LGTM1

Thanks for the detailed analysis. The rollout plan seems reasonable, and the 
low effective breakage gives me hope that this would stick.

On Friday, April 28, 2023 at 10:26:20 PM UTC+2 Ayu Ishii wrote:

> Contact emails [email protected], [email protected] 
>
> Specification https://www.w3.org/TR/webdatabase
>
> Design docs
> https://developer.chrome.com/blog/deprecating-web-sql
>
> [Google Internal] 
> https://docs.google.com/document/d/1bTj_nDqbdvE102sCm3KuwvN5c_HneLNPl9mmPeUjG4M/edit?usp=sharing
> [Google Internal] 
> https://docs.google.com/document/d/1CDdEO65pCIo60NM8CWHNNN7EunJ-wd8v1dGUxTOBJrM/edit?resourcekey=0-R0fxP199QQ-8gnMqzmQyrw
>
> Summary 
> The Web SQL Database standard was first proposed in April 2009 and 
> abandoned in November 2010. It was implemented in WebKit in 2008 and 
> shipped in Chrome and Safari, on both desktop and mobile. Gecko and 
> EdgeHTML never implemented this feature and WebKit unshipped it in 2019. 
> The W3C encouraged those needing web databases to adopt Indexed Database. 
> Since its release, it has been incredibly difficult to keep our users 
> secure. SQLite was not designed to run untrusted SQL statements, and yet 
> with Web SQL we have to do exactly this. Keeping up with security and 
> stability fixes dictates updating SQLite in Chromium and impacts the 
> feature’s stability. In 2022 alone, we updated SQLite 11 times. This comes 
> in direct conflict with Web SQL’s requirement of behaving exactly as SQLite 
> 3.6.19, and with the lack of a SQL specification in Web SQL, we cannot make 
> any such compatibility guarantees. 
> With SQLite WASM 
> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>  
> as an effective replacement for web developers requiring a relational 
> database, we would like to remove Web SQL entirely. 
>
> Target timeline
>
> M101 - 123 - Enterprise Policy 
> <https://chromeenterprise.google/policies/#WebSQLAccess>
>
> M115 - Add deprecation message
>
> M118-123  - Deprecation trial
>
> M119 - Ship removal
>
> Usage and Risk
>
> Overall usage still shows a high percentage of 0.34% of page loads 
> <https://chromestatus.com/metrics/feature/timeline/popularity/2962>, 
> however our analysis has concluded that very little usage is for actual 
> storage.
>
> Through analyzing sites from HTTPArchives, we found a majority of its 
> usage is from outdated incognito detection 
> <https://stackoverflow.com/questions/48169810/how-to-detect-private-browsing-in-ios-11-safari-as-well-as-older-versions-of-sa>
>  
> (e.g. Criteo <https://static.criteo.net/js/ld/ld.js>, Reddit 
> <https://gist.github.com/ayuishii/b64b9c41152940089f8ac480f82d4e3e>),  
> and fingerprinting (e.g. Fingerprintjs 
> <https://github.com/fingerprintjs/fingerprintjs>, evercookie 
> <https://github.com/samyk/evercookie>).
>
> There are JS storage libraries that became popular around the time that 
> Web SQL was introduced which use the feature. Oftentimes their usage is 
> part of a fallback chain, where on modern browsers other storage 
> technologies like localStorage or IndexedDB would be chosen before Web SQL. 
> Examples of such libraries are localForage 
> <https://github.com/localForage/localForage>, cordova-sqlite-storage 
> <https://github.com/storesafe/cordova-sqlite-storage>, Sencha Touch 
> <https://docs.sencha.com/touch/2.4/2.4.2-apidocs/#!/api/Ext.data.proxy.Sql>. 
> Many, like localForage and cordova-sqlite-storage, gate its usage on 
> feature detection due to its availability only on Chromium browsers. 
> However older versions of Sencha Touch look as though they may not have 
> been gated. Sencha Touch has since removed its SQL feature which depends on 
> Web SQL in their version released in 2015 
> <https://docs.sencha.com/extjs/6.0.0/guides/upgrades_migrations/modern_upgrade_guide.html#upgrades_migrations-_-modern_upgrade_guide_-_ext_data_proxy_sql_has_been_removed>
> .
>
> Our conclusion from our HTTPArchives analysis 
> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.tmke6f1n07cr>
>  
> is that we were only able to identify one site that is not gated by feature 
> detection, and one site with significant breakage. We’ve notified open 
> source libraries of Web SQL deprecation, and plan to reach out to site 
> owners we’ve classified as breakage.
>
> Analyzing extensions usage, we’ve identified 74% of extensions that use 
> Web SQL 
> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.rxdibl42y942>
>  
> are from JS storage libraries like localForage 
> <https://github.com/localForage/localForage> and cordova-sqlite-storage 
> <https://github.com/storesafe/cordova-sqlite-storage>. However there were 
> a higher number of usages that rely on Web SQL heavily 
> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.hrkiilgxtp1y>,
>  
> and many that are not gated by feature detection 
> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.vw9prsbuovyq>
>  
> as well. We have identified these extensions and plan to contact the 
> developers on this deprecation.
>
> Further analysis for the web platform and extensions can be found in our 
> public facing Web SQL usage analysis doc 
> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit?usp=sharing>
> .
>
> For those that would need to migrate, we expect a significant amount of 
> work will be required. Therefore we would like to show deprecation messages 
> early, and make a long deprecation trial available to allow developers to 
> plan for their migration before full removal. We’ve provided steps for 
> testing Web SQL removal for a website 
> <https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing>,
>  
> and a guide to SQLite WASM 
> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>  
> and for migrating a database 
> <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> for 
> developers to follow to start their migration. 
>
> Communications
>
> What we’ve done so far:
>
>    - Worked with internal partners to move major products off of Web SQL 
>      (Completed in 2022)
>    - Communicated to edu/enterprise partners of its planned removal (Aug, 
>      2022)
>       - No usages found from this process
>    - Communicated with known external partners using Web SQL on its planned 
>      removal
>       - All on board with migrating to WASM + SQLite
>    - Published an article on the state of Web SQL and its deprecation 
>      <https://developer.chrome.com/blog/deprecating-web-sql/> (Aug, 2022)
>    - Published an article on its recommended replacement, SQLite WASM 
>      <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>      (Jan, 2023)
>    - Removed Web SQL in third party contexts in M97
>    - Removed Web SQL in non-secure contexts in M110
>    - Published an article for migrating a database from Web SQL to SQLite 
>      Wasm <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> 
>      (Mar, 2023)
>    - [InProgress] Communicate to identified developers in extensions / 
>      HTTPArchives usage
>
> Related Intents
>
> Intent to Deprecate and Remove Web SQL in 3rd Party Contexts 
> <https://groups.google.com/a/chromium.org/g/blink-dev/c/TM6YDx1Hh08>
>
> Intent to Deprecate and Remove Web SQL in Non-Secure contexts 
> <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/xdcl4yc8Ihk>
>
> Blink component Blink>Storage>Web SQL 
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3EWebSQL>
> Search tags Web SQL <https://chromestatus.com/features#tags:websql>
> Risks
> Interoperability and Compatibility Removing Web SQL will align Chromium 
> based browser behavior to all other browser engines. Currently Chromium is 
> the only browser engine that supports Web SQL. Because of this, most 
> websites gate the usage of Web SQL by feature detection. 
> Gecko: N/A Never implemented
> WebKit: Unshipped 
> (https://github.com/WebKit/WebKit/commit/761bce943c0696a6bb93116eb0576ed07dbfdc65) 
> Removed in 2019
> Web developers: N/A
>
> Security Currently SQLite in Chromium is updated very frequently, 
> sometimes in multiple consecutive milestones. The frequency is defined by 
> stability or security issues found in the SQLite library. Bad security 
> issues have historically surfaced such as Magellan 2.0 
> <https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/> 
> that had been publicized in tech news in 2019, among others. The storage 
> team needs to respond quickly to these issues, and update the library when 
> issues are found with help from the SQLite team and Release and Security 
> TPMs.  
> Removing Web SQL will permanently remove the attack vector of malicious 
> SQL statements.   
> WebView application risks
> While we see a 0.02% usage on WebView, we are unable to verify the nature 
> of this usage. However now that Deprecation Trials are supported for 
> WebView, we think the risk of removal is significantly reduced. 
> Goals for Deprecation Trial
>
> The goal for the deprecation trial is to allow for a 6 month window after 
> removal to let developers remove their usage of Web SQL. We may extend this 
> window depending on feedback from participating developers. Our 
> recommendation is for developers to switch to SQLite compiled to 
> WebAssembly backed by the Origin Private File System. We’ve published 
> guidance 
> for this migration 
> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/>
>  
> in our developer blog.
>
> Debuggability Planning to add a deprecation message in the console.
> Will this feature be supported on all six Blink platforms (Windows, Mac, 
> Linux, Chrome OS, Android, and Android WebView)? Yes, removal in all
> Is this feature fully tested by web-platform-tests 
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>  
> No (Web SQL tested in web_tests 
> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/storage/websql/>)
>  
>
> DevTrial instructions Steps on how to test your site with Web SQL 
> removed.  
> https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing
>
> Flag name web-sql-access
> Requires code in //chrome? False
> Tracking bug https://crbug.com/695592
>
> Link to entry on the Chrome Platform Status 
> https://chromestatus.com/feature/5134293578285056
>
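
The feature-detection gating and storage fallback chain described in the quoted intent, as an added example (not code from the thread or from any library it names). `env` stands in for the browser global, and every function name here is hypothetical.

```javascript
// Added example, not from the thread. `env` stands in for the browser
// global (window/self); all function names here are hypothetical.

// True only if localStorage exists and accepts a write.
function hasWorkingLocalStorage(env) {
  try {
    const key = "__storage_probe__";
    env.localStorage.setItem(key, "1");
    env.localStorage.removeItem(key);
    return true;
  } catch (e) {
    return false; // missing, disabled, or over quota
  }
}

// Fallback chain: modern backends first, Web SQL last and only if present.
function pickStorageBackend(env) {
  if (typeof env.indexedDB === "object" && env.indexedDB !== null) return "indexeddb";
  if (hasWorkingLocalStorage(env)) return "localstorage";
  if (typeof env.openDatabase === "function") return "websql";
  return "memory";
}

// Ungated call: throws TypeError once openDatabase is removed.
function openUngated(env) {
  return env.openDatabase("app", "1.0", "app data", 1024 * 1024);
}

// Gated call: reports unavailability instead of throwing.
function openGated(env) {
  if (typeof env.openDatabase !== "function") {
    return { ok: false, reason: "Web SQL unavailable" };
  }
  try {
    return { ok: true, db: env.openDatabase("app", "1.0", "app data", 1024 * 1024) };
  } catch (e) {
    return { ok: false, reason: e.name }; // the call itself can still throw
  }
}

// Constructed environments: before and after removal.
const beforeRemoval = { openDatabase: () => ({ version: "1.0" }) };
const afterRemoval = {};
console.log(pickStorageBackend(beforeRemoval), pickStorageBackend(afterRemoval));
console.log(openGated(afterRemoval));
```

Running the page's own code paths against an object like `afterRemoval` is a quick way to find ungated calls before the removal ships.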
