Assess compatibility risk of using [SecureContext] #15
Comments
|
This is one of, I believe, two APIs on the platform which do explicit secure context checks instead of using [SecureContext]. This is causing minor integration problems for other features like prerendering. I think your argument in the OP indicates it'd be better to use [SecureContext]. That is, non-secure HTTP pages would be better off going down the "this browser does not suppport the API" path, and treating it similar to they do Firefox and Safari, instead of calling the API and getting surprised by a rejected promise. |
|
It’s been a while that argument was made so I’ll happily align with the modern convention that does not cause prerendering problems. |
|
To be clear, it's only causing minor problems for prerendering, and we can work around it. I think aligning would be ideal, but as always it's a tradeoff of how much effort it's worth, especially given potential compat risks. |
|
Non-secure HTTP usage is now at ~0.38% per https://www.chromestatus.com/metrics/feature/popularity#BatteryStatusInsecureOrigin Is that still too high to make this change? |
|
Oh, it looks like Blink doesn't implement the spec's secure context restriction at all, wow. So there are three possible behaviors:
That's... tricky. I guess my preference would be to remove the secure context restriction from the spec entirely, add a warning box pointing to this issue, and then as a separate effort, try to move the spec and implementation toward (3), if we think it's worth the engineering effort? |
|
The move to HTTPS across the web over the last ~4 years should mitigate the compat risk imposed on legitimate sites I raised in the OP back in 2017. Given this new data, I'd be supportive of the two-stage plan outlined by @domenic. @domenic, do you want to amend #30 to align with the implementation and get it all reviewed at once? Can take another PR too. Can you also get Blink owners sign-off for the plan? Thanks for your efforts in modernizing this spec! |
|
I've amended #30 in such a way!
Probably the best way to do that is with an Intent to Ship; I don't have any special powers there. I suspect they'd like to see some analysis of what type of breakage this would cause, e.g. looking at the sites listed in https://www.chromestatus.com/metrics/feature/timeline/popularity/2199 per HTTPArchive in a [SecureContext] build and seeing if they are visibly broken. |
|
@domenic thanks! Let’s see if I can summon @mounirlamouri to review #30. He might have some thoughts on the ItS. |
|
I support announcing a depreciation schedule for non-SecureContext access to the |
|
cc @timvolodine as OWNER of third_party/blink/renderer/modules/battery in Blink. I can try to do that myself otherwise. |
|
Latest update: starting with Chromium M99 (or maybe M100, depending on what the API owners there say), the browser will show a deprecation warning whenever the Battery Status API (i.e. chromestatus.com entry, blink-dev discussion From a spec and web-platform-tests perspective, I wonder if it makes sense to update things immediately or somehow make the changes more in sync with Blink, which is the only engine implementing this API at the moment. This would mean landing any changes adding |
|
From a W3C process perspective, we’d land the spec and w-p-t changes as soon as there’s consensus in the WG. We seem to be good on that front: the issue has been open since 2017, discussed at our meetings, and we’ve had a warning in https://www.w3.org/TR/battery-status/#extensions-to-the-navigator-interface for a year with no push back for the proposal. OTOH, if it is problematic to have Chromium w-p-t show some red until the Blink patches land, we can also consider other options, such as land spec changes now and coordinate w-p-t with Blink. Per our charter, we will follow a test as you commit approarch for CR and above. Recommended, but not mandatory for earlier maturity levels. In any case, I think we should include a note to the spec about this deprecation. Thanks for working on this, @rakuco! |
Yep, that's what I was thinking. I was asking about this because even though the chance is small, there's still the possibility that there is pushback between Chrome 99 and 102 and we are forced to rethink the deprecation and [SecureContext] change in Blink, in which case the spec would remain out of sync with its only implementation for an indefinite period of time. |
|
In that scenario, it is possible to revert the spec and w-p-t changes in this particular case. I hope we don’t need to since we’ve done our homework. But we know from past experience that with deprecations there can be surprises. With multiple implementations or more complex change/interactions this would be a more involved process. |
This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15.
This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15.
…face. In other words, stop exposing this API to insecure origins. This has been discussed since at least 2016 (see #5). #11 made access from an insecure origin throw a SecurityError at a time when the `[SecureContext]` Web IDL extended attribute was not widespread. Unfortunately, the spec change was not accompanied by a change in the implementation(s) and, to this day, Blink's implementation (the only remaining one) continues to expose the API to insecure origins. Years later, #30 was added in the context of the discussions in #15 where it was noted that the spec was still manually throwing a SecurityError when checking if it was called by a secure origin. Besides stopping throwing a SecurityError (which was never implemented), #30 also recognized the current situation by noting that the API _should_ use `[SecureContext]` but did not because it only made sense to do so when the implementation was updated accordingly. This change finally adds `[SecureContext]` to the spec's Web IDL because I am also handling the Blink implementation [1][2]: starting with Chrome 99, users will be warned that using the Battery Status API in an insecure origin is deprecated, and starting with Chrome 103 doing so will no longer be possible. [1] https://chromestatus.com/feature/4878376799043584 [2] https://groups.google.com/a/chromium.org/g/blink-dev/c/w80tJL8uEV8/m/PfrHlvtgAgAJ From a testing perspective, there isn't much to be done: - web-platform-tests/wpt#5871 changed the existing tests to run in HTTPS. - web-platform-tests/wpt#32556 removed the test for the SecurityError exception that never passed. Fixes #15
…face. In other words, stop exposing this API to insecure origins. Even though this API is not new, it provides user information that, transmitted insecurely, can pose a risk to user privacy. See https://w3ctag.github.io/design-principles/#secure-context for more information on the guidelines we are trying to follow. This has been discussed since at least 2016 (see #5). #11 made access from an insecure origin throw a SecurityError at a time when the `[SecureContext]` Web IDL extended attribute was not widespread. Unfortunately, the spec change was not accompanied by a change in the implementation(s) and, to this day, Blink's implementation (the only remaining one) continues to expose the API to insecure origins. Years later, #30 was added in the context of the discussions in #15 where it was noted that the spec was still manually throwing a SecurityError when checking if it was called by a secure origin. Besides stopping throwing a SecurityError (which was never implemented), #30 also recognized the current situation by noting that the API _should_ use `[SecureContext]` but did not because it only made sense to do so when the implementation was updated accordingly. This change finally adds `[SecureContext]` to the spec's Web IDL because I am also handling the Blink implementation [1][2]: starting with Chrome 99, users will be warned that using the Battery Status API in an insecure origin is deprecated, and starting with Chrome 103 doing so will no longer be possible. [1] https://chromestatus.com/feature/4878376799043584 [2] https://groups.google.com/a/chromium.org/g/blink-dev/c/w80tJL8uEV8/m/PfrHlvtgAgAJ From a testing perspective, there isn't much to be done: - web-platform-tests/wpt#5871 changed the existing tests to run in HTTPS. - web-platform-tests/wpt#32556 removed the test for the SecurityError exception that never passed. Fixes #15
…face. In other words, stop exposing this API to insecure origins. Even though this API is not new, it provides user information that, transmitted insecurely, can pose a risk to user privacy. See https://w3ctag.github.io/design-principles/#secure-context for more information on the guidelines we are trying to follow. This has been discussed since at least 2016 (see #5). #11 made access from an insecure origin throw a SecurityError at a time when the `[SecureContext]` Web IDL extended attribute was not widespread. Unfortunately, the spec change was not accompanied by a change in the implementation(s) and, to this day, Blink's implementation (the only remaining one) continues to expose the API to insecure origins. Years later, #30 was added in the context of the discussions in #15 where it was noted that the spec was still manually throwing a SecurityError when checking if it was called by a secure origin. Besides stopping throwing a SecurityError (which was never implemented), #30 also recognized the current situation by noting that the API _should_ use `[SecureContext]` but did not because it only made sense to do so when the implementation was updated accordingly. This change finally adds `[SecureContext]` to the spec's Web IDL because I am also handling the Blink implementation [1][2]: starting with Chrome 99, users will be warned that using the Battery Status API in an insecure origin is deprecated, and starting with Chrome 103 doing so will no longer be possible. [1] https://chromestatus.com/feature/4878376799043584 [2] https://groups.google.com/a/chromium.org/g/blink-dev/c/w80tJL8uEV8/m/PfrHlvtgAgAJ From a testing perspective, there isn't much to be done: - web-platform-tests/wpt#5871 changed the existing tests to run in HTTPS. - web-platform-tests/wpt#32556 removed the test for the SecurityError exception that never passed. Fixes #15
…face. (#51) In other words, stop exposing this API to insecure origins. Even though this API is not new, it provides user information that, transmitted insecurely, can pose a risk to user privacy. See https://w3ctag.github.io/design-principles/#secure-context for more information on the guidelines we are trying to follow. This has been discussed since at least 2016 (see #5). #11 made access from an insecure origin throw a SecurityError at a time when the `[SecureContext]` Web IDL extended attribute was not widespread. Unfortunately, the spec change was not accompanied by a change in the implementation(s) and, to this day, Blink's implementation (the only remaining one) continues to expose the API to insecure origins. Years later, #30 was added in the context of the discussions in #15 where it was noted that the spec was still manually throwing a SecurityError when checking if it was called by a secure origin. Besides stopping throwing a SecurityError (which was never implemented), #30 also recognized the current situation by noting that the API _should_ use `[SecureContext]` but did not because it only made sense to do so when the implementation was updated accordingly. This change finally adds `[SecureContext]` to the spec's Web IDL because I am also handling the Blink implementation [1][2]: starting with Chrome 99, users will be warned that using the Battery Status API in an insecure origin is deprecated, and starting with Chrome 103 doing so will no longer be possible. [1] https://chromestatus.com/feature/4878376799043584 [2] https://groups.google.com/a/chromium.org/g/blink-dev/c/w80tJL8uEV8/m/PfrHlvtgAgAJ From a testing perspective, there isn't much to be done: - web-platform-tests/wpt#5871 changed the existing tests to run in HTTPS. - web-platform-tests/wpt#32556 removed the test for the SecurityError exception that never passed. Fixes #15
…ests#32556) This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15.
…context.html., a=testonly Automatic update from web-platform-tests battery status: Remove battery-insecure-context.html. (#32556) This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15. -- wpt-commits: aa8ded0ca6ef536aa74719a73d7175499f0a2cd8 wpt-pr: 32556
…ests#32556) This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15.
…context.html., a=testonly Automatic update from web-platform-tests battery status: Remove battery-insecure-context.html. (#32556) This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15. -- wpt-commits: aa8ded0ca6ef536aa74719a73d7175499f0a2cd8 wpt-pr: 32556
…context.html., a=testonly Automatic update from web-platform-tests battery status: Remove battery-insecure-context.html. (#32556) This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15. -- wpt-commits: aa8ded0ca6ef536aa74719a73d7175499f0a2cd8 wpt-pr: 32556
…context.html., a=testonly Automatic update from web-platform-tests battery status: Remove battery-insecure-context.html. (#32556) This test does not reflect either the current spec or any implementation. w3c/battery#30 removed the bits from the spec that mandated throwing a SecurityError when the API was used in an insecure origin. Blink does not perform any checks for a security context anyway, although the plan is to switch spec and implementation to using [SecureContext] in the future, as tracked in w3c/battery#15. -- wpt-commits: aa8ded0ca6ef536aa74719a73d7175499f0a2cd8 wpt-pr: 32556
If we'd add
[SecureContext]topartial interface NavigatorandBatteryManageras is the current trend, we could drop the following prose:However, this would break any feature detection code that relies on checking the existence of properties or objects, e.g.:
I guess nearly everyone using this API must do some sort of feature detection.
My hunch is we want to close this issue as won't fix citing backward compatibility concerns.
Thoughts?
The text was updated successfully, but these errors were encountered: