-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Phasing out document.domain #829
Comments
@mikewest, in w3c/webappsec-secure-contexts#10 (comment) you wrote about existing features requiring secure contexts. Did you add use counters for that as you hoped? A generic With usage around 5% I must say I'm a bit skeptical that breaking |
@foolip this proposal is meant to be completely orthogonal to secure contexts. Perhaps at some point due to this existing for a while we can consider various optimizations, but for now this would only be about driving usage of |
If |
@foolip IIRC it's used by Facebook which is probably a large portion of that 5%. Their engineers have previously expressed that it's a low-priority work item for them to get rid of it. |
@domenic, right, so getting an idea of the usage excluding Facebook would be a top priority. Either by asking very nicely for them to not use it, or by counting them in a separate bucket. @bholley, if there are any partial goals along the way it'd be interesting to think about how to get there. To spell out my concern, I worry about speculative deprecation of bad APIs (like sync XHR) where the path to removal isn't at all clear. |
It's a low priority for Facebook (and others) because there's not an incentive for them to get rid of it. We could probably cajole Facebook, but I'm less optimistic about others (like, say, Ebay). The only reason people are using document.domain is because they find it more convenient than postMessage. The goal here is to add inconvenience to tilt the balance. I don't think there are any useful partial milestones. I think document.domain is probably more like showModalDialog and less like sync XHR - that is to say, it's more likely to be used system that are maintained (if potentially crusty). To be clear, document.domain is less of a security problem in Gecko than it is in other engines, and the biggest victim is probably the spec, which needs to bend over backwards to support it. So while I'm enthusiastic about deprecating it, I'm only interested in pursuing it if we have buy-in across the board. |
I note that a lot of these sites have independent scripts that all set |
Given the httparchive data, I think we should not disable new features when |
It sure looks like a lot of those hits are third-party scripts, mostly ads and widgets. The embedding page will have no control over these, and if they can't use some new features without dropping those scripts they'd probably not be too impressed by the incentives. Removing or somehow neutering the |
No, it would mean that authors would have to switch from document.domain at the same time they add the new feature, which is actually a quite reasonable request of them. |
I don't think it will seem very reasonable if there isn't a clear connection between the new API and |
We'd still like to get rid of document.domain, but rather than conflating that and secure contexts, that work has been split out into: whatwg/html#829 See also the discussion at: w3c#10
@foolip: I'm not scheming anything for Blink. Like @bholley, I see this as a really nice thing to do, but I don't have any urgent issue that's driving me towards drastic action. I think @briansmith is right, though; predicating new features on an old feature's deprecation seems like a reasonable thing to consider. If we do, however, perhaps we should be thinking bigger than |
The mechanism described in OP can easily be generalized to also cover |
Being able to somehow opt-in to disabling bad legacy features seems reasonable, so long as it doesn't prevent using new features in legacy sites that use third party scripts that happen to set |
@zcorpan that does not really drive down usage. Your position seems to be that sites won't migrate and instead do something that does not involve the web, but I wonder if that's really true. Those sites might get competitors that will migrate and offer better experiences due to these new APIs. They might themselves realize it's worth the cost. Mixed content blocking is also something we enforced because it's the right thing to do for security, but it also made some things harder to develop for. It's not super clear to me this is that much different. |
It would drive down usage if the opt-in becomes the de facto way of doing things, like today we have But I guess it's a balance act in how aggressive we want to be. If we're too aggressive, people are discouraged from developing for the Web. If we're not aggressive enough, things don't change. I don't have data but I have the impression that there are a number of things that are annoying with the Web platform already that discourages people from developing for it, so I want to be careful with making it worse. It's not black-or-white of course. |
@mikewest, I see, just checking for plans. How much of a problem is |
It causes at least one serious observable incompatibility between Gecko and Blink (Gecko revokes, Blink doesn't). Lack of revocation pretty much wrecks the same-origin policy when document.domain is involved, but the Blink folks aren't willing to redesign everything around such a dumb feature, and I don't blame them. It also required enormous amounts complexity and gymnastics when speccing cross-origin behavior over the last several years. In general, anything security-related on the Web always needs the caveat "but what about the document.domain case?"
You mean secure contexts? The problem with that, as some pointed out, is that usage of document.domain cannot be detected at load-time in the way that secure contexts can. So you have to a "using X disables Y and using Y disables X" sort of thing. So I agree at this point that we shouldn't tangle this up with secure contexts. As noted above, I would totally be in favor of disabling it for secure-contexts if we could detect it ahead of time, but we can't. So we probably need a separate mechanism. On the issue of document.domain being used by third-party etc outside of the page's control: one thing we could do would be to have an opt-in flag or somesuch that allows the page to proactively forbid deprecated features in its global. That would allow pages to opt-out of the guessing game and say "I want new hotness and will give up deprecated stuff". |
Hmm, yes! That's what appears to be used (in Blink) do allow or deny usage of powerful features like getUserMedia, even though https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features and the deprecation messages talk about secure and insecure origins.... This bit I don't understand:
I mean simply that an attempt to set |
Secure Contexts themselves aren't a new thing, only the labeling of them as such. There are pages from 15 years ago that would fit the newly-invented definition of Secure Context, and disabling document.domain in those situations would break them. The only way in which limiting document.domain deprecation to Secure Contexts would make the problem more tractable is that it would somewhat-arbitrarily slice the existing body of web content into a smaller subset. Secure Contexts don't identify pages that are less-likely to be broken by disabling document.domain, nor do we derive any unique security or simplicity benefits (that I can think of) from knowing that Secure Contexts never use document.domain. |
Isn't the problem with Of, course, it's possible that 100% of the usage already comes from secure contexts in which case it's no more tractable than before, one would have to measure to find out. But if that would be pointless and the project is to get from 5% usage down to 0.01% or so for removal, I think one has to try to push against existing usage as well. Assuming the half-life of deployments is one year, it'd otherwise take 9 years to get down to 0.01%. (Just making this up, I don't know what the decay rate is.) |
No, because it only becomes same-origin with other content that has explicitly set document.domain. Collaboration is opt-in, so we don't have the security problem you're implying. Rather, the problem with document.domain is two-fold:
|
Thanks @bholley, those are indeed entirely different concerns than what I inferred from w3c/webappsec-secure-contexts#10. The implementation complexity could only be shed by getting rid of the Going back to the original idea of gating new features on the non-usage of the What I think would be needed to make progress faster is to use data like #829 (comment) to work with the top users of this API. |
Note that based on the discussion so far I'm inclined to WONTFIX the issue in whatwg/storage I just linked. I'm personally still in favor of doing this even if it makes adoption of new features harder, since it does increase the security of the web, at least for those that opt to use these new features, but I can't move this mountain alone. |
Well, I haven't heard anyone say they're not interested in helping out - more just that this problem affects everyone uniformly, and in the really-annoying rather than showstopping kind of way. This means that everyone (at least you, me, and Mike) would love to see it go, but no implementor is volunteering to do something high-cost or high-risk in their engine to push it forward. That said, everyone seems willing to do something straightforward and sane if a plan is proposed. There have been two proposals so far: "Cool Kids Mode" (i.e. explicit opt-in to new stuff at the expense of old stuff) and "First-To-Use XOR" (using new feature X disables document.domain usage for the subtree, and vice-versa). I think the latter approach has some pretty serious downsides, namely that it allows changes in third-party scripts to break unrelated (and presumably more-important) functionality in the site. "Cool Kids Mode" is interesting, but is tantamount to versioning the web. It may be time for something like that though - not in the classic "Version X is no longer supported", but as a crutch to our efforts to phase-out support for certain features. If there are enough things we'd like to drop, a general-purpose mechanism here could be useful. Here's a strawman of what it could look like:
The nice thing about this mechanism is that it scales easily to handle any and all breaking changes that vendors want to make, without requiring authors to update existing sites. It's effectively just an additional carrot to aid the existing process of dropping old features when usage reaches a certain threshold. Again though, it probably only makes sense if we'd like to do more of this stuff. That may make sense if we expect the web platform to live a Very Long Time. |
I would expect people would auto-generate the year so it always shows the current year, which seems like it would defeat the purpose. |
Why would they do that? It doesn't seem to be in anybody's interest. Presumably if somebody is going to go to the trouble of generating this attribute, they'd have some concept of what it's for. |
This is the Web, people do stupid things without understanding what things are for all the time. Things we add to the Web should be robust against misuse, intentional or accidental... |
The system doesn't have to be perfect - it's all about moving the needle in the aggregate. Certainly open to counter-proposals though. |
I don't know nearly as much about this topic as you, so sorry if this makes no sense. As far as I understand the problem is not that a document can specify a different origin to use, but that it can change it in-place. What if you add a mechanism for specifying the domain declaratively before anything is loaded in the document? It could be processed similar to how < meta charset > is processed. That would not have the same problem? If such a new mechanism is added, maybe it could help drive down usage of the document.domain setter much faster, since it would be a trivial change for existing code using document.domain. If a document uses this new mechanism, it should make the document.domain setter a no-op, to support sites that use both mechanisms for backwards compatibility. Maybe it would be web compatible to add other restrictions such as only the first call to the setter would have an effect, and only before the load event. If so, it might be possible to change the behavior of the setter to for example reload the page with the new origin instead of changing it in-place. |
Per #829 (comment) it looks like much of the usage is in third party scripts, so they couldn't use a declarative mechanism. |
I'm going to close this since the proposal in OP went nowhere and later proposals seemed increasingly more unlikely to be successful. Fresh ideas welcome in new issues. |
Based on discussion in w3c/webappsec-secure-contexts#10 with @mikewest, @hillbrad, @bholley, and @jwatt, hereby a concrete proposal for how we could phase out document.domain usage for new features:
FurthestSameOriginBrowsingContext ( document )
DocumentDomainDisabler ( document, disable )
Note: [[DisableDocumentDomain]] does not have an initial value.
document.domain will have these steps:
New features will have these steps:
The Storage Standard would be an example of such a new feature. There may well be others. If this looks good I'm happy to work on a PR for HTML to put this infrastructure in place.
The text was updated successfully, but these errors were encountered: