Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request Limit #87

Open
mingyc opened this issue Dec 1, 2023 · 70 comments
Open

Request Limit #87

mingyc opened this issue Dec 1, 2023 · 70 comments

Comments

@mingyc
Copy link
Collaborator

mingyc commented Dec 1, 2023

Open questions from last meeting:

  • How to limit: document-wide limit, tab-wide limit, limit per top-level origin, limit per reporting origin?
  • Total size limit: 64K for each reporting origins, overall quota for 640K for entire tab?
  • Permissions policy: default on or off?

Some concerns:

  1. Total limit should not be easily consumed/abused by a single origin
  2. Origin-specific info should not be leaked via quota consumption
  3. A single request can easily take up 50k (e.g. Boomerang)

Relevant Discussions: w3c/beacon#38 (comment)

@noamr @annevk @nicjansma @yoavweiss

@fergald
Copy link
Collaborator

fergald commented Dec 5, 2023

How about taking time into consideration? I'm not going to try to spec precisely here but at the high level:

  • a page that has been open for just a few seconds should have a small quota
  • a page that has been open for a longer time should have a larger quota
  • iframe quotas could grow more slowly than top-level frames
  • a permission-policy could "upgrade" an iframe to use the top-level quota

The gaols I'm trying to reach with this are:

  • recognize that if we don't make this usable, pages will just send eagerly with fetch() and/or use keep-alive
  • enabled by default for iframes to at least some extent
  • ability for the top-level frame to "promote" iframes to same status

@noamr
Copy link
Contributor

noamr commented Dec 5, 2023

How about taking time into consideration? I'm not going to try to spec precisely here but at the high level:

  • a page that has been open for just a few seconds should have a small quota
  • a page that has been open for a longer time should have a larger quota
  • iframe quotas could grow more slowly than top-level frames
  • a permission-policy could "upgrade" an iframe to use the top-level quota

The gaols I'm trying to reach with this are:

  • recognize that if we don't make this usable, pages will just send eagerly with fetch() and/or use keep-alive
  • enabled by default for iframes to at least some extent
  • ability for the top-level frame to "promote" iframes to same status

Maybe start with shipping something simpler and extend later?

@mingyc
Copy link
Collaborator Author

mingyc commented Feb 21, 2024

Pinging @yoavweiss @noamr

As the OT is started, we might want to continue this discussion.

@yoavweiss
Copy link
Collaborator

yoavweiss commented Feb 21, 2024

I'd love to hear @annevk's opinion on the options in the OP.

Let me try to clarify (for my own sake) the threat model this quota is protecting against.
Both top-level frames and iframes can use up network resources without any limitations while they are alive. IIRC, the claim was that users can notice this (unclear how - maybe by seeing that they are network constrained elsewhere) and close these tabs to stop that use, while they won't be able to do the same with fetchLater calls.

Hence, we're trying to protect against network abuse by any individual party on a particular site.

If our quotas were to span across frames, they are likely to end up leaking cross-origin state or enable interference with cross-origin activity, and may cause more harm than their presumed protection.

But if our quotas don't span across frames, abusers can easily circumvent them by creating more frames that send more data.

Given the above, my preference would be:

  • 64KB limit per reporting origin. 10 reporting origins per frame.
    • Given that the median mobile page is now at 2.2MB, ~30% of that can't possibly be considered abuse.
    • I think that should be enough, but we should be ready and willing to bump those numbers up if they end up unrealistic for real-world deployments.
  • If UAs detect abusers of this (e.g. multiple cross-origin reporting iframes that go to the same "first party set", for whatever definition of a "first party set"), they MAY intervene against these abusers and lower quotas for these abusers' origins (up to and including 0KB).

@annevk
Copy link

annevk commented Feb 21, 2024

I haven't really changed my thinking on this. We'd give a top-level origin/site a quota and it can share that quota using Permissions Policy. That still seems like the most robust approach. That also puts the blame squarely with the top-level origin/site, which is generally what you want if you were to surface any of this to end users.

@noamr
Copy link
Contributor

noamr commented Feb 21, 2024

I haven't really changed my thinking on this. We'd give a top-level origin/site a quota and it can share that quota using Permissions Policy. That still seems like the most robust approach. That also puts the blame squarely with the top-level origin/site, which is generally what you want if you were to surface any of this to end users.

I also don't see a way around this. It does mean that fetchLater would only work reliably for cross-origin iframes if permitted by permissions-policy.

@mingyc
Copy link
Collaborator Author

mingyc commented Mar 5, 2024

I am going to add Permissions Policy into OT implementation, but houw about its default? I think from our side we still want to minimize the friction to make the API available to 3P frames, and making it to 'self' means that the API won't be available in most of the existing sites at all.

@annevk
Copy link

annevk commented Mar 5, 2024

That is the correct default though. Otherwise you make the top-level site responsible for something it didn't even know.

@noamr
Copy link
Contributor

noamr commented Mar 5, 2024

That is the correct default though. Otherwise you make the top-level site responsible for something it didn't even know.

I tend to agree with @annevk on this, though perhaps this is not a spec concern. I can't find any place in the spec that defines default values for these policies but perhaps I'm missing something.

I can see how hypothetically a UA can e.g. decide to enable this by default but disable it when there are signs of abuse.

@mingyc
Copy link
Collaborator Author

mingyc commented Mar 7, 2024

We'd give a top-level origin/site a quota and it can share that quota using Permissions Policy.

Combing the comment from Yoav

64KB limit per reporting origin. 10 reporting origins per frame

Does that mean a top-level frame has 640KB quota by default, and it allows at most 10 reporting origins within this frame? What happens when 11th origin makes a fetchLater? Does all iframes share the same 640KB or has their own independent quota?

And a quota for origin A in top-level frame is not shared for origin A in other top-level frame right?

@noamr
Copy link
Contributor

noamr commented Mar 8, 2024

We'd give a top-level origin/site a quota and it can share that quota using Permissions Policy.

Combing the comment from Yoav

64KB limit per reporting origin. 10 reporting origins per frame

Does that mean a top-level frame has 640KB quota by default, and it allows at most 10 reporting origins within this frame? What happens when 11th origin makes a fetchLater? Does all iframes share the same 640KB or has their own independent quota?
And a quota for origin A in top-level frame is not shared for origin A in other top-level frame right?

There is no limit to the number of reporting-sink origins. The proposal is:

  • The top-level document has 640k quota for deferred fetches
  • Each reporting-sink origin nested within that top-level document has a 64k quota. you can have more than 10 of those, but if you reach the total of 640k you're out of luck.
  • Deferred fetching is allowed only if the top-level document delegates that quota using permission policy.
  • The default permission policy is anyway not something in the spec, but in most/all cases it should be self.

@yoavweiss
Copy link
Collaborator

Each reporting-sink origin nested within that top-level document has a 64k quota. you can have more than 10 of those, but if you reach the total of 640k you're out of luck.

This seems fine as long as we think that there won't be more than 10 reporting sink in the "typical" case. If that's the case, this policy would be fine, and won't result in reporters "ensuring their quota" by registering and using it early.

@nicjansma - WDYT?

@noamr
Copy link
Contributor

noamr commented Mar 12, 2024

OK, I'm working on the PR, the main thing I need fleshed-out is how to deal with workers, since they:

  • don't have a permissions policy
  • A SharedWorker (or service worker) can belong to several documents at the same time.

I see three options here:

  • Only support documents for now
  • Only support documents + dedicated workers, and have the dedicated worker use its owner's permissions policy
  • also support shared workers, but allow the shared worker to use fetchLater only if all its owners allow that in terms of permission, and all of them have the necessary quota (this is necessary because the worker might outlive any of these documents).

thoughts?

@mingyc
Copy link
Collaborator Author

mingyc commented Mar 13, 2024

We are fine with supporting only documents for now. There are infra limitation in Chromium such that fetchLater can't be supported in workers.

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 18, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 18, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 18, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 19, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 19, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 21, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 22, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 25, 2024
1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit

This CL follows the [guide] to define a new permissions policy
`deferred-fetch`, which is used to gate the new `fetchLater()` API.
Relevant WPT are added in this CL, and the subsequent CL will further
use this policy to adjust the request quota.

In this CL, `deferred-fetch` is not added to chrome://settings/content
page. And no permission prompt for it.

- webappsec request: w3c/webappsec-permissions-policy#544
- "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
- "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
- FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md

[guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md

Bug: b:40276121
Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
@mingyc
Copy link
Collaborator Author

mingyc commented Mar 25, 2024

@mingyc
Copy link
Collaborator Author

mingyc commented Mar 26, 2024

@noamr @yoavweiss

  • The top-level document has 640k quota for deferred fetches
  • Each reporting-sink origin nested within that top-level document has a 64k quota. you can have more than 10 of those, but if you reach the total of 640k you're out of luck.

Although this is implementation-specific details, I just realized this requires a mechanism to enable cross-process iframes to update each other the size of their pending requests synchrounously (given the example), which is difficult to achieve and may not pass security review.

The above is neccessary, as the steps introduced by whatwg/fetch@8d237d0 assumes that child cross-site iframes can obtain all body sizes of pending fetchLater requests from their parent documents in real time when JS fetchLater() is called (such that QuotaExceededError can be thrown). However, traversing cross-site ancestors in renderer process won't provide anything useful

Is there any alternative approach for it?

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Jun 7, 2024
…ions policy `deferred-fetch`", a=testonly

Automatic update from web-platform-tests
Reland "[fetch-later] Define new permissions policy `deferred-fetch`"

This is a reland of commit 193729386996ac0bd40dba0aa98b7f85ff7b94d1

The failed test from https://crbug.com/339120680 is removed by https://crrev.com/c/5524593/1..2 as the same behavior is already covered by `/fetch/fetch-later/permissions-policy/deferred-fetch-default-permissions-policy.tentative.https.window.js` more carefully.

Original change's description:
> [fetch-later] Define new permissions policy `deferred-fetch`
>
> 1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit
>
> This CL follows the [guide] to define a new permissions policy
> `deferred-fetch`, which is used to gate the new `fetchLater()` API.
> Relevant WPT are added in this CL, and the subsequent CL will further
> use this policy to adjust the request quota.
>
> In this CL, `deferred-fetch` is not added to chrome://settings/content
> page. And no permission prompt for it.
>
> - webappsec request: w3c/webappsec-permissions-policy#544
> - "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
> - "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
> - FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md
>
>
> [guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md
>
> Bug: b:40276121,339120680
> Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5367481
> Reviewed-by: Adam Rice <[email protected]>
> Reviewed-by: Thomas Nguyen <[email protected]>
> Reviewed-by: Ian Clelland <[email protected]>
> Commit-Queue: Ming-Ying Chung <[email protected]>
> Reviewed-by: Yoav Weiss (@Shopify) <[email protected]>
> Reviewed-by: Takashi Toyoshima <[email protected]>
> Cr-Commit-Position: refs/heads/main@{#1297320}

Bug: b:40276121,339120680
Change-Id: I41e2f0980f5d72eb6c0687a82d96ad4a59f59936
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5524593
Reviewed-by: Thomas Nguyen <[email protected]>
Reviewed-by: Yoav Weiss (@Shopify) <[email protected]>
Reviewed-by: Ian Clelland <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Reviewed-by: Takashi Toyoshima <[email protected]>
Reviewed-by: Adam Rice <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1310429}

--

wpt-commits: cdd00c8bc0a087353a9dc26e80f11c87aa4fdfae
wpt-pr: 46159
i3roly pushed a commit to i3roly/firefox-dynasty that referenced this issue Jun 7, 2024
…ions policy `deferred-fetch`", a=testonly

Automatic update from web-platform-tests
Reland "[fetch-later] Define new permissions policy `deferred-fetch`"

This is a reland of commit 193729386996ac0bd40dba0aa98b7f85ff7b94d1

The failed test from https://crbug.com/339120680 is removed by https://crrev.com/c/5524593/1..2 as the same behavior is already covered by `/fetch/fetch-later/permissions-policy/deferred-fetch-default-permissions-policy.tentative.https.window.js` more carefully.

Original change's description:
> [fetch-later] Define new permissions policy `deferred-fetch`
>
> 1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit
>
> This CL follows the [guide] to define a new permissions policy
> `deferred-fetch`, which is used to gate the new `fetchLater()` API.
> Relevant WPT are added in this CL, and the subsequent CL will further
> use this policy to adjust the request quota.
>
> In this CL, `deferred-fetch` is not added to chrome://settings/content
> page. And no permission prompt for it.
>
> - webappsec request: w3c/webappsec-permissions-policy#544
> - "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
> - "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
> - FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md
>
>
> [guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md
>
> Bug: b:40276121,339120680
> Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5367481
> Reviewed-by: Adam Rice <[email protected]>
> Reviewed-by: Thomas Nguyen <[email protected]>
> Reviewed-by: Ian Clelland <[email protected]>
> Commit-Queue: Ming-Ying Chung <[email protected]>
> Reviewed-by: Yoav Weiss (@Shopify) <[email protected]>
> Reviewed-by: Takashi Toyoshima <[email protected]>
> Cr-Commit-Position: refs/heads/main@{#1297320}

Bug: b:40276121,339120680
Change-Id: I41e2f0980f5d72eb6c0687a82d96ad4a59f59936
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5524593
Reviewed-by: Thomas Nguyen <[email protected]>
Reviewed-by: Yoav Weiss (@Shopify) <[email protected]>
Reviewed-by: Ian Clelland <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Reviewed-by: Takashi Toyoshima <[email protected]>
Reviewed-by: Adam Rice <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1310429}

--

wpt-commits: cdd00c8bc0a087353a9dc26e80f11c87aa4fdfae
wpt-pr: 46159
ErichDonGubler pushed a commit to erichdongubler-mozilla/firefox that referenced this issue Jun 10, 2024
…ions policy `deferred-fetch`", a=testonly

Automatic update from web-platform-tests
Reland "[fetch-later] Define new permissions policy `deferred-fetch`"

This is a reland of commit 193729386996ac0bd40dba0aa98b7f85ff7b94d1

The failed test from https://crbug.com/339120680 is removed by https://crrev.com/c/5524593/1..2 as the same behavior is already covered by `/fetch/fetch-later/permissions-policy/deferred-fetch-default-permissions-policy.tentative.https.window.js` more carefully.

Original change's description:
> [fetch-later] Define new permissions policy `deferred-fetch`
>
> 1-Pager: https://docs.google.com/document/d/1P70kdENIByy3qWabN5rUPmBVkkANNSOM_jZynLnqINY/edit
>
> This CL follows the [guide] to define a new permissions policy
> `deferred-fetch`, which is used to gate the new `fetchLater()` API.
> Relevant WPT are added in this CL, and the subsequent CL will further
> use this policy to adjust the request quota.
>
> In this CL, `deferred-fetch` is not added to chrome://settings/content
> page. And no permission prompt for it.
>
> - webappsec request: w3c/webappsec-permissions-policy#544
> - "deferred-fetch" usage in fetchLater draft spec: https://whatpr.org/fetch/1647.html#request-a-deferred-fetch
> - "deferred-fetch" policy discussion: WICG/pending-beacon#87 (comment)
> - FetchLater Explainer: https://github.com/WICG/pending-beacon/blob/main/docs/fetch-later-api.md
>
>
> [guide]: https://chromium.googlesource.com/chromium/src/+/main/components/permissions/add_new_permission.md
>
> Bug: b:40276121,339120680
> Change-Id: I2db4dd7484610fefb50c463552155b220f13ac5d
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5367481
> Reviewed-by: Adam Rice <[email protected]>
> Reviewed-by: Thomas Nguyen <[email protected]>
> Reviewed-by: Ian Clelland <[email protected]>
> Commit-Queue: Ming-Ying Chung <[email protected]>
> Reviewed-by: Yoav Weiss (@Shopify) <[email protected]>
> Reviewed-by: Takashi Toyoshima <[email protected]>
> Cr-Commit-Position: refs/heads/main@{#1297320}

Bug: b:40276121,339120680
Change-Id: I41e2f0980f5d72eb6c0687a82d96ad4a59f59936
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5524593
Reviewed-by: Thomas Nguyen <[email protected]>
Reviewed-by: Yoav Weiss (@Shopify) <[email protected]>
Reviewed-by: Ian Clelland <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Reviewed-by: Takashi Toyoshima <[email protected]>
Reviewed-by: Adam Rice <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1310429}

--

wpt-commits: cdd00c8bc0a087353a9dc26e80f11c87aa4fdfae
wpt-pr: 46159
@fergald
Copy link
Collaborator

fergald commented Jun 13, 2024

self effectively means we are excluding ads from ever using this API. I'm not sure if there's any other common use case that finds itself embedded in a stack of 3P frames.

This is a major loss and does not seem worth it to prevent some hypothetical quota stealing. If bad-acting 3rd parties turn out to be a real problem, it is easy for the top-level site to control that with a policy.

With regard to making progress and launching with self and reviewing things later and maybe making it *, is that realistic? If we launch with self, sites that care about controlling this will do nothing and if we switch to * it will require action from those sites. The switch to * is not something we can do lightly.

@noamr
Copy link
Contributor

noamr commented Jun 13, 2024

@jakeherron-google can you be more specific about "we do not control the domain stack we are rendered into because we are often served and rendered with the ad"? How does this work more in detail?

@annevk
Copy link

annevk commented Jun 13, 2024

Note that the Permissions Policy API does not have cross-browser agreement. (I thought the plan was to merge it into the Permissions API but to what extent that has happened is unclear.)

@jakeherron-google
Copy link

@jakeherron-google can you be more specific about "we do not control the domain stack we are rendered into because we are often served and rendered with the ad"? How does this work more in detail?

Yes, to be more specific we deploy Javascript alongside the ad that conducts measurement throughout its lifecycle. The actual ad content along with any scripts will be served into a 3P iframe that the publisher webpage has control over. The publisher does not know anything about the ad served into the 3P frame, by design. Likewise, our ad measurement script has no control over this iframe by design. Our use of the fetchLater API would be beholden to the publisher opting into deferred-fetch for our ad’s iframe under the proposed permissions policy.

@noamr
Copy link
Contributor

noamr commented Jul 8, 2024

Summarizing internal conversations about this:
There is a strong use case for this feature to have a small quota available for 3p origins without requiring permissions policy. This use case is important for us (Google/Chromium).

This quota can be small, e.g. 16kb per 3p-origin-in-a-top-level-document. We see the risk of using this "spare change fund" quota for abusing bandwidth after window close as small, and is anyway possible in other means today such as ordinary keepalive requests (which don't have a standard-defined top-level quota) or service workers (which may be terminated when they don't have active clients, but in practice can send/receive quite a bit of data).

So proposing to keep the current spec wording, but to add a per-3p-origin quota to the effect of 16kb that doesn't require permissions policy. Allowing an iframe to use the overall quota would have the effect of increasing it to 64kb.

We'd prefer to have this as a normal part of the spec, but also open to having it implementation-defined or a MAY/SHOULD that allows user-agents to choose their tradeoff between utility and risk of bandwidth abuse. FWIW I think it's a legitimate tradeoff to leave for browsers to differentiate, and is discoverable enough so that it shouldn't create a substantial interop issue.

@annevk thoughts?

@annevk
Copy link

annevk commented Aug 28, 2024

We discussed this once more internally.

We continue to be concerned about letting third parties consume end user system resources without explicit buy-in from the first party.

To the extent that is possible today through service workers that will likely be something we will eliminate going forward (the main reason for keeping service workers alive in WebKit has been to make navigation quicker, not for web application shutdown purposes). And thus we would not want to use that as precedent when designing a new API.

@noamr
Copy link
Contributor

noamr commented Aug 28, 2024

We discussed this once more internally.

We continue to be concerned about letting third parties consume end user system resources without explicit buy-in from the first party.

Understood. I suggest that having this as a MAY in the spec is a better way forward than remaining blocked on this, as allowing 3ps to use this feature without 1p buy-in is an important use case for us (with a very small quota).

We'd prefer to tackle hypothetical problems that arise from this, keeping an eye on metrics, rather than constrain this API in advance in a way that would make it a lot less useful. Since this API is anyway built to not always work based on all kinds of constraints, I think having this as a constraint that's up to some implementation-specific discretion is probably the best we can come up with.

To the extent that is possible today through service workers that will likely be something we will eliminate going forward (the main reason for keeping service workers alive in WebKit has been to make navigation quicker, not for web application shutdown purposes). And thus we would not want to use that as precedent when designing a new API.

Apart from service-workers, another precedence is ordinary keep-alive fetches, which can be used by a 3p without 1p buy-in. The quota proposed here is smaller than the quota of a single keep-alive fetch. Is WebKit also going to eliminate keep-alive fetches in 3p iframes?

aarongable pushed a commit to chromium/chromium that referenced this issue Sep 5, 2024
The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1351171}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Sep 5, 2024
The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1351171}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Sep 5, 2024
The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1351171}
noamr added a commit to noamr/fetch that referenced this issue Sep 5, 2024
@noamr
Copy link
Contributor

noamr commented Sep 5, 2024

Updated the PR, to include a 3p default quota of 16kb even if the permissions policy is not present (in a MAY clause). This is currently the only way I see forward given lack of consensus about this detail, which is really a small bit of this API. I think it's better to have one detail with an implementation-defined difference than hold this issue back indefinitely or ship it with a monkey-patch spec. Open to hear other alternatives!

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Sep 11, 2024
…d-fetch" for now, a=testonly

Automatic update from web-platform-tests
Update FetchLaterAPI to not use "deferred-fetch" for now

The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1351171}

--

wpt-commits: d575dc75ede770df322fbc5da3112dcf81f192ec
wpt-pr: 47974
i3roly pushed a commit to i3roly/firefox-dynasty that referenced this issue Sep 12, 2024
…d-fetch" for now, a=testonly

Automatic update from web-platform-tests
Update FetchLaterAPI to not use "deferred-fetch" for now

The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1351171}

--

wpt-commits: d575dc75ede770df322fbc5da3112dcf81f192ec
wpt-pr: 47974
jamienicol pushed a commit to jamienicol/gecko that referenced this issue Sep 12, 2024
…d-fetch" for now, a=testonly

Automatic update from web-platform-tests
Update FetchLaterAPI to not use "deferred-fetch" for now

The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <[email protected]>
Commit-Queue: Ming-Ying Chung <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1351171}

--

wpt-commits: d575dc75ede770df322fbc5da3112dcf81f192ec
wpt-pr: 47974
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this issue Sep 16, 2024
…d-fetch" for now, a=testonly

Automatic update from web-platform-tests
Update FetchLaterAPI to not use "deferred-fetch" for now

The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <nidhijajuchromium.org>
Commit-Queue: Ming-Ying Chung <mychchromium.org>
Cr-Commit-Position: refs/heads/main{#1351171}

--

wpt-commits: d575dc75ede770df322fbc5da3112dcf81f192ec
wpt-pr: 47974

UltraBlame original commit: 52384999063c6e9d9ab6e380ac75ac5608683b0a
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this issue Sep 16, 2024
…d-fetch" for now, a=testonly

Automatic update from web-platform-tests
Update FetchLaterAPI to not use "deferred-fetch" for now

The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <nidhijajuchromium.org>
Commit-Queue: Ming-Ying Chung <mychchromium.org>
Cr-Commit-Position: refs/heads/main{#1351171}

--

wpt-commits: d575dc75ede770df322fbc5da3112dcf81f192ec
wpt-pr: 47974

UltraBlame original commit: 52384999063c6e9d9ab6e380ac75ac5608683b0a
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this issue Sep 16, 2024
…d-fetch" for now, a=testonly

Automatic update from web-platform-tests
Update FetchLaterAPI to not use "deferred-fetch" for now

The [discussion][1] is not yet finalized, but we want to extend OT for
other partners.

[1]: WICG/pending-beacon#87 (comment)

Bug: 40276121
Change-Id: I6f163add73707be7b9c2b34d58dce22542621293
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5833346
Reviewed-by: Nidhi Jaju <nidhijajuchromium.org>
Commit-Queue: Ming-Ying Chung <mychchromium.org>
Cr-Commit-Position: refs/heads/main{#1351171}

--

wpt-commits: d575dc75ede770df322fbc5da3112dcf81f192ec
wpt-pr: 47974

UltraBlame original commit: 52384999063c6e9d9ab6e380ac75ac5608683b0a
noamr added a commit to noamr/fetch that referenced this issue Oct 24, 2024
noamr added a commit to noamr/fetch that referenced this issue Oct 28, 2024
noamr added a commit to noamr/fetch that referenced this issue Dec 4, 2024
noamr added a commit to noamr/fetch that referenced this issue Dec 9, 2024
noamr added a commit to noamr/fetch that referenced this issue Dec 11, 2024
noamr added a commit to noamr/fetch that referenced this issue Dec 15, 2024
noamr added a commit to noamr/fetch that referenced this issue Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants