LGTM2 - kudos to the team for the very detailed compat and risk
analysis, as well as proactively engaging in outreach. Good luck. :)
On 5/3/23 6:59 AM, Yoav Weiss wrote:
LGTM1
Thanks for the detailed analysis. The rollout plan seems reasonable,
and the low effective breakage gives me hope that this would stick.
On Friday, April 28, 2023 at 10:26:20 PM UTC+2 Ayu Ishii wrote:
Contact emails: [email protected], [email protected]
Specification: https://www.w3.org/TR/webdatabase
Design docs:
https://developer.chrome.com/blog/deprecating-web-sql
[Google Internal]
https://docs.google.com/document/d/1bTj_nDqbdvE102sCm3KuwvN5c_HneLNPl9mmPeUjG4M/edit?usp=sharing
[Google Internal]
https://docs.google.com/document/d/1CDdEO65pCIo60NM8CWHNNN7EunJ-wd8v1dGUxTOBJrM/edit?resourcekey=0-R0fxP199QQ-8gnMqzmQyrw
Summary
The Web SQL Database standard was first proposed in April
2009 and abandoned in November 2010. It was implemented in WebKit
in 2008 and shipped in Chrome and Safari, on both desktop and
mobile. Gecko and EdgeHTML never implemented this feature and
WebKit unshipped it in 2019. The W3C encouraged those needing web
databases to adopt Indexed Database.
Since its release, it has been incredibly difficult to keep our
users secure. SQLite was not designed to run untrusted SQL
statements, and yet with Web SQL we have to do exactly this.
Keeping up with security and stability fixes dictates updating
SQLite in Chromium and impacts the feature’s stability. In 2022
alone, we updated SQLite 11 times. This comes in direct conflict
with Web SQL’s requirement of behaving exactly as SQLite 3.6.19,
and with the lack of a SQL specification in Web SQL, we cannot
make any such compatibility guarantees.
With SQLite WASM
<https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> as
an effective replacement for web developers requiring a relational
database, we would like to remove Web SQL entirely.
Target timeline
M101-123 - Enterprise Policy
<https://chromeenterprise.google/policies/#WebSQLAccess>
M115 - Add deprecation message
M118-123 - Deprecation trial
M119 - Ship removal
Usage and Risk
Overall usage still shows a high percentage of 0.34% of page loads
<https://chromestatus.com/metrics/feature/timeline/popularity/2962>,
however our analysis has concluded that very little usage is for
actual storage.
Through analyzing sites from HTTPArchives, we found a majority of
its usage is from outdated incognito detection
<https://stackoverflow.com/questions/48169810/how-to-detect-private-browsing-in-ios-11-safari-as-well-as-older-versions-of-sa> (e.g.
Criteo <https://static.criteo.net/js/ld/ld.js>, Reddit
<https://gist.github.com/ayuishii/b64b9c41152940089f8ac480f82d4e3e>),
and fingerprinting (e.g. Fingerprintjs
<https://github.com/fingerprintjs/fingerprintjs>, evercookie
<https://github.com/samyk/evercookie>).
There are JS storage libraries that became popular around the time
that Web SQL was introduced which use the feature. Oftentimes
their usage is part of a fallback chain, where on modern browsers
other storage technologies like localStorage or IndexedDB would be
chosen before Web SQL. Examples of such libraries are localForage
<https://github.com/localForage/localForage>,
cordova-sqlite-storage
<https://github.com/storesafe/cordova-sqlite-storage>, Sencha
Touch
<https://docs.sencha.com/touch/2.4/2.4.2-apidocs/#!/api/Ext.data.proxy.Sql>.
Many, like localForage and cordova-sqlite-storage, gate its usage
on feature detection due to its availability only on Chromium
browsers. However older versions of Sencha Touch look as though
they may not have been gated. Sencha Touch has since removed its
SQL feature which depends on Web SQL in their version released in
2015
<https://docs.sencha.com/extjs/6.0.0/guides/upgrades_migrations/modern_upgrade_guide.html#upgrades_migrations-_-modern_upgrade_guide_-_ext_data_proxy_sql_has_been_removed>.
Our conclusion from our HTTPArchives analysis
<https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.tmke6f1n07cr> is
that we were only able to identify one site that is not gated by
feature detection, and one site with significant breakage. We’ve
notified open source libraries of Web SQL deprecation, and plan to
reach out to site owners we’ve classified as breakage.
Analyzing extensions usage, we’ve identified 74% of extensions
that use Web SQL
<https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.rxdibl42y942> are
from JS storage libraries like localForage
<https://github.com/localForage/localForage> and
cordova-sqlite-storage
<https://github.com/storesafe/cordova-sqlite-storage>. However
there were a higher number of usages that rely on Web SQL heavily
<https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.hrkiilgxtp1y>,
and many that are not gated by feature detection
<https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.vw9prsbuovyq> as
well. We have identified these extensions and plan to contact the
developers on this deprecation.
Further analysis for the web platform and extensions can be found
in our public facing Web SQL usage analysis doc
<https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit?usp=sharing>.
For those that would need to migrate, we expect a significant
amount of work will be required. Therefore we would like to show
deprecation messages early, and make a long deprecation trial
available to allow developers to plan for their migration before
full removal. We’ve provided steps for testing Web SQL removal for
a website
<https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing>,
and a guide to SQLite WASM
<https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> and
for migrating a database
<https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> for
developers to follow to start their migration.
Communications
What we’ve done so far:
* Worked with internal partners to move major products off of
  Web SQL (Completed in 2022)
* Communicated to edu/enterprise partners of its planned removal
  (Aug, 2022)
  o No usages found from this process
* Communicated with known external partners using Web SQL on its
  planned removal
  o All on board with migrating to WASM + SQLite
* Published an article on the state of Web SQL and its
  deprecation
  <https://developer.chrome.com/blog/deprecating-web-sql/> (Aug,
  2022)
* Published an article on its recommended replacement, SQLite
  WASM
  <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> (Jan,
  2023)
* Removed Web SQL in third party contexts in M97
* Removed Web SQL in non-secure contexts in M110
* Published an article for migrating a database from Web SQL to
  SQLite Wasm
  <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> (Mar,
  2023)
* [InProgress] Communicate to identified developers in
  extensions / HTTPArchives usage
Related Intents
Intent to Deprecate and Remove Web SQL in 3rd Party Contexts
<https://groups.google.com/a/chromium.org/g/blink-dev/c/TM6YDx1Hh08>
Intent to Deprecate and Remove Web SQL in Non-Secure contexts
<https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/xdcl4yc8Ihk>
Blink component Blink>Storage>Web SQL
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3EWebSQL>
Search tags Web SQL <https://chromestatus.com/features#tags:websql>
Risks
Interoperability and Compatibility
Removing Web SQL will align
Chromium based browser behavior to all other browser engines.
Currently Chromium is the only browser engine that supports Web
SQL. Because of this, most websites gate the usage of Web SQL by
feature detection.
Gecko: N/A Never implemented
WebKit: Unshipped
(https://github.com/WebKit/WebKit/commit/761bce943c0696a6bb93116eb0576ed07dbfdc65)
Removed in 2019
Web developers: N/A
Security
Currently SQLite in Chromium is updated very frequently,
sometimes in multiple consecutive milestones. The frequency is
defined by stability or security issues found in the SQLite
library. Bad security issues have historically surfaced such as
Magellan 2.0
<https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/> that
had been publicized in tech news in 2019, among others. The storage
team needs to respond quickly to these issues, and update the
library when issues are found with help from the SQLite team and
Release and Security TPMs.
Removing Web SQL will permanently remove the attack vector of
malicious SQL statements.
WebView application risks
While we see a 0.02% usage on WebView, we
are unable to verify the nature of this usage. However now that
Deprecation Trials are supported for WebView, we think the risk of
removal is significantly reduced.
Goals for Deprecation Trial
The goal for the deprecation trial is to allow for a 6 month
window after removal to let developers remove their usage of Web
SQL. We may extend this window depending on feedback from
participating developers. Our recommendation is for developers to
switch to SQLite compiled to WebAssembly backed by the Origin
Private File System. We’ve published guidance for this migration
<https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> in
our developer blog.
Debuggability
Planning to add a deprecation message in the console.
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes, removal in all
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No (Web SQL tested in web_tests
<https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/storage/websql/>)
DevTrial instructions
Steps on how to test your site with Web SQL removed.
https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing
Flag name web-sql-access
Requires code in //chrome? False
Tracking bug https://crbug.com/695592
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5134293578285056
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org?utm_medium=email&utm_source=footer>.
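
The difference between gated and ungated Web SQL usage that the usage analysis in this thread turns on, as an added example that is not part of the original messages or of any library named in them. The `env` objects are constructed stand-ins for `window`, and `pickBackend`, `ungatedOpen` and `removalImpact` are hypothetical names.

```javascript
// Constructed stand-ins for the browser global object (`window`),
// before and after Web SQL removal. Not taken from the thread.
const chromiumBeforeRemoval = {
  indexedDB: { open() {} },
  openDatabase: () => ({ transaction() {} }),
  localStorage: { setItem() {}, getItem() {} },
};
const chromiumAfterRemoval = {
  indexedDB: { open() {} },
  localStorage: { setItem() {}, getItem() {} },
};
// An environment where Web SQL is the only storage API on offer.
const webSqlOnly = { openDatabase: () => ({ transaction() {} }) };

// Gated fallback chain: probe each backend before touching it and prefer
// IndexedDB, so Web SQL is reached only where nothing better exists.
function pickBackend(env) {
  if (env.indexedDB && typeof env.indexedDB.open === "function") return "indexeddb";
  if (typeof env.openDatabase === "function") return "websql";
  if (env.localStorage && typeof env.localStorage.setItem === "function") return "localstorage";
  return "none";
}

// Ungated usage: calls openDatabase unconditionally, the pattern that
// breaks once the API is gone.
function ungatedOpen(env) {
  return env.openDatabase("app", "1.0", "app data", 2 * 1024 * 1024);
}

// Report how both patterns behave in a given environment.
function removalImpact(env) {
  const result = { backend: pickBackend(env), ungatedBreaks: false };
  try {
    ungatedOpen(env);
  } catch (err) {
    // A missing API surfaces as a TypeError (calling undefined).
    result.ungatedBreaks = err instanceof TypeError;
  }
  return result;
}
```

A `backend` of `"websql"` marks the case where data lives only in Web SQL and has to be migrated before removal; `ungatedBreaks: true` marks code that throws on load once the API is absent.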