
I've been wondering whether now is the right time for disruptive changes to the (web) ecosystem or it is better to hold them back until things return towards normal. We'll see how this goes. Stay safe out there!
85 replies and sub-replies as of Nov 17 2020

I think you've done enough.
I'm slow today, was that about Apple or Google or both? Thx.
Both. We're still rolling out our SameSite cookie change, and we'll reconsider if that disrupts sites that a) users need and b) are under pressure. We have a pandemic right now, and the priority is that folks can access the information they need to stay safe and healthy.
As you know, government sites don't tend to be at the sharp end of the web at the best of times. And *looks around* we aren't exactly at the best of times.
Government sites break if one blocks 3rd party cookies? Not in my experience.
My experience: when I was applying for ESTA last year, the online form didn't work until I disabled the Firefox tracking protection.
Sorry to hear that. I use {{dmv,ftb}.ca,irs,santaclaraca}.gov without issue. Did you identify the blocked script that was needed?
To be clear, I agree with removing third party communication in all but very particular situations. However deprecations/removals are hard at the best of times, and we *must* go beyond "works on my machine".
Not about "works on my machine". Many have been working on & using tracking protection for years, and have thereby moved sites to not break when tracking is blocked. Some of these folks have also worked on privacy in standards bodies. You're late to this party to be lecturing me.
Same goes for SameSite, but shipping in stable is different to talking in a standards meeting. Again, see twitter.com/jaffathecake/s…
No one said shipping was the same as standardizing. Wha? I asked Malte if his tweet was aimed at Apple, Google, or both. You jumped in with "both", but I think you meant "Apple", because from this thread, it has been hero complex and "turn on the news" ever since. Ok, bad Apple!
Um, I said "both", then described a situation that *Google* is considering in light of COVID-19. I'm not sure how you'd miss that, unless it was intentional. twitter.com/jaffathecake/s…
Dismissing concern for people, during a *pandemic*, as "hero complex" is pretty distasteful.
I was referring to your telling me to "turn on the news". That was uncalled for, pandemic or no pandemic. My "yikes" was a brief aside reacting to insecure TLS versions coming back from the dead, not me objecting to their come-back. I'd missed that Firefox relnote; that's all. Ok?
I didn't read your "yikes" tweet like that, and I'm sure others didn't too, but thanks for clarifying.
I always tweet "Yikes" to mean "NO! This change must be reverted!" -- really? Something's off, we're still tweeting about an aside that could not possibly matter for browsing government sites. Pop the stack: Apple shouldn't change ITP till pandemic over. Do I have that right?
Brendan, you just bragged about reading "every word". Please actually do that, and pay particular attention to stuff like "wondering", "we'll see" and "reconsider if…" etc etc. Nuance is important, especially at times like this.
Anyway, I've made my point. This is turning into a Twittering contest and I have other things to do.
I'm not looking to score Twitter points but I don't think tweets will back Apple off an inch. Other browsers are blocking tracking too. From another tweet in thread we learned Firefox tracking protection prevented using a gov't website. This is a worthwhile topic, you're right. +
I don't think we should try to standardize only one way to test breaking privacy changes. Smaller-share browsers can take bigger risks, possibly go farther faster down a path that ends up standardizable. If we could partake of Chrome's scaled A/B testing ability, I'd go for it. +
An area where chromium-based browsers have common cause seems to be fingerprinting countermeasures that don't break valid use-cases. Dual-keyed storage is another. These are positive things that shouldn't break important old sites (knock on wood). I will stop here.
Now you're trying to have it both ways. 1. This is a pandemic, turn on the news, people might be unable to read government websites! 2. wondering, we'll see, reconsider... Pick one, stick to it. Otherwise what's the point? To score twitter points against Apple for revving ITP?
I read every word. You said Google is being super careful (also, sites can override lax default more easily than figure out ITP workarounds). "Both" would fit if you cited Google breaking something hard without recourse by the site. But you didn't. Not quite humblebrag but close!
My essay/overview on Google mentions the GDPR BTW.
I am still blocked by @johnnyryan
We did a lot more testing than "works on my machine", including an extended public beta. Hopefully this goes without saying?
Absolutely. I was replying directly to twitter.com/BrendanEich/st…, it wasn't a comment about Safari's strategy. Sorry for not making that clear.
Why my relating my own experience was taken as grounds for Apple (or any browser maker) doing anything is still a mystery. It was helpful to hear jsnajdr's report of Firefox TP breaking that ESTA site. At least, I found it helpful.
Didn't identify. This was not the kind of site that I wanted to debug and submit some bogus form data.
I think Firefox re-enabled TLS 1.0 and 1.1 a few days ago for this reason.
Yikes. Not secure.
Right, but turn on the news. There are other "yikes" things happening right now.
Come on, stop grandstanding.
I'm not. Maybe you watch different news than I do.
Annotated graphs if helpful; log scale ft.com/coronavirus-la…
Right, but on the other hand, Donald Trump says everything will be back to normal in a couple of weeks
This reminds me of TLS "telemetry". Another example is TLS 1.3 middlebox problems.
"Not Secure" meaning that you've found a *practical* TLS/1.0 exploit that you haven't shared with the class? ;)
If so, please tell Yan. :)
If you don't mind, we will stick with what chromium does for good reasons, including not breaking old sites right now.
Absolutely agree that now is a bad time to be making breaking changes to the web.
💯👍 We're experiencing breaking changes to society, might as well take care of things we can actually control.
As for "not secure", TLS 1.0 is still supported in Chromium 80. It would have been removed Chrome 81, but Chrome releases have been paused. Firefox users would be frustrated if (TLS 1.0) sites were broken in Firefox but still working on Chrome.
TLS 1.0/1.1 support has been removed (Reverted)
The support for the Transport Layer Security (TLS) protocol’s version 1.0 and 1.1, deprecated since Firefox 71, has been removed from all the channels as of Firefox 74. All major browsers are going to drop the support for the older versions of ...
fxsitecompat.dev
Yeah, I think we are on same page. I just missed that release note. Thanks.
Nothing to report. Are you saying e.g. MitM exploit isn't practical? I tweeted based on headline-level memories of problems driving EOL for 1.0/1.1. If there is no practical security exploit, then why retire? If it is just a good idea in case of 0day, ok. You probably know more!
Some discussion from folks smarter than me at feistyduck.com/bulletproof-tl… The general idea is that attacks only get better, and we've started to see cracks around the edges for the older protocol versions. March 2020 seemed like a nice time to retire these back in 2018. Now...
... that the date has arrived, there are a few laggards popping up (I hear some South Korean payment providers) and more broadly there's the "Hey, um, the world is currently experiencing some difficulties, so maybe hold off on the prophylactic security changes for a bit" vibe.
I'm a bit troubled by Mozilla's /implication/ that there are some health/gov't sites that rely on TLS/1.0 (seems like naming them could help everyone) but they say they're still shipping in FF76, so May. New Edge plans to go in late May/early June. Legacy IE/Edge in Sept.
To get back to root of thread, is ITP or anyone else's TP too breaking for the world right now? Interested in your view.
I've heard suggestion that the newly aggressive ITP will break healthcare and insurance websites. I don't know to what extent the Safari folks did compat test passes, but this seems like a huge bet that they're making.
On macOS desktop, if it is too soon (as Chromium plans suggest) we could imagine a quick retreat to other browsers, tanking Safari share. On iOS, however, other browsers are intrinsically hobbled, so a too-early release would pose an ecosystem threat.
Who’s hoarding the TP???
I knew you would come with that bait :-P.
Yeah, and my very technically worded "Yikes" was not expressing interest in reversing the pause -- as noted multiple times last night. It can wait.
Unrelated to topic but are SameSite cookies the reason why 3d payments have stopped working in Chrome for the last few weeks? I cannot understand why my users are suddenly logged out when returning from payment confirmation pages. It used to work flawlessly.
Looks like SameSite=Lax would solve the issue. I will try asap. Thanks!
Lax is the default. If that's the case of the issue, you want "None".
Oh okay, didn't see that mentioned. I'll try both to figure out the issue.
If this is a returning POST request from your payment provider and you need cookies for the user's session, I would probably recommend an internal redirect after the POST. It's unlikely you want to make cookies for your site's session SameSite=None. Happy to DM for more detail.
Yes, it is a returning POST, and yeah, I am hesitant on SameSite=None tbh. I actually temporarily disabled the 3d payment option until I can have peace of mind before diving into this stuff. I'll give it a try in a few days. Thanks for taking your time to reply!
I think a few people are seeing this scenario, so I'm trying to see if this is a reasonable solution for the issue.
I know a few other devs have experienced the issue for a few weeks. Redirect sounds reasonable to me. I mean the POST data has my order ID, and I can find the user with that. Complete the payment there, then redirect to the home page with a simple flag to say "thx for payment".
I'm certainly worried people will take the easy way (adding SameSite=None) rather than attempt to solve this
True, like you'll still always get people who chmod 777 to get something working, but hopefully there's a net improvement here. This at least makes the default more secure.
We need decentralized systems for data dist now. I think data science crowd is best user group for this.
That's what DAT was meant for: dat.foundation
Yeah, I'm torn between dat and ipdb. Leaning towards ipdb and orbit. Still lots of pieces to build to make the decorator library I'm thinking of.
Bold take from a company who firehoses everyone else all day every day. ✌️
Also makes it easier to stop because you don't miss The Yearly Release™️. I think that it is fine, even necessary, to reconsider the modus operandi given current developments. Just blindly marching on is probably wrong.
Sorry, I couldn’t hear you over trying to catch up with a month of google web platform news from 2017. I agree the system is broken, but I’m extremely done with google folks shitting on Apple at every opportunity, especially when they run their own broken system.
I don't think you actually disagree with what I said. We'll have to disagree on your take on the context of my tweet which I think is wrong but I'm too tired to argue and also really isn't my business.
¯\_(ツ)_/¯
Is there ever a good time to break the web, or as you say, make disruptive changes? This in particular looks good for the user.
Imagine COVID had hit last year around the same time and the GDPR deadline was looming. I think it would have been worth considering moving it. But, yeah, my original tweet was asking a genuine question. So, you'd say user value generally outweighs ecosystem consideration?
Can you define ecosystem? Not sure I understand, or can answer.
I meant very broadly "folks who put anything on the web". They have lots of problems right now. Somewhere between "my business is dead" and "OMG we are breaking records every day but the warehouse workers are sick".
I don’t think you have to put it all on hold, and again, I think this is to the benefit of the user. I have had too much adtech for one lifetime. Little to no compassion for companies who bank on that. Time to build a real product and stop selling user data.
Ok, thanks for the data point.
However, you might want to look at your own apps. With this change every "offline first" app will need to build a backend.
I don’t have any. Can’t comment on that, though I am critical of taking that away as well. But then again, you let me know when Google torches AMP. ;) Or when a Google search displays actual results (not sponsored “content”) above the fold. ;)
Be safe out there!