Intent to Ship: Web Locks API
514 views
Skip to first unread message
Joshua Bell
Jun 28, 2018, 2:03:01 PM6/28/18
to blink-dev
Contact emails
jsb...@chromium.org, pwn...@chromium.org (but I still blame darin@)
Explainer
https://github.com/inexorabletash/web-locks
Spec
https://inexorabletash.github.io/web-locks/
(Proposed to move to WICG, waiting on interest from others)
TAG Review:
https://github.com/w3ctag/design-reviews/issues/217 then
https://github.com/inexorabletash/web-locks/issues/35
Summary
navigator.locks.request("my_resource", async lock => {
// can assert that no other tab/worker in this origin
// is using "my_resource" until this async function completes
});
Proposed to launch to stable in M69.
Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/DpODIjdpUMg/hVQkjqeIAAAJLink to Origin Trial feedback summary
Feedback from Google Docs/Sheets/Slides:
Chrome implemented a Web Locks API to provide support for an authoritative lock management system. Early data from a Docs/Sheets/Slides experiment using Web Locks through Chrome’s origin trial showed that lock related errors were reduced by 10x.
Bugs were found/fixed during the origin trial, but no breaking API changes are required. One feature request was filed for additional debugging capability, which can be layered on to the current API shape.
I failed to do a blog post to announce the trial, which doubtless limited the feedback. :(
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Debuggability
Lock state can be queried via navigator.locks.query() to get a snapshot of lock state. A feature request (from the Google Docs/Sheets/Slides team) would improve this further with application-specific metadata; that can be added in the future without breaking API changes.
Risks
Interoperability and Compatibility
The proposal has been reviewed by the TAG, but no other browsers have given an assessment on design or implementation challenges.
Edge: No signals
Firefox: No signals; discussion raised by Marcos Cáceres at https://github.com/mozilla/standards-positions/issues/64 (after highlighting important issues about the specifics of how locks are scoped to browsing sessions, the discussion veered into details of Safari dual-keyed storage behavior and hasn't had follow-up)
Safari: No signals
Web developers: As noted, at least one Google team is strongly positive. Otherwise, feedback has been extremely sparse.
Ergonomics
The API shape was arrived at after significant exploration (see the history of the git repo) to arrive at an API that avoids pitfalls while still allowing full programmatic control of lock lifetime; the TAG walked through this again, arriving at the same conclusion.
Web applications can "deadlock" themselves with respect to this API (e.g. holding a lock and never releasing it) but no other capability is tied to these abstract locks, so any risk for the app is opt-in. Locks also do not span origins or browsing sessions, and there are no known performance implications for other APIs although some of the lock management algorithms could be improved.
Activation
The API would benefit from documentation on MDN. The spec has many examples, but more would not hurt.
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
Bug / CL to upstream to WPT: https://bugs.chromium.org/p/chromium/issues/detail?id=857265 / https://chromium-review.googlesource.com/c/chromium/src/+/1118764
Boris Zbarsky
Jun 28, 2018, 2:39:48 PM6/28/18
to Joshua Bell, blink-dev
On 6/28/18 2:02 PM, Joshua Bell wrote:
> Firefox: No signals; discussion raised by Marcos Cáceres at
> https://github.com/mozilla/standards-positions/issues/64 (after
> highlighting important issues about the specifics of how locks are
> scoped <https://inexorabletash.github.io/web-locks/#security-scope> to
> Firefox: No signals; discussion raised by Marcos Cáceres at
> https://github.com/mozilla/standards-positions/issues/64 (after
> highlighting important issues about the specifics of how locks are
> browsing sessions, the discussion veered into details of Safari
> dual-keyed storage behavior and hasn't had follow-up)
I believe the Firefox status at the moment is that we're not clear on
> dual-keyed storage behavior and hasn't had follow-up)
exactly what the proposed scoping is in various important cases, which
is making it hard to evaluate whether it makes sense, which is making it
hard to decide what we think about the proposal. Which is why there's
been no followup on our standards position; we don't have enough
information to evaluate.
I will say that I personally am extremely concerned about too-broad
scoping getting baked into the implementation and consumers and hence
making it difficult to ship other features in the future, change process
models, improve user privacy via efforts like Firefox's containers, etc.
-Boris
Boris Zbarsky
Jun 28, 2018, 2:44:51 PM6/28/18
to blink-dev
On 6/28/18 2:39 PM, Boris Zbarsky wrote:
> I will say that I personally am extremely concerned about too-broad
> scoping getting baked into the implementation and consumers and hence
> making it difficult to ship other features in the future, change process
> models, improve user privacy via efforts like Firefox's containers, etc.
To give a simple example,
> I will say that I personally am extremely concerned about too-broad
> scoping getting baked into the implementation and consumers and hence
> making it difficult to ship other features in the future, change process
> models, improve user privacy via efforts like Firefox's containers, etc.
https://inexorabletash.github.io/web-locks/#security-scope seems to
assume that the set of partitions is the same for all "storage
facilities" and "communication channels", which may well not be true in
general, depending on a UA's actual goals.
-Boris
Joshua Bell
Jun 28, 2018, 3:35:37 PM6/28/18
to Boris Zbarsky, blink-dev
On Thu, Jun 28, 2018 at 11:39 AM Boris Zbarsky <bzba...@mit.edu> wrote:
I believe the Firefox status at the moment is that we're not clear on
exactly what the proposed scoping is in various important cases, which
is making it hard to evaluate whether it makes sense, which is making it
hard to decide what we think about the proposal. Which is why there's
been no followup on our standards position; we don't have enough
information to evaluate.
Are you able to enumerate those cases with respect to the proposal?
I will say that I personally am extremely concerned about too-broad
scoping getting baked into the implementation and consumers and hence
making it difficult to ship other features in the future, change process
models, improve user privacy via efforts like Firefox's containers, etc.
Do you have suggestions for defining the scope in a way that captures the use cases but does not constrain future features?
A common use case is that, for example, if two tabs are editing the same "document" only one should be doing network<->storage synchronization. I would therefore be fine with equating lock scope with storage scope, although there are of course use cases that don't require the use of storage.
On Thu, Jun 28, 2018 at 11:44 AM Boris Zbarsky <bzba...@mit.edu> wrote:
To give a simple example,
https://inexorabletash.github.io/web-locks/#security-scope seems to
assume that the set of partitions is the same for all "storage
facilities" and "communication channels", which may well not be true in
general, depending on a UA's actual goals.
Noted. To the best of my knowledge, the correspondence is true in Chrome today - that is, if code within an origin writes to a storage API like Indexed DB, or Cache API, then announces this using BroadcastChannel, all recipients of the message would agree that storage has been modified. Web apps may already be making that assumption; I don't believe we've properly defined scoping for either storage or communication in the platform, nor relative to one another.
Darin Fisher
Jun 28, 2018, 4:02:49 PM6/28/18
to Joshua Bell, Boris Zbarsky, blink-dev
On Thu, Jun 28, 2018, 12:35 PM Joshua Bell <jsb...@chromium.org> wrote:
On Thu, Jun 28, 2018 at 11:39 AM Boris Zbarsky <bzba...@mit.edu> wrote:I believe the Firefox status at the moment is that we're not clear on
exactly what the proposed scoping is in various important cases, which
is making it hard to evaluate whether it makes sense, which is making it
hard to decide what we think about the proposal. Which is why there's
been no followup on our standards position; we don't have enough
information to evaluate.Are you able to enumerate those cases with respect to the proposal?I will say that I personally am extremely concerned about too-broad
scoping getting baked into the implementation and consumers and hence
making it difficult to ship other features in the future, change process
models, improve user privacy via efforts like Firefox's containers, etc.Do you have suggestions for defining the scope in a way that captures the use cases but does not constrain future features?A common use case is that, for example, if two tabs are editing the same "document" only one should be doing network<->storage synchronization. I would therefore be fine with equating lock scope with storage scope, although there are of course use cases that don't require the use of storage.
I suppose one could approximately think of a lock as shared memory. From that viewpoint, storage scope is sensible?
-Darin
On Thu, Jun 28, 2018 at 11:44 AM Boris Zbarsky <bzba...@mit.edu> wrote:To give a simple example,
https://inexorabletash.github.io/web-locks/#security-scope seems to
assume that the set of partitions is the same for all "storage
facilities" and "communication channels", which may well not be true in
general, depending on a UA's actual goals.Noted. To the best of my knowledge, the correspondence is true in Chrome today - that is, if code within an origin writes to a storage API like Indexed DB, or Cache API, then announces this using BroadcastChannel, all recipients of the message would agree that storage has been modified. Web apps may already be making that assumption; I don't believe we've properly defined scoping for either storage or communication in the platform, nor relative to one another.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j4azFtRYiXfLP%3Dj-4RHBaJS2%2BUd8tRwfQ-iRX1SO85exA%40mail.gmail.com.
Boris Zbarsky
Jun 28, 2018, 4:10:19 PM6/28/18
to Joshua Bell, blink-dev
On 6/28/18 3:35 PM, Joshua Bell wrote:
> Are you able to enumerate those cases with respect to the proposal?
The main concern I personally have is that the proposal assumes that
> Are you able to enumerate those cases with respect to the proposal?
there is only one partitioning. This is demonstrably false for cookies
(e.g. they ignore scheme and nothing else does) and might become false
for other things in a world in which (some) things are double-keyed.
I don't have a clear list of cases; this is an area of active research
and experimentation.
> Do you have suggestions for defining the scope in a way that captures
> the use cases but does not constrain future features?
Based on a conversation earlier today with, it seems that my concern
boils down to this. The proposal is for abstract locks which are not
tied to particular features. This has obvious desirable qualities, but
requires that the lock scope match the scope of whatever you're locking.
And since you don't know what you're locking, the scopes of all the
things need to match.
So it's possible that the right answer is to be more explicit about what
you plan to lock with a given lock so that it can be scoped appropriately.
It's also possible that the right answer is to make browsers only have
one scope. Again, it's not clear to me that this interacts well with
some desirable privacy features[1].
> Noted. To the best of my knowledge, the correspondence is true in Chrome
> today
But that's my point: this seems to be assuming details about how Chrome
works today. And these details may not be true for other browsers
today, much less other browsers in the future...
> I don't believe we've properly defined scoping for either storage or
> communication in the platform, nor relative to one another.
tool that makes it look like that scoping is defined (by explicitly
giving them guarantees that a lock held will lock out other things
within the relevant scope), then we should attempt to define these things.
Ben Kelly pointed out that BroadcastChannel already has this problem to
some extent, in that you could try to build a synchronization setup on
top of it. Which is true, but it's a lot easier to write off failures
of that to correspond to storage scoping as "yeah, we don't guarantee
that" than it would be with web locks, which are explicitly meant to
guarantee things work right.
-Boris
[1] Let me give a concrete example. Say a page at foo.com includes an
iframe from bar.com. bar.com is attempting to track users. A browser
could try to prevent this by giving that iframe its own storage
partition that's separate from other bar.com storage. This is
sufficient to deal with the "user opens a new tab, loads foo.com" case.
Now say user loads bar.com and bar.com then window.open()s foo.com. In
this case the original page and the subframe can communicate with each
other. Synchronously, even. The question is what the storage
partitions should look like.
In an ideal world, the answer might be "well, actually, in the
window.open case they can't communicate", but I suspect that's not
web-compatible. Another answer might be "the storage used for the
bar.com subframe depends on whether there's a toplevel bar.com page in
the same unit of related browsing contexts" or some such. That, too,
could have web compat issues. For example, the storage the subframe
sees would randomly depend on whether you load foo.com in a new tab
yourself or follow a link from a search engine or whatnot.
Note that the threat model here is not "bar.com toplevel should never be
able to access the storage of the bar.com subframe". It clearly can in
the window.open case. The threat model is that if the user opens a tab
that is otherwise entirely unrelated to bar.com then the bar.com in that
tab should not share storage with bar.com in other such tabs. Arguably
shouldn't share BroadcastChannel either.... But if you come from
bar.com itself, then it already knows you're doing that, so all bets are
kind of off.
This is all a bit fuzzy, but the point is that it's not clear so far
what the right model is here, and I am worried about foreclosing options
by shipping an API that makes strong and very exposed assumptions about
what that model is.
Joshua Bell
Jun 28, 2018, 4:49:37 PM6/28/18
to Boris Zbarsky, blink-dev
On Thu, Jun 28, 2018 at 1:10 PM Boris Zbarsky <bzba...@mit.edu> wrote:
Based on a conversation earlier today with, it seems that my concern
boils down to this. The proposal is for abstract locks which are not
tied to particular features. This has obvious desirable qualities, but
requires that the lock scope match the scope of whatever you're locking.
And since you don't know what you're locking, the scopes of all the
things need to match.
So it's possible that the right answer is to be more explicit about what
you plan to lock with a given lock so that it can be scoped appropriately.
To make this concrete: this makes me think of adding a future option such as {lockScope: "storage"}, {lockScope: "communication"}, {lockScope: "agentcluster"} or {lockScope:"cookies"}. (Although the latter would almost certainly not be desirable.)
But I get your point, which is that without any definition here we wouldn't be able to provide guidance on when to use what, and there would be reluctance to provide any definition without constraining future evolution.
> Noted. To the best of my knowledge, the correspondence is true in Chrome
> today
Except cookies, right?
*sigh* Yes, except cookies.
Ben Kelly pointed out that BroadcastChannel already has this problem to
some extent, in that you could try to build a synchronization setup on
top of it. Which is true, but it's a lot easier to write off failures
of that to correspond to storage scoping as "yeah, we don't guarantee
that" than it would be with web locks, which are explicitly meant to
guarantee things work right.
SharedWorker is another example. I'm not sure I'd write off web apps breakage as "we didn't guarantee that", but agreed that it's unclear if we have web compatibility constraints in this space already or not. But I hear your concern that this API would be forcing the issue.
ISTM that implicitly scoping this feature to (non-cookie) storage preserves the usability we want, and there are paths to allow the same primitive to be used if more scopes can be properly defined in the future.
-Boris
[1] Let me give a concrete example.
I just wanted to explicitly thank you for taking the time to write this up. Not quoting the whole thing, but anyone following this thread should read it.
mk...@chromium.org
Jul 2, 2018, 3:49:54 AM7/2/18
to blink-dev, bzba...@mit.edu, Joshua Bell, ann...@annevk.nl
On Thursday, June 28, 2018 at 10:49:37 PM UTC+2, Joshua Bell wrote:
On Thu, Jun 28, 2018 at 1:10 PM Boris Zbarsky <bzba...@mit.edu> wrote:Based on a conversation earlier today with, it seems that my concern
boils down to this. The proposal is for abstract locks which are not
tied to particular features. This has obvious desirable qualities, but
requires that the lock scope match the scope of whatever you're locking.
And since you don't know what you're locking, the scopes of all the
things need to match.
So it's possible that the right answer is to be more explicit about what
you plan to lock with a given lock so that it can be scoped appropriately.To make this concrete: this makes me think of adding a future option such as {lockScope: "storage"}, {lockScope: "communication"}, {lockScope: "agentcluster"} or {lockScope:"cookies"}. (Although the latter would almost certainly not be desirable.)
Perhaps naïvely, I would very much prefer that we not create new mechanisms with cookie-like scoping. Would any of these potential scoping options that go beyond "storage" be worth the complexity to create?
But I get your point, which is that without any definition here we wouldn't be able to provide guidance on when to use what, and there would be reluctance to provide any definition without constraining future evolution.> Noted. To the best of my knowledge, the correspondence is true in Chrome
> today
Except cookies, right?*sigh* Yes, except cookies.
Ben Kelly pointed out that BroadcastChannel already has this problem to
some extent, in that you could try to build a synchronization setup on
top of it. Which is true, but it's a lot easier to write off failures
of that to correspond to storage scoping as "yeah, we don't guarantee
that" than it would be with web locks, which are explicitly meant to
guarantee things work right.SharedWorker is another example. I'm not sure I'd write off web apps breakage as "we didn't guarantee that", but agreed that it's unclear if we have web compatibility constraints in this space already or not. But I hear your concern that this API would be forcing the issue.ISTM that implicitly scoping this feature to (non-cookie) storage preserves the usability we want, and there are paths to allow the same primitive to be used if more scopes can be properly defined in the future.
This sounds right to me as a first step. As Darin noted above, locks boil down to something like an implicit shared-memory mechanism. Treating that mechanism in the same way that we treat the rest of an origins' storage seems pretty reasonable to me. That is, I could imagine that the specification's lock manager could be tied to a site storage unit, and that the behavior in the cases Boris raised earlier in the thread would be governed by the ways in browsers tied a given document to a site storage unit. If two documents share a storage unit, they'd share a lock manager, and therefore locks. If they don't share a storage unit, they wouldn't share locks. Does that sound like a reasonable limitation, Boris?
I take the larger point, however: there's a lot of diversity between browsers at the moment regarding the ways in which storage data and communication channels are available between contexts. It would be worth our collective time to step back and write down a coherent set of concepts that would allow us to explain what we'd like to see happen in a way that helps us reduce that diversity over time. (CCing Anne, as I imagine Storage would be a good place for that kind of work)
I don't think that we need to wait for that work to complete before shipping this feature with conservative scoping equivalent to non-cookie storage. The order of magnitude error-rate reduction from the origin trial is significant, and outweighs in my mind the risk that we'll get the scoping wrong around the edges. We can further reduce that risk by ensuring that we take a conservative stance regarding those edge cases (for instance, Chrome should refuse to share locks between a top-level `bar.com` and a `bar.com` nested in `foo.com` if the user has chosen to block third-party cookies and site data).
LGTM1 to ship.
-mike
Boris Zbarsky
Jul 3, 2018, 3:10:28 PM7/3/18
to Joshua Bell, blink-dev
On 6/28/18 1:49 PM, Joshua Bell wrote:
> SharedWorker is another example. I'm not sure I'd write off web apps
> breakage as "we didn't guarantee that"
For existing things, sure. I was talking about people creating new
> SharedWorker is another example. I'm not sure I'd write off web apps
> breakage as "we didn't guarantee that"
sites that try to rely on that guarantee and discovering it does not hold.
> ISTM that implicitly scoping this feature to (non-cookie) storage
> preserves the usability we want, and there are paths to allow the same
> primitive to be used if more scopes can be properly defined in the future.
scoped in a consistent-with-each-other way in browsers. Which seems
like a reasonable thing to want, though I very much doubt any specs
actually come out and say it.
This spec would definitely want to explicitly say that's what the
scoping is.
-Boris
Joshua Bell
Jul 3, 2018, 4:01:12 PM7/3/18
to Boris Zbarsky, blink-dev
On Tue, Jul 3, 2018 at 12:10 PM Boris Zbarsky <bzba...@mit.edu> wrote:
On 6/28/18 1:49 PM, Joshua Bell wrote:
> ISTM that implicitly scoping this feature to (non-cookie) storage
> preserves the usability we want, and there are paths to allow the same
> primitive to be used if more scopes can be properly defined in the future.
That seems OK to me if we're very certain that all non-cookie storage is
scoped in a consistent-with-each-other way in browsers. Which seems
like a reasonable thing to want, though I very much doubt any specs
actually come out and say it.
Yep. Lots of work including https://github.com/whatwg/storage/issues/18
This spec would definitely want to explicitly say that's what the
scoping is.
Agreed. I filed https://github.com/inexorabletash/web-locks/issues/45 to track it, and will get to it soon.
Rick Byers
Jul 3, 2018, 6:37:50 PM7/3/18
to Joshua Bell, Boris Zbarsky, blink-dev
Sounds like there's a good path forward here to likely interop. LGTM2 to ship.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j4yGGBUiYWdH5o_xH3QTeSPg7rA0%3D9rKt--D-8o13jAvg%40mail.gmail.com.
Yoav Weiss
Jul 4, 2018, 1:45:47 AM7/4/18
to Rick Byers, Joshua Bell, Boris Zbarsky, blink-dev
LGTM3
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY89o3qTezegKjym0ZdRLrhpPyxOXL95EyarRyE_648%3DTg%40mail.gmail.com.
Anne van Kesteren
Jul 25, 2018, 8:31:39 AM7/25/18
to Darin Fisher, Joshua Bell, Boris Zbarsky, blink-dev
On Thu, Jun 28, 2018 at 10:02 PM, Darin Fisher <da...@chromium.org> wrote:
> I suppose one could approximately think of a lock as shared memory. From
> that viewpoint, storage scope is sensible?
As long as you don't equate shared memory here with SharedArrayBuffer,
> I suppose one could approximately think of a lock as shared memory. From
> that viewpoint, storage scope is sensible?
which has a very different scope. 😊
(Another issue here is that some browsers double key third-party
(<iframe>) storage.)
--
https://annevankesteren.nl/
Reply all
Reply to author
Forward
0 new messages