Portals #331
Comments
|
On our f2f agenda for Wednesday 6-Feb. |
|
We had a 45-minute discussion of this at our Tokyo face-to-face (Wednesday 2019-02-06, 14:35 to 15:20); the minutes should be available tomorrow. One of the outcomes was that we're hoping to get a little more information added to the explainer that we'll then read and probably have some more feedback on. We'll want to come back to this at some point in the future. |
dbaron
added
the
Progress: pending external feedback
|
I think a few of the things we discussed were:
|
|
Thanks for the feedback. I've looked through the notes, and would like to address some of the points discussed:
|
That sounds like a privacy showstopper for browsers that try to limit cross-site tracking. |
|
I’m assuming the concern is about cross-site tracking through mechanisms like URL query parameters? (I’ve seen Facebook do this.) (Since window isn’t exposed, seems like this would be the easiest mechanism to exploit) |
|
@cynthia To expand on this a bit: The portal host can send any information it wants to the Why is that a problem? Many browsers deny access to cookies and other state in a third-party context, including cross-origin So if a site passes info to an Per @lucasgadani, the plan for (This concern does not apply to browsers that lack any built-in on-by-default tracking protection, such as Chrome.) |
|
Thanks for the feedback @othermaciej. I completely agree with you that browsers that already support tracking protection through a storage API should continue to do so inside a portal. In fact, this is something we have described in the explainer. That said, as you mentioned, Chrome does not currently have any built-in tracking protection, and given that our implementation is on top of Chromium, we are trying to keep our scope manageable, so we are not tackling the storage access just yet on our implementation. At this point, our main focuses are:
|
|
It seems to me that third-party content inside a portal could be restricted in a similar way to third-party iframes in those UAs, as long as those restrictions could be lifted on activation. If I understand correctly, WebKit's mechanism does have a way of lifting storage access restrictions at runtime already. Do you think it would be fundamentally incompatible with this approach? |
|
@jeremyroman Unfortunately, I think restricting in a portal and then lifting those restrictions on promotion is not workable. So this would remain a showstopper for Safari (and maybe Firefox too, not sure of their tracking protection details these days). To expand a bit: we have a way of lifting storage restrictions based on an API call for the site, with user consent (it pops up an alert). It's called Storage Access API. Mozilla also implements this API. Lifting storage restrictions transparently without any interaction by the site would likely not work. Sites would get a mix of data from different storage partitions if they were not prepared for this happening. Or they might see only the stale info. The site has to know to reload the relevant state, which is why we ask embeds to opt into this. Based on this, auto-promoting portals to unrestricted storage when they get promoted to full screen is likely not viable. |
|
@othermaciej As I understand it, Safari's model allows for certain interactions (like a user gesture, conditionally paired with a user prompt) to change the UA's answer as to whether storage access should be granted to content which was loaded in a third-party context, and an API for authors to indicate that the document is prepared for a change in its storage access. Portal activation is conceptually similar to navigating the browsing context (possibly cross-origin), and as I understand it Safari's model does grant storage access to the document that is navigated to. Given that, would something like this work (deferring the actual access change until the document requests it)? onload = async function() {
const supportsStorageAccessApi = !!document.hasStorageAccess;
const canPersonalize = !supportsStorageAccessApi || await document.hasStorageAccess();
if (canPersonalize)
populateWithPersonalizedContent();
else
populateWithGenericContent();
};
onportalactivate = async function() {
if (hasBeenPersonalized || window.portalHost)
return;
// This was activated into a top-level context, so the UA can
// reasonably approve this storage request without prompt.
await document.requestStorageAccess();
populateWithPersonalizedContent();
};There's a more uncommon case in which a nested portal is promoted into a context which is first-party to the top-level context (A->B->A becomes A->A) where it might be useful for the author to be able to request storage access but accept a silent refusal instead of triggering a user prompt, but I don't see that case being common at all. |
|
@jeremyroman I am not sure if I fully understand what your script is trying to do, sorry. I think you are suggesting that webpages could be modified to request storage access when promoted from a portal to top level, and that access could be always granted and without the need for a user action or user consent. This wouldn't confuse those pages with unexpected mixes of storage. But it also wouldn't work in unmodified webpages. They would end up always stuck on restricted/partioned storage even after promotion, even in this implied proposal. Remaining stuck on the partitioned storage is also a privacy risk, because it would give what appears to be a top level page access to a partitioned storage in a particular domain. A site could rewrite itself to always use immediately activated portals to effectively gain cross-site tracking capability. The one thing I can think of that might work for privacy purposes is to completely deny all storage access (even cookies) while in the portal, but allow the site to request storage access on activation as you suggest. I am not sure of the web compatibility of this approach. |
Yes, this is what I'm suggesting.
Yes, it wouldn't be transparent to unmodified documents. This isn't the only way in which a document may have its context meaningfully changed by transitioning from being embedded to not, so we're still contemplating whether content should have to opt-in to being loaded in a portal context (which reduces surprise, since it gives a signal that authors have given some thought to the consequences), or opt-out (for reasons similar to frames, content must be able to refuse to be embedded).
I admit I don't really understand how what you're proposing here would allow pervasive tracking, but if so, having the UA choose to provide no storage access instead of partitioned storage in such cases seems like a viable approach to me. |
|
So one of the recent additions to the explainer was:
This doesn't seem sufficient for anything that works by keying storage to the pair of the toplevel origin and the frame origin (known as "double-keying"). I'm not sure which (if any) browsers use double-keying today for which kinds of storage, but it's certainly been something that's been discussed in the past. This would break double-keying because it would transition script from being in one pair to another, and allow matching the storage from one to the storage from another. I don't see an obvious solution to this within the double-keying model. Additionally, I still don't think the explainer answers the key question of how this differs from I don't think we necessarily expect complete answers at this stage of the design, but if not answers it would be good to at least understand your current intentions and how you plan to make those decisions. I agree that using a new element name rather than an attribute is convenient since it means you don't have to worry about the portal-ness changing dynamically; however, there are certainly other ways to restrict dynamic changes. And it still seems quite concerning given how much this has in common with |
|
How are you going to handle all of these, like feature-policy, as pointed out by @dbaron above. We are a bit afraid that this feature will land and it will be a multi-year effort to make it integrate properly in the web platform, similarly to I think that you can calm our nerves by going through specs mentioning Like you need to define how this works for browsing contexts: Also check all cases involving |
|
Apologies that we haven't been more responsive in this discussion recently. We do realize that there are significant unresolved issues here (including whether the feature ought to be exposed as a new tag name or be controlled by a content attribute on the existing We intend to follow up on these concerns shortly, and though we are experimenting with the feature in Chrome, we have no intention of shipping with this feedback unaddressed. |
|
To @kenchris's point, I want to note that in my role as HTML spec editor, I've been really, really happy and excited about the idea of portals as "iframes done right". Although popular articles or explainers may focus on the flashy features like transitioning the URL bar or adopting your predecessor, @jeremyroman and others have put a lot of thought into the foundations. For a spec that is still in the experimentation stages, it's quite solid and integrates well with existing primitives. For an example of what I mean by "iframes done right", iframes have many features that complicate their model. Those features can be convenient at times, but in my opinion don't pull their weight for the complexity they add. The biggest of these is synchronous access to the framed document. This has caused huge spec complexity, security, and implementation hurdles, which we are still sorting out today. Portals omit that, in favor of simple postMessage-based communication. Other such features are things like srcdoc, the observable initial about:blank transition, the weird load event (still buggy), etc. I do think there are still some things that need porting, such as the story around feature policy/sandbox. But even that will be a simplification opportunity, most likely; instead of allow + allowfullscreen + allowpaymentrequest + sandbox, I'm hopeful we'll have something more coherent and unified. Finally, the biggest missing piece is session history integration, tracked at WICG/portals#19. That will affect things like "fully active", indeed. This is complicated by known issues with the session history spec. Perhaps more generally, there are probably other things where the notion of "nested browsing contexts" should apply to portal browsing contexts as well (e.g. update the rendering?). Portals add more complexity here on top of iframes due to the activation possibilities. Still, I am confident that because portals allow us to start with a clean slate, and because they decrease the synchronous observable interactions, the editors will be able to find and spec a model that works well. I hope this helps! |
|
Here is an expanded explanation of our current thinking on the question of introducing a new |
|
This issue is still marked as "pending external feedback", but I believe we have replied to the concerns raised. Are there further issues we need to address before TAG can take another look? |
alice
added
Progress: in progress
and removed
Progress: pending external feedback
|
Discussed at our Tokyo F2F. We keep coming back to the element vs attribute discussion, some of the reasons we've heard about the need for a new element seem to stem from implementation difficulty. We feel that those reasons violate the priority of constituencies, by putting implementation concerns before those of authors. Regarding the notion of iframe's "done right", we accept the fact that iframes have a lot of baggage. If the real need here is to fix iframes, then let's fix iframes. Perhaps we should be creating a new element (or set of interfaces) that can serve as the base class for embedded content with a simplified model. Then special case elements that provide extra behaviors and properties serving the various use cases for iframes can be built on top of that model in a cleaner fashion. Rather than build yet another higher-level special element with a bunch of unique attributes, we'd rather see a layered approach that exposes the various primitives and needs of embedded content in its different forms. |
|
Discussed again at our Cupertino F2F with @hober, @dbaron, and myself. We feel that we had a good discussion with you, while in Tokyo last, about our concerns with the current state of the proposal and the direction we'd like this to take instead. We're going to close this issue for now, please ping us to reopen or file a new one when the next steps are ready for review. |
ylafon
added
Resolution: timed out
こんにちはTAG!Bonjour le TAG!
I'm requesting a TAG review of:
Further details (optional):
You should also know that...
We'd prefer the TAG provide feedback as (please select one):
The text was updated successfully, but these errors were encountered: