Here's the PR that updates the removal timeline for the developer-facing article: https://github.com/GoogleChrome/developer.chrome.com/pull/6187.
On Wed, May 3, 2023 at 11:46 AM Ayu Ishii <[email protected]> wrote: > Thank you for the review & approvals! > We will update the thread if there are changes to the timeline. > > Best, > Ayu > > On Wednesday, May 3, 2023 at 8:40:35 AM UTC-7 Mike West wrote: > >> LGTM3. Good luck with the launch, I've been excited about this for a >> while and I'm looking forward to reducing our attack surface. >> >> -mike >> >> >> On Wed, May 3, 2023 at 3:21 PM Mike Taylor <[email protected]> >> wrote: >> >>> LGTM2 - kudos to the team for the very detailed compat and risk >>> analysis, as well as proactively engaging in outreach. Good luck. :) >>> On 5/3/23 6:59 AM, Yoav Weiss wrote: >>> >>> LGTM1 >>> >>> Thanks for the details analysis. The rollout plan seems reasonable, and >>> the low effective breakage gives me hope that this would stick. >>> >>> On Friday, April 28, 2023 at 10:26:20 PM UTC+2 Ayu Ishii wrote: >>> >>>> Contact emails [email protected], [email protected] >>>> Specification https://www.w3.org/TR/webdatabase >>>> Design docs >>>> https://developer.chrome.com/blog/deprecating-web-sql >>>> >>>> [Google Internal] >>>> https://docs.google.com/document/d/1bTj_nDqbdvE102sCm3KuwvN5c_HneLNPl9mmPeUjG4M/edit?usp=sharing >>>> [Google Internal] >>>> https://docs.google.com/document/d/1CDdEO65pCIo60NM8CWHNNN7EunJ-wd8v1dGUxTOBJrM/edit?resourcekey=0-R0fxP199QQ-8gnMqzmQyrw >>>> >>>> Summary The Web SQL Database standard was first proposed in April 2009 >>>> and abandoned in November 2010. It was implemented in WebKit in 2008 and >>>> shipped in Chrome and Safari, on both desktop and mobile. Gecko and >>>> EdgeHTML never implemented this feature and WebKit unshipped it in 2019. >>>> The W3C encouraged those needing web databases to adopt Indexed Database. >>>> Since its release, it has been incredibly difficult to keep our users >>>> secure. SQLite was not designed to run untrusted SQL statements, and yet >>>> with Web SQL we have to do exactly this. Keeping up with security and >>>> stability fixes dictates updating SQLite in Chromium and impacts the >>>> feature’s stability. In 2022 alone, we updated SQLite 11 times. This comes >>>> in direct conflict with Web SQL’s requirement of behaving exactly as SQLite >>>> 3.6.19, and with the lack of a SQL specification in Web SQL, we cannot make >>>> any such compatibility guarantees. >>>> With SQLite WASM >>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> >>>> as an effective replacement for web developers requiring a relational >>>> database, we would like to remove Web SQL entirely. >>>> >>>> Target timeline >>>> >>>> M101 - 123 - Enterprise Policy >>>> <https://chromeenterprise.google/policies/#WebSQLAccess> >>>> >>>> M115 - Add deprecation message >>>> >>>> M118-123 - Deprecation trial >>>> >>>> M119 - Ship removal >>>> >>>> Usage and Risk >>>> >>>> Overall usage still shows a high percentage of 0.34% of page loads >>>> <https://chromestatus.com/metrics/feature/timeline/popularity/2962>, >>>> however our analysis has concluded that very little usage is for actual >>>> storage. >>>> >>>> Through analyzing sites from HTTPArchives, we found a majority of its >>>> usage is from outdated incognito detection >>>> <https://stackoverflow.com/questions/48169810/how-to-detect-private-browsing-in-ios-11-safari-as-well-as-older-versions-of-sa> >>>> (e.g. Criteo <https://static.criteo.net/js/ld/ld.js>, Reddit >>>> <https://gist.github.com/ayuishii/b64b9c41152940089f8ac480f82d4e3e>), >>>> and fingerprinting (e.g. Fingerprintjs >>>> <https://github.com/fingerprintjs/fingerprintjs>, evercookie >>>> <https://github.com/samyk/evercookie>). >>>> >>>> There are JS storage libraries that became popular around the time that >>>> Web SQL was introduced which use the feature. Oftentimes their usage is >>>> part of a fallback chain, where on modern browsers other storage >>>> technologies like localStorage or IndexedDB would be chosen before Web SQL. >>>> Examples of such libraries are localForage >>>> <https://github.com/localForage/localForage>, cordova-sqlite-storage >>>> <https://github.com/storesafe/cordova-sqlite-storage>, Sencha Touch >>>> <https://docs.sencha.com/touch/2.4/2.4.2-apidocs/#!/api/Ext.data.proxy.Sql>. >>>> Many, like localForage and cordova-sqlite-storage, gate its usage on >>>> feature detection due to its availability only on Chromium browsers. >>>> However older versions of Sencha Touch look as though they may not have >>>> been gated. Sencha Touch has since removed its SQL feature which depends on >>>> Web SQL in their version released in 2015 >>>> <https://docs.sencha.com/extjs/6.0.0/guides/upgrades_migrations/modern_upgrade_guide.html#upgrades_migrations-_-modern_upgrade_guide_-_ext_data_proxy_sql_has_been_removed> >>>> . >>>> >>>> Our conclusion from our HTTPArchives analysis >>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.tmke6f1n07cr> >>>> is that we were only able to identify one site that is not gated by feature >>>> detection, and one site with significant breakage. We’ve notified open >>>> source libraries of Web SQL deprecation, and plan to reach out to site >>>> owners we’ve classified as breakage. >>>> >>>> Analyzing extensions usage, we’ve identified 74% of extensions that >>>> use Web SQL >>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.rxdibl42y942> >>>> are from JS storage libraries like localForage >>>> <https://github.com/localForage/localForage> and cordova-sqlite-storage >>>> <https://github.com/storesafe/cordova-sqlite-storage>. However there >>>> were a higher number of usages that rely on Web SQL heavily >>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.hrkiilgxtp1y>, >>>> and many that are not gated by feature detection >>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit#bookmark=id.vw9prsbuovyq> >>>> as well. We have identified these extensions and plan to contact the >>>> developers on this deprecation. >>>> >>>> Further analysis for the web platform and extensions can be found in >>>> our public facing Web SQL usage analysis doc >>>> <https://docs.google.com/document/d/18AGCT9YgfacSxZ5pPAkym6iUWGl72zVXkELKMQKnEPM/edit?usp=sharing> >>>> . >>>> >>>> For those that would need to migrate, we expect a significant amount of >>>> work will be required. Therefore we would like to show deprecation messages >>>> early, and make a long deprecation trial available to allow developers to >>>> plan for their migration before full removal. We’ve provided steps for >>>> testing Web SQL removal for a website >>>> <https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing>, >>>> and a guide to SQLite WASM >>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> >>>> and for migrating a database >>>> <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> for >>>> developers to follow to start their migration. >>>> >>>> Communications >>>> >>>> What we’ve done so far: >>>> >>>> - >>>> >>>> Worked with internal partners to move major products off of Web SQL >>>> (Completed in 2022) >>>> - >>>> >>>> Communicated to edu/enterprise partners of its planned removal >>>> (Aug, 2022) >>>> - >>>> >>>> No usages found from this process >>>> - >>>> >>>> Communicated with known external partners using Web SQL on its >>>> planned removal >>>> - >>>> >>>> All on board with migrating to WASM + SQLite >>>> - >>>> >>>> Published an article on the state of Web SQL and its deprecation >>>> <https://developer.chrome.com/blog/deprecating-web-sql/> (Aug, 2022) >>>> - >>>> >>>> Published an article on its recommended replacement, SQLite WASM >>>> >>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> >>>> (Jan, 2023) >>>> - >>>> >>>> Removed Web SQL in third party contexts in M97 >>>> - >>>> >>>> Removed Web SQL in non-secure contexts in M110 >>>> - >>>> >>>> Published an article for migrating a database from Web SQL to >>>> SQLite Wasm >>>> <https://developer.chrome.com/blog/from-web-sql-to-sqlite-wasm/> >>>> (Mar, 2023) >>>> - >>>> >>>> [InProgress] Communicate to identified developers in extensions / >>>> HTTPArchives usage >>>> >>>> >>>> Related Intents >>>> >>>> Intent to Deprecate and Remove Web SQL in 3rd Party Contexts >>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/TM6YDx1Hh08> >>>> >>>> Intent to Deprecate and Remove Web SQL in Non-Secure contexts >>>> <https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/xdcl4yc8Ihk> >>>> >>>> Blink component Blink>Storage>Web SQL >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3EWebSQL> >>>> Search tags Web SQL <https://chromestatus.com/features#tags:websql> >>>> Risks >>>> Interoperability and Compatibility Removing Web SQL will align >>>> Chromium based browser behavior to all other browser engines. Currently >>>> Chromium is the only browser engine that supports Web SQL. Because of this, >>>> most websites gate the usage of Web SQL by feature detection. >>>> Gecko: N/A Never implemented >>>> WebKit: Unshipped ( >>>> https://github.com/WebKit/WebKit/commit/761bce943c0696a6bb93116eb0576ed07dbfdc65) >>>> Removed in 2019 >>>> Web developers: N/A >>>> >>>> Security Currently SQLite in Chromium is updated very frequently, >>>> sometimes in multiple consecutive milestones. The frequency is defined by >>>> stability or security issues found in the SQLite library. Bad security >>>> issues have historically surfaced such as Magellan 2.0 >>>> <https://threatpost.com/google-chrome-affected-by-magellan-2-0-flaws/151446/> >>>> that had been publicized in tech news in 2019, among others.The storage >>>> team needs to respond quickly to these issues, and update the library when >>>> issues are found with help from the SQLite team and Release and Security >>>> TPMs. >>>> Removing Web SQL will permanently remove the attack vector of malicious >>>> SQL statements. >>>> WebView application risks While we see a 0.02% usage on WebView, we >>>> are unable to verify the nature of this usage. However now that Deprecation >>>> Trials are supported for WebView, we think the risk of removal is >>>> significantly reduced. >>>> Goals for Deprecation Trial >>>> >>>> The goal for the deprecation trial is to allow for a 6 month window >>>> after removal to let developers remove their usage of Web SQL. We may >>>> extend this window depending on feedback from participating developers. Our >>>> recommendation is for developers to switch to SQLite compiled to >>>> WebAssembly backed by the Origin Private File System. We’ve published >>>> guidance >>>> for this migration >>>> <https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system/> >>>> in our developer blog. >>>> >>>> Debuggability Planning to add a deprecation message in the console. >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, Chrome OS, Android, and Android WebView)? Yes, removal in >>>> all >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? >>>> No (Web SQL tested in web_tests >>>> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/storage/websql/>) >>>> >>>> DevTrial instructions Steps on how to test your site with Web SQL >>>> removed. >>>> https://docs.google.com/document/d/1EMJSmKDVGVv0sbsRDz1b8-tTkzv9yi4S30-rzEiK9AQ/edit?usp=sharing >>>> >>>> Flag name web-sql-access >>>> Requires code in //chrome? False >>>> Tracking bug https://crbug.com/695592 >>>> >>>> Link to entry on the Chrome Platform Status >>>> https://chromestatus.com/feature/5134293578285056 >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0b0f9e3a-c44a-4029-968b-5c3f2d77622fn%40chromium.org?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> >> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b2ba1236-353a-7492-9bbe-5ce92b15d070%40chromium.org >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b2ba1236-353a-7492-9bbe-5ce92b15d070%40chromium.org?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f1b57ff4-7b66-4587-a57a-fda643c8073fn%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f1b57ff4-7b66-4587-a57a-fda643c8073fn%40chromium.org?utm_medium=email&utm_source=footer> > . > -- Thomas Steiner, PhD—Developer Relations Engineer (https://blog.tomayac.com, https://twitter.com/tomayac) Google Germany GmbH, ABC-Str. 19, 20354 Hamburg, Germany Geschäftsführer: Paul Manicle, Liana Sebastian Registergericht und -nummer: Hamburg, HRB 86891 ----- BEGIN PGP SIGNATURE ----- Version: GnuPG v2.3.4 (GNU/Linux) iFy0uwAntT0bE3xtRa5AfeCheCkthAtTh3reSabiGbl0ck0fjumBl3DCharaCTersAttH3b0ttom. hTtPs://xKcd.cOm/1181/ ----- END PGP SIGNATURE ----- -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALgRrLm9EZPhGfRdHFvzYLR_bCMUfh2FLoiKOnweLcdB4bxF8Q%40mail.gmail.com.
