs.google.com/document/d/1gJNFK_hOhQ-nbrAVi5QvoS32QOutOR1IrXHLWIjade4/edit> >> for details. We are now planning to have an OT in early 2022. Other vendors >> and TAG need to be queried again for standardization once the new design is >> considered good, but that is not required to start the OT, since feedback >> will very likely have influence. This feature is the last puzzle piece to >> make COI adoption possible across various use cases. >> >> >> >> 1. >> >> *Anonymous iframes <https://github.com/WICG/anonymous-iframe> - >> launch bug <https://crbug.com/1342928> - I2P >> >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/CjrLTguZuO4/m/kEO65RvCAAAJ> >> - I2E >> >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/-7H19EHTenU/m/oWfFm21eAAAJ> >> - I2S >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/twjmdCcfHYM>* >> >> Anonymous iframes are a generalization of COEP credentialless to support >> 3rd party iframes. Instead of waiting for the third party to opt-in into >> COEP, it allows the embedder to load the public version of iframe without >> requiring COEP. The anonymous iframe’s document is assigned a new and >> ephemeral storage/network/cookie partition. >> >> The Anonymous iframes <https://github.com/WICG/anonymous-iframe> OT >> started in M106 and we’ve received positive >> <https://docs.google.com/document/d/1WzOrxIQnq9sTFkou9P8GshrQSeyO3MBdSvYqJjP410Q/edit#bookmark=id.cm0t44nhlzwt> >> feedback from developers. We would like to address issue/5 >> <https://github.com/WICG/anonymous-iframe/issues/5> and enable the >> feature in M110 >> >> The spec: >> https://wicg.github.io/anonymous-iframe/#specification (PRs: 1 >> <https://github.com/whatwg/html/pull/7695>,2 >> <https://github.com/whatwg/fetch/pull/1416>,3 >> <https://github.com/whatwg/storage/pull/139>) >> >> >> Cheers, >> Lutz >> >> On Mon, Aug 1, 2022 at 2:57 PM Lutz Vahl <[email protected]> wrote: >> >>> Thanks, sure I'll come back before the M1909 branch cut to present >>> progress if needed. See you soon :) >>> >>> On Mon, Aug 1, 2022 at 2:44 PM Yoav Weiss <[email protected]> >>> wrote: >>> >>>> Given the evidence you presented, which shows significant progress, >>>> LGTM to experiment until M109 inclusive. >>>> >>>> Please come back to this thread (with any future progress) if further >>>> extensions are needed. >>>> >>>> Cheers :) >>>> Yoav >>>> >>>> On Mon, Aug 1, 2022 at 2:17 PM Lutz Vahl <[email protected]> wrote: >>>> >>>>> Yes, we've asked in the past already for M113 but it was only approved >>>>> to M106 (including) until now. >>>>> Thus I've shared the progress made until now and the outlook. >>>>> >>>>> Cheers, >>>>> Lutz >>>>> >>>>> Yoav Weiss <[email protected]> schrieb am Mo., 1. Aug. 2022, >>>>> 13:57: >>>>> >>>>>> If I'm reading the past thread comments correctly, the OT extension >>>>>> was approved until M106 (inclusive). Is that correct? >>>>>> >>>>>> On Thu, Jul 28, 2022 at 5:36 PM Lutz Vahl <[email protected]> wrote: >>>>>> >>>>>>> HI all, >>>>>>> >>>>>>> coming back to this thread as discussed a while back. >>>>>>> >>>>>>> Summary >>>>>>> >>>>>>> ‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to >>>>>>> cross-origin isolated environments, matching the behavior we've recently >>>>>>> shipped on Android and Firefox. We've performed that change in Chrome >>>>>>> 92. A >>>>>>> reverse OT was started to give developers the option to use SABs in case >>>>>>> they are not able to adopt cross origin isolation yet. >>>>>>> >>>>>>> Updates >>>>>>> >>>>>>> We’ve received lots of feedback that adopting COOP/COEP is difficult >>>>>>> (details above). Nevertheless we made substantial progress towards >>>>>>> removing >>>>>>> the usage - Chromestatus is showing that SABs in non-COI context are >>>>>>> being >>>>>>> used on ~0.026% >>>>>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3721> >>>>>>> page loads (down from >2.5%). >>>>>>> >>>>>>> The API owners asked to prove substantial progress to allow an >>>>>>> extension until M113 (3x MS after shipping the last feature), which >>>>>>> I’m happy to share: >>>>>>> >>>>>>> >>>>>>> 1. >>>>>>> >>>>>>> COEP:credentialless <https://github.com/WICG/credentiallessness> >>>>>>> - https://crbug.com/1218896 >>>>>>> >>>>>>> COEP:credentialless was shipped in M96. (Adoption is already >>>>>>> increasing to 0.025% >>>>>>> <https://chromestatus.com/metrics/feature/popularity#CrossOriginEmbedderPolicyCredentialless> >>>>>>> of main pages) >>>>>>> >>>>>>> >>>>>>> 1. >>>>>>> >>>>>>> COOP: restrict-properties >>>>>>> >>>>>>> <https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md> >>>>>>> - launch bug >>>>>>> <https://bugs.chromium.org/p/chromium/issues/detail?id=1347385> >>>>>>> - I2E >>>>>>> >>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/JrMX5H2PX_o/m/JipeWijACAAJ> >>>>>>> >>>>>>> Developers who depend on popups to 3P for e.g. identity or payment >>>>>>> flows can’t currently deploy cross-origin-isolation. To allow >>>>>>> crossOriginIsolated pages to use popup-based OAuth/payment flows, we >>>>>>> plan >>>>>>> to have a new COOP value: “restrict-properties” that enables >>>>>>> crossOriginIsolation when used in conjunction with COEP. This new value >>>>>>> restricts cross-window access to just postMessage and closed instead of >>>>>>> completely severing popup access. >>>>>>> >>>>>>> Spec work is ongoing (see discussion >>>>>>> <https://github.com/whatwg/html/issues/6364>, and previous >>>>>>> iteration PR <https://github.com/whatwg/html/pull/7783>) and >>>>>>> requires partners input to convince Mozilla that it is the correct >>>>>>> solution, ENG work is ongoing and we’re targeting M106 for OT and M110 >>>>>>> to >>>>>>> ship. >>>>>>> >>>>>>> >>>>>>> 1. >>>>>>> >>>>>>> Anonymous iframes <https://github.com/WICG/anonymous-iframe> and >>>>>>> COEP reflection - launch bug <https://crbug.com/1342928> - I2P >>>>>>> >>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/CjrLTguZuO4/m/kEO65RvCAAAJ> >>>>>>> - I2E >>>>>>> >>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/-7H19EHTenU/m/oWfFm21eAAAJ> >>>>>>> >>>>>>> Anonymous iframes are a generalization of COEP credentialless to >>>>>>> support 3rd party iframes that may not deploy COEP. Like with COEP >>>>>>> credentialless, we replace the opt-in of cross-origin subresources by >>>>>>> avoiding to load non-public resources. This will remove the constraint >>>>>>> and >>>>>>> will unblock developers to adopt cross-origin-isolation as soon as >>>>>>> they’re >>>>>>> embedding 3P iframes. >>>>>>> >>>>>>> Based on the progress made for storage partitioning and CHIPs, which >>>>>>> are needed to safely ship Anonymous iframes, we’re unblocked to start >>>>>>> the >>>>>>> OT in M106 and the rollout in Q3 2022 (M110). >>>>>>> >>>>>>> The spec: >>>>>>> >>>>>>> https://wicg.github.io/anonymous-iframe/#specification (PRs: 1 >>>>>>> <https://github.com/whatwg/html/pull/7695>,2 >>>>>>> <https://github.com/whatwg/fetch/pull/1416>,3 >>>>>>> <https://github.com/whatwg/storage/pull/139>) >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> PLMK if we can extend the OT until M113. Thanks. >>>>>>> >>>>>>> On Wed, May 11, 2022 at 8:08 PM Chris Harrelson < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Reusing this thread would be totally fine. >>>>>>>> >>>>>>>> On Wed, May 11, 2022, 11:29 AM Lutz Vahl <[email protected]> wrote: >>>>>>>> >>>>>>>>> Great, thanks Chris. >>>>>>>>> I'll report back in the next months. Shall I use this thread to do >>>>>>>>> so or kick off a new one - any preferences? >>>>>>>>> >>>>>>>>> On Tue, May 10, 2022 at 11:09 PM Chris Harrelson < >>>>>>>>> [email protected]> wrote: >>>>>>>>> >>>>>>>>>> LGTM to experiment for 3 additional milestones. I think this >>>>>>>>>> counts for sure as substantial progress. >>>>>>>>>> >>>>>>>>>> Thank you for all the useful information and your dedication to >>>>>>>>>> doing right by the web and partner developers! >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Fri, May 6, 2022 at 5:58 AM 'Arthur Hemery' via blink-dev < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> Hi everyone I just wanted to chime in as the current owner of >>>>>>>>>>> the COI with popups effort. Spec discussions have been extremely >>>>>>>>>>> long <https://github.com/whatwg/html/issues/6364> since the >>>>>>>>>>> topic is complex and other vendors don't have the same incentive, >>>>>>>>>>> since >>>>>>>>>>> they've completely disabled SAB. We're working hard on making this >>>>>>>>>>> move >>>>>>>>>>> forward but some of it is out of our control. We're doing as much >>>>>>>>>>> implementation work in advance as possible, so that once we agree >>>>>>>>>>> with >>>>>>>>>>> Firefox it goes promptly. >>>>>>>>>>> >>>>>>>>>>> PS: If you're working on a website that currently uses the >>>>>>>>>>> reverse OT because it needs to interact with popups, feel free to >>>>>>>>>>> reach out >>>>>>>>>>> to me personally about your thoughts on the current proposal >>>>>>>>>>> <https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md>. >>>>>>>>>>> Getting developers feedback will help make it move faster! >>>>>>>>>>> >>>>>>>>>>> On Friday, May 6, 2022 at 10:29:45 AM UTC+2 [email protected] >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi API owners, >>>>>>>>>>>> >>>>>>>>>>>> CIL. >>>>>>>>>>>> PLMK in case you've additional questions. >>>>>>>>>>>> >>>>>>>>>>>> On Wed, May 4, 2022 at 6:41 PM Chris Harrelson < >>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> The API owners met today and discussed this Intent. >>>>>>>>>>>>> >>>>>>>>>>>>> Overall, I'd summarize as saying that I think the API owners >>>>>>>>>>>>> would only be comfortable extending the origin trial by 3 >>>>>>>>>>>>> milestones at >>>>>>>>>>>>> this time. (We have not yet approved that extension however; >>>>>>>>>>>>> first I'd like >>>>>>>>>>>>> to wait for an answer to the followup question inline below). >>>>>>>>>>>>> >>>>>>>>>>>> Happy to report back after the M106 branch point if we were >>>>>>>>>>>> able to start the OTs of Anonymous iframes and COI+popups. We'll >>>>>>>>>>>> not be >>>>>>>>>>>> able to report any impact of the use counters on stable at that >>>>>>>>>>>> time. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> After that time, if you wish to extend it further, you'll need >>>>>>>>>>>>> to show substantial additional progress >>>>>>>>>>>>> <https://www.chromium.org/blink/launching-features/#step-3-optional-origin-trial> >>>>>>>>>>>>> towards shipping. For me, substantial progress could include "we >>>>>>>>>>>>> rolled out >>>>>>>>>>>>> more of the mechanisms to make it easy to migrate", "the number >>>>>>>>>>>>> of reverse >>>>>>>>>>>>> OT participants dropped substially", or "the use counter and list >>>>>>>>>>>>> of sites >>>>>>>>>>>>> at risk reduced substantially". >>>>>>>>>>>>> >>>>>>>>>>>> In the current OT time frame we've shipped COEP:credentialless >>>>>>>>>>>> - so there was substantial progress made. Nevertheless two pieces >>>>>>>>>>>> are still >>>>>>>>>>>> missing to make the adoption possible in all cases where we're >>>>>>>>>>>> working on >>>>>>>>>>>> finalizing the spec and the implementations. +Camille Lamy Is >>>>>>>>>>>> able to share more about the complexities involved and why this is >>>>>>>>>>>> taking >>>>>>>>>>>> so long. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, Apr 27, 2022 at 9:27 AM Lutz Vahl <[email protected]> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Wed, Apr 27, 2022 at 5:14 PM Chris Harrelson < >>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl < >>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Contact emails >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> [email protected] [email protected] >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Explainer >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Specification >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Design docs Including the new security requirements >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Discussion how and what to gate >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://github.com/whatwg/html/issues/4732 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Summary >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ‘SharedArrayBuffers’ (SABs) on desktop platforms are >>>>>>>>>>>>>>>> restricted to cross-origin isolated environments, matching the >>>>>>>>>>>>>>>> behavior >>>>>>>>>>>>>>>> we've recently shipped on Android and Firefox. We've performed >>>>>>>>>>>>>>>> that change >>>>>>>>>>>>>>>> in Chrome 92. A reverse OT was started to give developers the >>>>>>>>>>>>>>>> option to use >>>>>>>>>>>>>>>> SABs in case they are not able to adopt cross origin isolation >>>>>>>>>>>>>>>> yet. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> We’ve received lot’s of feedback that adopting COOP/COEP is >>>>>>>>>>>>>>>> hard (details below). Therefore I’m asking for your approval >>>>>>>>>>>>>>>> to extend the >>>>>>>>>>>>>>>> SAB reverse OT again from M103 until M113 (branch point >>>>>>>>>>>>>>>> 2023-03-23). This is an estimation - Can we come back to >>>>>>>>>>>>>>>> y'all in 6 months with a report on progress and usage to >>>>>>>>>>>>>>>> justify that >>>>>>>>>>>>>>>> extension and agree on the final milestone? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Experimental timeline / plan for all new capabilities >>>>>>>>>>>>>>>> needed to replace the OT >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The SAB restriction in M92 went smoothly without any major >>>>>>>>>>>>>>>> issues in the wild because we offered the reverse OT. We’ve >>>>>>>>>>>>>>>> received lots >>>>>>>>>>>>>>>> of feedback that adopting COOP/COEP is hard and sometimes >>>>>>>>>>>>>>>> impossible. >>>>>>>>>>>>>>>> Therefore the reverse OT is currently the only way to enable >>>>>>>>>>>>>>>> SABs for some >>>>>>>>>>>>>>>> sites within Chromium. Chromestatus is showing that SABs in >>>>>>>>>>>>>>>> none COI >>>>>>>>>>>>>>>> context are being used on ~0.36% >>>>>>>>>>>>>>>> <https://chromestatus.com/metrics/feature/popularity#V8SharedArrayBufferConstructedWithoutIsolation> >>>>>>>>>>>>>>>> page loads. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> This seems off by a factor of 10. The real number seems to >>>>>>>>>>>>>>> be 0.036% or so >>>>>>>>>>>>>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3721>, >>>>>>>>>>>>>>> right? Can you highlight why it's important to extend for 10 >>>>>>>>>>>>>>> more >>>>>>>>>>>>>>> milestones for such a small percentage of traffic? Will the >>>>>>>>>>>>>>> sites in >>>>>>>>>>>>>>> question completely break for some reason, or just behave the >>>>>>>>>>>>>>> same as in >>>>>>>>>>>>>>> non-chromium browsers? >>>>>>>>>>>>>>> >>>>>>>>>>>>>> That's on me: 0.036% >>>>>>>>>>>>>> <https://chromestatus.com/metrics/feature/timeline/popularity/3721> >>>>>>>>>>>>>> is >>>>>>>>>>>>>> correct! >>>>>>>>>>>>>> Some sites use SAB to gain extra performance on chromium >>>>>>>>>>>>>> based browsers in some cases 3P content is using SABs. Some >>>>>>>>>>>>>> might work >>>>>>>>>>>>>> without the OT others will break based on how they identify >>>>>>>>>>>>>> their code path >>>>>>>>>>>>>> to be used. >>>>>>>>>>>>>> >>>>>>>>>>>>>> The list of OT registrations is ~500 and most of them >>>>>>>>>>>>>> mentioned to be blocked by 3Ps to deploy COOP+COEP broadly. >>>>>>>>>>>>>> We're happy to extend the OT to give them time to adopt. Do >>>>>>>>>>>>>> you (and/or other API owners) think this is not required based >>>>>>>>>>>>>> on the low >>>>>>>>>>>>>> usage? >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks for this information. Can you also share some examples >>>>>>>>>>>>> of specific sites you're concerned about breaking and how they >>>>>>>>>>>>> would break? >>>>>>>>>>>>> >>>>>>>>>>>> I've shared Zoom and Google Earth already in the original post. >>>>>>>>>>>> The breakage is based on a performance drop in case pThreads are >>>>>>>>>>>> not >>>>>>>>>>>> available any more. Therefore the page (or parts of it) came >>>>>>>>>>>> unusable. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> To overcome this limitation and make adoption possible more >>>>>>>>>>>>>>>> broadly (public feedback >>>>>>>>>>>>>>>> <https://github.com/WICG/proposals/issues/53>), we’re >>>>>>>>>>>>>>>> working on multiple solutions >>>>>>>>>>>>>>>> <https://github.com/camillelamy/explainers/blob/main/cross-origin-isolation-deployment.md> >>>>>>>>>>>>>>>> (all shared timelines are WIP): >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 1. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> COEP:credentialless >>>>>>>>>>>>>>>> <https://github.com/WICG/credentiallessness> - >>>>>>>>>>>>>>>> https://crbug.com/1218896 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> COEP:credentialless causes no-cors cross-origin requests >>>>>>>>>>>>>>>> not to include >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> credentials (cookies, client certificates, etc...). >>>>>>>>>>>>>>>> Similarly to require-corp, it can be used to enable >>>>>>>>>>>>>>>> cross-origin-isolation. >>>>>>>>>>>>>>>> Some developers are blocked on a set of dependencies which >>>>>>>>>>>>>>>> don't yet assert >>>>>>>>>>>>>>>> that they're safe to embed in cross-origin isolated >>>>>>>>>>>>>>>> environments. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> This mechanism was shipped in M96. (Adoption is already at >>>>>>>>>>>>>>>> 0.02% >>>>>>>>>>>>>>>> <https://chromestatus.com/metrics/feature/popularity#CrossOriginEmbedderPolicyCredentialless> >>>>>>>>>>>>>>>> of main pages) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 1. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> COI+popups (formally: COOP >>>>>>>>>>>>>>>> same-origin-allow-popups-plus-coep >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://github.com/camillelamy/explainers/blob/main/coi-with-popups.md> >>>>>>>>>>>>>>>> ) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> To allow crossOriginIsolated pages to use popup-based >>>>>>>>>>>>>>>> OAuth/payment flows, we plan to have COOP >>>>>>>>>>>>>>>> same-origin-allow-popups enable >>>>>>>>>>>>>>>> crossOriginIsolation when used in conjunction with COEP. >>>>>>>>>>>>>>>> Developers who >>>>>>>>>>>>>>>> depend on popups to 3P for e.g. identity or payment flows >>>>>>>>>>>>>>>> can’t currently >>>>>>>>>>>>>>>> deploy cross-origin-isolation. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Spec work is ongoing and we’re targeting Q2 2022 for the OT >>>>>>>>>>>>>>>> and Q3 for the shipping. As soon as the spec is defined, we’ll >>>>>>>>>>>>>>>> kick off the >>>>>>>>>>>>>>>> intent process. Without this all sites need to migrate to >>>>>>>>>>>>>>>> FedCM and >>>>>>>>>>>>>>>> WebPayment for their flows to be able to use SABs. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 1. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Anonymous iframes >>>>>>>>>>>>>>>> <https://github.com/WICG/anonymous-iframe> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Anonymous iframes are a generalization of COEP >>>>>>>>>>>>>>>> credentialless to support 3rd party iframes that may not >>>>>>>>>>>>>>>> deploy COEP. Like >>>>>>>>>>>>>>>> with COEP credentialless, we replace the opt-in of cross-origin >>>>>>>>>>>>>>>> subresources by avoiding to load non-public resources. This >>>>>>>>>>>>>>>> will remove the >>>>>>>>>>>>>>>> constraint and will unblock developers to adopt >>>>>>>>>>>>>>>> cross-origin-isolation as >>>>>>>>>>>>>>>> soon as they’re embedding 3P iframes. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Based on the progress made for storage partitioning and >>>>>>>>>>>>>>>> CHIPs, which are needed to safely ship Anonymous iframes, >>>>>>>>>>>>>>>> we’re aiming to >>>>>>>>>>>>>>>> start the OT in Q2 2022 (M106) and the rollout in Q3 2022 >>>>>>>>>>>>>>>> (M110). >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Blink component >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Blink>JavaScript >>>>>>>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EJavaScript> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Search tags >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SharedArrayBuffer >>>>>>>>>>>>>>>> <https://chromestatus.com/features#tags:SharedArrayBuffer>, >>>>>>>>>>>>>>>> SAB <https://chromestatus.com/features#tags:SAB> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> TAG review >>>>>>>>>>>>>>>> https://github.com/w3ctag/design-reviews/issues/471 >>>>>>>>>>>>>>>> TAG review statusClosed >>>>>>>>>>>>>>>> RisksInteroperability and Compatibility >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> We expect this change to negatively impact developers using >>>>>>>>>>>>>>>> `SharedArrayBuffer` today. Chrome was the only platform where >>>>>>>>>>>>>>>> SABs have >>>>>>>>>>>>>>>> been available without COOP/COEP. Therefore we need to give >>>>>>>>>>>>>>>> developers the >>>>>>>>>>>>>>>> right capabilities and a clear path forward to ensure they’ve >>>>>>>>>>>>>>>> enough time >>>>>>>>>>>>>>>> to adopt. We aim to mitigate these risks by adopting a >>>>>>>>>>>>>>>> longer-than-usual >>>>>>>>>>>>>>>> depreciation period with console warnings/issues and a reverse >>>>>>>>>>>>>>>> origin >>>>>>>>>>>>>>>> trial. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Good news is usage is down to ~0.36% >>>>>>>>>>>>>>>> <https://chromestatus.com/metrics/feature/popularity#V8SharedArrayBufferConstructedWithoutIsolation> >>>>>>>>>>>>>>>> page loads and that other browsers have or are shipping >>>>>>>>>>>>>>>> SABs again gated behind COOP/COEP. Bad news is that Chromium >>>>>>>>>>>>>>>> was the only >>>>>>>>>>>>>>>> browser that supported SABs without COI, therefore we need to >>>>>>>>>>>>>>>> provide a >>>>>>>>>>>>>>>> migration path to not break existing sites such as Zoom or >>>>>>>>>>>>>>>> Google Earth. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Gecko: Shipped/Shipping ( >>>>>>>>>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1312446) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> WebKit: Added COOP/COEP and SAB support recently gated >>>>>>>>>>>>>>>> behind COOP/COEP >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> No - This OT is only for desktop, as this was the only >>>>>>>>>>>>>>>> platform where SABs have been available without COOP/COEP. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Android re-enabled SABs gated behind COOP/COEP: >>>>>>>>>>>>>>>> https://chromestatus.com/feature/5171863141482496 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Tracking bug >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1144104 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Launch bug >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1138860 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Blink-dev Thread >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Planning isolation requirements (COOP/COEP) for >>>>>>>>>>>>>>>> SharedArrayBuffer >>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/_0MEXs6TJhg/m/QzWOGv7pAQAJ> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I2S >>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/1NKvbIj3dq4/m/nLcgUst-BQAJ> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://chromestatus.com/feature/4570991992766464 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>>> from it, send an email to [email protected]. >>>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBN2JhcYtpT4UYKcAfHt1e0Wz_Uxz0CkXcAntguhbmyNCA%40mail.gmail.com >>>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBN2JhcYtpT4UYKcAfHt1e0Wz_Uxz0CkXcAntguhbmyNCA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails >>>>>>>>>>>>>>> from it, send an email to [email protected]. >>>>>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_HkK7R3fA0pyGUm8MNjbqoBR54XrQZWKeD464qb6JNhA%40mail.gmail.com >>>>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_HkK7R3fA0pyGUm8MNjbqoBR54XrQZWKeD464qb6JNhA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>>>> . >>>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>>>> it, send an email to [email protected]. >>>>>>>>>>>>> >>>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BN6QZsiRA7SaCapgRDnnGC7RNFZ82NRW_xadxOm4e0xNLJuNA%40mail.gmail.com >>>>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BN6QZsiRA7SaCapgRDnnGC7RNFZ82NRW_xadxOm4e0xNLJuNA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>>>> . >>>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>> it, send an email to [email protected]. >>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/df3c52f6-d928-404f-9d92-740edba62502n%40chromium.org >>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/df3c52f6-d928-404f-9d92-740edba62502n%40chromium.org?utm_medium=email&utm_source=footer> >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>>> send an email to [email protected]. >>>>>>>>>> To view this discussion on the web visit >>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9dUzHffPmitk5iv%2BvKx03_6bmf9WUp6%2BKShMgyEY8xqw%40mail.gmail.com >>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9dUzHffPmitk5iv%2BvKx03_6bmf9WUp6%2BKShMgyEY8xqw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>> -- >>>>>>>>> You received this message because you are subscribed to the Google >>>>>>>>> Groups "blink-dev" group. >>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>> send an email to [email protected]. >>>>>>>>> To view this discussion on the web visit >>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNs_nxh5pKgV_W2%3DNufRsrU_LA7CW-tso_0uJm3Aswy0g%40mail.gmail.com >>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBNs_nxh5pKgV_W2%3DNufRsrU_LA7CW-tso_0uJm3Aswy0g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>> . >>>>>>>>> >>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to [email protected]. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw84WJS-Vt4S8%2BiRuHqZZaGaP58MCNCo3sCJoH%3DwxN%2BmBg%40mail.gmail.com >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw84WJS-Vt4S8%2BiRuHqZZaGaP58MCNCo3sCJoH%3DwxN%2BmBg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to [email protected]. >>>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBO1%3D_WbDvMZ9oWQV01MgQ0J272G0FqCvdmgcbTEr5U4Nw%40mail.gmail.com >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBO1%3D_WbDvMZ9oWQV01MgQ0J272G0FqCvdmgcbTEr5U4Nw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to [email protected]. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWBZMRp%3DzYqC_%2Ba9BGD0%3D%2Bzi_1NUxd4MgFno7MSPG%2BzWA%40mail.gmail.com >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWBZMRp%3DzYqC_%2Ba9BGD0%3D%2Bzi_1NUxd4MgFno7MSPG%2BzWA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfUTTamjCT0tg5S4wG2fVAJ06wGuMuap0GzurfHgzRqocg%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfUTTamjCT0tg5S4wG2fVAJ06wGuMuap0GzurfHgzRqocg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWZqjxDfnOk8-dwcheJ%3D%2ByX1F_wf5xtP-OiigWAyZgfbQ%40mail.gmail.com.
