ep149 Monthly Platform 202404
- published_at
- 2024-04-27
- guest
- @myakura
- toc
-
headings
Theme
The theme of episode 149 is the Monthly Platform for April 2024.
Show Note
Chrome Trends
Stable: 124
Updates
-
New in Chrome 124
- https://developer.chrome.com/blog/new-in-chrome-124
- Use declarative shadow DOM in JavaScript
- WebSocket Stream API
- View transitions improvements
- And more!
- Further reading
- Subscribe
- Chrome 124 | Release notes
- What's new in DevTools, Chrome 124
-
Chrome 125 beta
- https://developer.chrome.com/blog/chrome-125-beta
-
CSS
- CSS Anchor Positioning
- CSS stepped value functions: round(), mod(), and rem()
- Remove discontinuity for Oklab and Oklch colors with lightness of nearly 100% or 0
- Used color scheme root scrollbars
-
HTML
- Keyboard-focusable scroll containers
- Declarative shadow DOM serialization
-
Web APIs
- Additions to the Attribution Reporting API
- The Compute Pressure API
- Accept HTTP(S) URLs when constructing WebSocket
- Extending Storage Access API (SAA) to non-cookie storage
- FedCM CORS requirement on ID assertion endpoint
- Interoperable mousemove default action
- Updates to the Shared Storage API
-
Chrome Apps
- Direct Sockets API in Chrome Apps
-
New origin trials
- FedCM Button Mode API and Use Other Account API
- Foldable APIs
- Media Previews opt-out
- Deprecation trial for prefixed HTMLVideoElement Fullscreen properties and methods
- Skip preload scanning
-
Deprecations and removals
- Remove "window-placement" alias for permission and permission policy "window-management"
- Removal of Enterprise policy: NewBaseUrlInheritanceBehaviorAllowed
- Removal of prefixed HTMLVideoElement Fullscreen properties and methods
- What's New in WebGPU (Chrome 124)
Intents
- Ship: Declarative shadow DOM serialization
- Ship: CSS Stepped Value Functions
- Ship: Attribution Reporting Feature Bundle: Additional Verbose Debug Reports, Further Gating Source Verbose Debug Reports, Splitting the Attribution Rate Limit
- Ship: CSS Anchor Positioning
- Ship: FedCM: Credentialed requests will no longer send SameSite=Strict cookies
- Ship: Gamepad API Trigger-Rumble Extension
- Ship: Support Cross-Origin Shared Storage Worklets
- Ship: URL.parse()
- Ship: WebGLObject Web IDL superinterface
-
Ship: Stable Bare Declarations (@nest)
- https://groups.google.com/a/chromium.org/g/blink-dev/c/prg4CN0eEGg
- An attempt to solve shifting up (hoisting) in CSS Nesting
- A rule for wrapping ordinary declarations that come after a nested block
- Discussion is scattered across the CSSWG and other standards-positions
- Prototype and Ship: toJSON for GeolocationCoordinates and GeolocationPosition
- Prototype: Document-Isolation-Policy
- Prototype: ::scroll-marker and ::scroll-markers for Carousel
- Prototype: Future browsing context group dependency hint
- Prototype: headingstart attribute.
-
Prototype: Importmap integrity
- https://groups.google.com/a/chromium.org/g/blink-dev/c/O2UR3kb-HcI
- Yoav Weiss "Trying to gather a web developer signal - do y'all care about subresource integrity for dynamic imports?"
- https://twitter.com/yoavweiss/status/1778067431417954803
- Prototype: Storage Access API Headers
- Prototype: Third-party Cookie Grace Period Opt-Out
- Prototype: Web Install API
- Prototype: Audio Output Devices API: setDefaultSinkId()
- Prototype: Web Translation API
- Experiment: Foldable APIs (combo of Device Posture and Viewport Segments APIs)
- Experiment: Protected Audience Bidding & Auction Services
- Experiment: FedCM Bundle 6: Continuation API, Scope API, Scaling Well-Known, Custom account labels
- Web-Facing Change PSA: Support "color-interpolation: linearrgb" on SVG gradients
- FYI: Shared Storage API data storage limits updated
- Extend Reverse Origin Trial: Trial for SharedArrayBuffers in non-isolated pages on Desktop platforms
- PSA: Direct Sockets in Chrome Apps
- Ready for Developer Testing: Media Previews opt-out
- Q1 2024 Summary from Chrome Security
Other
-
web.dev
-
blog
- New to the web platform in March
- Learning from you about AI
- Introducing Learn JavaScript
- The align-content property for block layouts is now part of Baseline
- The Intl.Segmenter object is now part of Baseline
-
article
- CSS color-scheme-dependent colors with light-dark()
- What is Artificial Intelligence?
- Ethics and AI
- Meet the Web.dev AI Team
- Upgrade your site search: Contextual answers with generative AI
- Play the Chrome dino game with your gamepad
- google for developers
-
google developer japan blog
- Google Developers Japan: We are holding a passkey hackathon
-
chrome developer blog
- The fetchLater API Origin Trial
- Goodbye JS Profiler, profiling CPU with the Performance panel
- Version rollbacks in the Chrome Web Store Developer Dashboard
- Navigation types now available in CrUX
- Fun & Powerful: Intro to Chrome DevTools
- Access to MIDI devices now requires user permission
- Origin trial for Foldable APIs
- What's happening in Chrome Extensions?
- The Private Network Access (PNA) for non-secure contexts deprecation trial is ending-implement the PNA permission prompt
-
chromium blog
- Chromium Blog: Fighting cookie theft using device bound sessions
- canary
-
google security blog
- Google Online Security Blog: Address Sanitizer for Bare-metal Firmware
-
Google Online Security Blog: Google Public DNS's approach to fight against cache poisoning attacks
- https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html
- A guide to DNS cache poisoning countermeasures
- Randomizing the query source port / query ID
- DNS Cookie
- Case randomization
- DNS over TLS
- DNS operators should adopt at least one of these
-
Google Online Security Blog: Uncovering potential threats to your web application by leveraging security reports
- https://security.googleblog.com/2024/04/uncovering-potential-threats-to-your.html
- How Google collects CSP reports
- Also covers techniques for filtering noise out of the reports to focus on real problems
- For example, counting duplicate IPs with an estimation method called HyperLogLog
- search blog
-
v8
- https://v8.dev/
- The V8 Sandbox · V8
- Justin Fagnani leaves Google
Firefox Trends
Stable: 125.0.2
Updates
- Firefox 125.0.1, See All New Features, Updates and Fixes
-
Firefox 125 for developers - Mozilla | MDN
- https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/125
- align-content on block
- Intl.Segmenter
- Popover
- AV1 on EME
- 1892069 - dom.block_download_insecure causes a different file to download from a website
- Switch to Container Tabs - These Weeks in Firefox: Issue 157 - Firefox Nightly News
- Customizing Reader Mode - These Weeks in Firefox: Issue 158 - Firefox Nightly News
-
Wall to Wall Improvements - These Weeks in Firefox: Issue 159 - Firefox Nightly News
- https://blog.nightly.mozilla.org/2024/04/23/wall-to-wall-improvements-these-weeks-in-firefox-issue-159/
- Moving Brotli decompression off the main thread improved LCP by 10% at the 50th percentile
-
Exploring improvements to the Firefox sidebar - Firefox Nightly News
- https://blog.nightly.mozilla.org/2024/04/15/exploring-improvements-to-the-firefox-sidebar/
- They appear to be considering sidebar enhancements such as vertical tabs
- Firefox Nightly Now Available for Linux on ARM64 - Firefox Nightly News
Intents
- Ship: CSS zoom property, Element.currentCSSZoom (and partially unship -moz-transform)
- Prototype: CloseWatcher
- Prototype: TextEvent and textInput event
- Prototype: Relative Color Syntax
- Prototype: CSS Margin rules
- Prototype: Scoped Styles (@scope)
- Prototype: @starting-style rule in CSS Transitions Level 2
- Unship: <marquee> start/finish/bounce events
- Unship: [mathml] Automatic vertical centering of some basic binary operators
- PSA: using fetch() or new XMLHttpRequest() from Firefox's privileged (chrome) code will now not send cookies / credential information by default
- ESMification: Out-of-tree migration
Newsletter
- Performance Testing Newsletter, Q1 Edition
- Engineering Effectiveness Newsletter (February/March 2024 Edition)
- Firefox WebDriver Newsletter - 125 - Firefox Developer Experience
MDN / Open Web Docs
- Open Web Docs Impact and Transparency Report 2023
- MDN is showing a banner for a Kickstarter called Web Awesome
- Setting up service workers on Vultr | MDN Blog
- CSS containment
Standard Position
- Looking at the Issues and PRs closed this month
-
positive
- getHTML() and the serializable concept · Issue #1006 · mozilla/standards-positions
- MediaRecorder: Support mp4 container with avc1 and mp4a.40.2 codecs for MediaRecorder · Issue #996 · mozilla/standards-positions
- [css-color-adjust-1] Root non-overlay scrollbars used color scheme · Issue #995 · mozilla/standards-positions
- CSS margin-trim property · Issue #994 · mozilla/standards-positions
-
negative
- autocomplete=device-eid and =device-imei · Issue #1002 · mozilla/standards-positions
Other
- Google's Protected Audience Protects Advertisers (and Google) More Than It Protects You
- Protected Audience Privacy Analysis
- Empowering Choice: Firefox Partners with Qwant for a Better Web
- Rapidly Leveling up Firefox Security - Mozilla Security Blog
- Porting a cross-platform GUI application to Rust - Mozilla Hacks - the Web developer blog
- Prototype even faster with the Gradio UI for Figma component library - Mozilla Hacks - the Web developer blog
- Servo and SpiderMonkey - Servo, the embeddable, independent, memory-safe, modular, parallel web rendering engine
- Bug 1871963: Implement zstd content-encoding support
Safari Trends
Stable: 17.4
Updates
-
Help us invent CSS Grid Level 3, aka "Masonry" layout
- https://webkit.org/blog/15269/help-us-invent-masonry-layouts-for-css-grid-level-3/
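- The Masonry discussion is struggling to make progress, and they are asking for developer feedback
- In particular, whether this should be considered a derivative of Display Grid
- And whether there is motivation to use it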
- Optimizing WebKit & Safari for Speedometer 3.0
-
Release Notes for Safari Technology Preview 192
- https://webkit.org/blog/15260/release-notes-for-safari-technology-preview-192/
- Added support for View Transitions. (276426@main) (123128491)
- Added support for MSE in workers. (276389@main) (123052315)
- Added support for URL.parse(). (276656@main) (125376520)
- Added support for shadowRootDelegatesFocus and shadowRootClonable to template. (276631@main) (125401993)
- Updated to use the web extension architecture in open-source WebKit code. Web extension authors are encouraged to test your extensions and report issues. (123908710)
-
Release Notes for Safari Technology Preview 193
- https://webkit.org/blog/15375/release-notes-for-safari-technology-preview-193/
- Fixed inconsistent output of Function.prototype.toString for accessor properties. (276904@main) (125739577)
- Added support for PopStateEvent's hasUAVisualTransition. (277001@main) (125849073)
Standard Positions
- Looking at what was closed this month
-
support
- Digital Credentials API · Issue #332 · WebKit/standards-positions
-
oppose
- Page Embedded Permission Control · Issue #270 · WebKit/standards-positions
Other
-
www.nhl.com - design is broken · Issue #135984 · webcompat/web-bugs
- https://github.com/webcompat/web-bugs/issues/135984
- nhl.com broke when Safari removed JPEG2000 support
Edge Trends
Stable: 124
Updates
- Introducing the Edge 2024 web platform top developer needs dashboard - Microsoft Edge Blog
- Microsoft Edge - 2024 web platform top developer needs
- Improving text editing on the web, one feature at a time - Microsoft Edge Blog
Other
- Browser Security Bugs that Aren't: JavaScript in PDF - text/plain
- A Slow 10K - text/plain
- Mouse Gestures in Edge - text/plain
- We've just launched Microsoft Store installers for web
WHATWG/W3C Trends
Draft
- Recommendation
- Proposed Recommendation
- Candidate Recommendation
- Working Draft
- First Public Working Draft
Open/UI
Other
- Vision for W3C
- Breakouts Day 2024 Recap
-
Warn that the XML syntax is not recommended by sideshowbarker · Pull Request #10239 · whatwg/html
- https://github.com/whatwg/html/pull/10239
- It is now explicitly stated that the XML syntax is not maintained in the spec and is not recommended
- Declarative Shadow DOM for XML Syntax · Issue #10237 · whatwg/html
-
Mark Nottingham: "On the Shinkansen, hyperventilating..." - techpolicy
- https://techpolicy.social/@mnot/112228877734080748
- What mnot saw on the Shinkansen on the way to the AC meeting held in Hiroshima
TC39 Trends
Meeting
- 2024-02
- TC39 100th Meeting
- WinterCG's work looks likely to be done in Ecma's TC55
-
Intl.MessageFormat: I have some questions
- MF2 is being specified in Unicode CLDR
- Discussion on whether to wait until the work is finished at Unicode
-
ArrayBuffer transfer for stage 4
- Stage 4
- revisit Promise.try
-
Uint8Array Base64 for stages 2.7 and 3
- From static to prototype
- Stage 3
-
ESM Phase Imports for stage 1
- https://docs.google.com/presentation/d/1Vxx9cohxn9MgvLL3607LFDBAngcyQUb8PlaPo1c7EsU/edit#slide=id.p
- Source phase import is motivated by passing to the WASM constructor
- From there, they want to obtain JS modules too
- An ESM module can be loaded and passed to a Worker
- Stage 1
-
"Discard" (void) Bindings for stage 1
- Use void for variables that are to be discarded
- Handy for things like destructuring
- Stage 1
Proposals Diff
- https://github.com/tc39/proposals/compare/main@{2024-02-01}...main@{2024-03-01}
- https://tc39.github.io/beta/
-
0->1
- Iterator Unique
- Micro and mini waits
- Iterator chunking
- ESM Phase Imports
- Function and Object Literal Element Decorators
- Discard void Bindings
-
1->2
- Joint Iteration
- Promise.try
- ShadowRealm
- Improved Escapes for Template Literals
- 2->2.7
-
2.7->3
- Uint8Array to/from Base64
-
3->4
- ArrayBuffer transfer
-
Inactive
- Math Extension
- Generator Arrow function
- Math.signbit
New Proposals
- proposal-signals/proposal-signals: A proposal to add signals to JavaScript.
Other
- WinterCG
WinterCG Trends
- Covered only in months with a meeting or major developments
Meeting
- 2024-04-04 meeting · Issue #64 · wintercg/admin
IETF Trends
IETF 119
-
HTTPWG
- https://datatracker.ietf.org/meeting/119/session/httpbis/
- https://datatracker.ietf.org/meeting/119/materials/minutes-119-httpbis-00
-
Cookiebis
- Last Call soon
-
Unprompted Authentication
- Renamed to Signature HTTP Authentication Scheme
-
Query Method
- No progress at all
-
Resumable Uploads
- Has become quite complex
- Defines application/partial-upload
-
Retrofit Structured Fields
- Nearly finished as far as the spec goes
- Want to resume the actual work?
-
Cache Group
- Revalidating an entire group is hard and the need is unclear, so it is being dropped
- Everything else looks ready for WGLC
-
Compression Dictionary Transport
- A few open issues
-
HTTP/3 On Streams
- UDP still does not get through in some places, so HTTP/3 over TCP seems necessary
- Seems to have a fair amount of support
-
Reverse HTTP Tunnel
- Looks quite difficult, so more discussion is needed
- QUIC
WG
-
RFC
- RFC 9429 on JavaScript Session Establishment Protocol (JSEP)
- Last Call: draft-ietf-tls-keylogfile-01.txt (The SSLKEYLOGFILE Format for TLS) to Informational RFC
-
Work
- WGLC Review: Connect-TCP from Mike Bishop
- I-D Action: draft-ietf-httpbis-secondary-server-certs-00
- Compression dictionary issues for broader discussion
- I-D Action: draft-ietf-httpbis-sfbis-06.txt
- Meeting
Other
- Review of TLS's ECH HTTP-related I-Ds from Sean Turner on 2024-04-01 (ietf-http-wg@w3.org from April to June 2024)
- Content-Encoding and MITM devices from Patrick Meenan
CDN Trends
Cloudflare
-
Cloudflare Calls: millions of cascading trees all the way down
- https://blog.cloudflare.com/cloudflare-calls-anycast-webrtc/
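- An SFU for WebRTC
- Takes care of all the tedious parts such as connection speed tuning and connectivity
- There is no concept of rooms, so app developers can use it in any configuration they like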
- Developer Week 2024 wrap-up
-
How we ensure Cloudflare customers aren't affected by Let's Encrypt's certificate chain change
- https://blog.cloudflare.com/shortening-lets-encrypt-change-of-trust-no-impact-to-cloudflare-customers/
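- On September 30, 2024, the cross-signed root with IdenTrust ends and chains move to ISRG Root X1
- As a result, older devices may no longer be able to connect
- CF does not accept this because of its No Browser left Behind policy
- So unless LE was explicitly chosen, certificates will automatically be obtained from a CA other than LE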
-
Improving authoritative DNS with the official release of Foundation DNS
- https://blog.cloudflare.com/foundation-dns-launch/
- Cloudflare's authoritative DNS implementation has been released
- An Internet traffic analysis during Iran's April 13, 2024, attack on Israel
- DDoS threat report for 2024 Q1
- Cloudflare named in 2024 Gartner ® Magic Quadrant ™ for Security Service Edge
Fastly
-
Let's Encrypt Chain of Trust Impact
- https://www.fastly.com/blog/lets-encrypt-chain-of-trust-impact
- References to the cross-signed root stop on 6/6
- One Fastly - Unified Login Experience
-
BoringSSL to make TLS more secure
- https://www.fastly.com/blog/boringssl-to-make-tls-more-secure
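- The story of migrating from OpenSSL to BoringSSL
- It became simpler and more secure
- The small differences were covered and it was replaced with a better implementation
- There are no versions, so analyzing updates is hard, but it was worth it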
-
TLS: More secure; always fast
- https://www.fastly.com/blog/tls-more-secure-always-fast
- Introduced Neverbleed alongside the BoringSSL migration
- How they tuned it, for example by making it asynchronous, so that performance would not degrade
Other
- Latency numbers every frontend developer should know - Vercel
Security Trends
- Design choices for post-quantum TLS
-
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
- https://openwall.com/lists/oss-security/2024/03/29/4
- A sophisticated backdoor had been planted in xz
- xz/liblzma: Bash-stage Obfuscation Explained - gynvael.coldwind//vx.log
-
GitHub comments abused to push malware via Microsoft repo URLs
- https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/
- Malware was being distributed via GitHub
- The URLs sit under github.com/microsoft/, but this abuses how GitHub works
- Files uploaded in a comment get the repository name attached to them
- GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining - Avast Threat Labs
- A supplement to NIST SP 800-63B has been released: passkeys are added - @_Nat Zone
- CA Incident Transparency and Public Audits
Related Trends
- April Conference News | Igalia
- In-App Browsers: The worst erosion of user choice you haven't heard of - Open Web Advocacy
- Considerations for AI Opt-Out
- Chromium Backend Beta - Wolvic
Cookie Trends
-
Update on the plan for phase-out of third-party cookies on Chrome
- https://privacysandbox.com/intl/en_us/news/update-on-the-plan-for-phase-out-of-third-party-cookies-on-chrome/
- 3rd Party Cookie Deprecation is postponed.
- The new date is undecided, but at the very least the deprecation will not be completed within 2024.
Events
-
May
- 14: Google I/O 2024
- 21-23 Microsoft Build
-
June
- 3-5: Web Engine Hackfest
- 10: WWDC
Wrap Up
-
Chrome
-
124
- setHTMLUnsafe/parseHTMLUnsafe
- WebSocketStream
- ReadableStream async iteration
- HTTP priority header
- Sec-CH-UA-Form-Factors
- PWA install criteria are going away
- document render blocking
- Release notes have arrived on dcc
-
125 Beta
- CSS Anchor Positioning
- CSS round()/mod()/rem()
- Compute Pressure API
-
Ship
- CSS round()/mod()/rem()
- CSS Anchor Positioning
- URL.parse()
- Stable Bare Declarations (@nest)
-
Prototype
- Document-Isolation-Policy
- headingstart attribute
- Web Install API
- Web Translation API
-
Experiment
- FedCM Bundle 6
-
Chrome Developers
- fetchLater Origin Trial
-
Chromium blog
- Device Bound Session Credentials
-
other blogs
- Google Public DNS approach against cache poisoning
- Google's CSP reports
- other
-
Firefox
-
125
- align-content on block
- Intl.Segmenter
- Popover
-
Ship
- CSS zoom
-
Prototype
- Relative Color Syntax
- @scope
- @starting-style
-
Standard Position
-
positive
- DSD serialization
- margin-trim
-
negative
- autocomplete=device-eid/device-imei
-
other
- Protected Audience analysis
- zstd
-
Safari
-
TP 192
- View Transitions
- URL.parse()
-
blog
- Masonry layout
-
Standard Position
-
positive
- Digital Credentials
-
negative
- Page Embedded Permission Control
-
Edge
- Edge 2024 web platform developer needs dashboard
-
W3C/WHATWG
- Visions for W3C Note
-
Other
- XHTML is not recommended
-
TC39
- 100th meeting
- TC55 WinterCG
- ArrayBuffer transfer stage 4
- revisit Promise.try
- Uint8Array Base64 stage 3
- ESM Phase Imports stage 1
- void bindings stage 1
- proposal-signals
- WinterCG
-
IETF
- Cookiebis: Last Call soon
- Query Method: no progress at all
- Resumable Uploads: has become complex
- Retrofit SFV: spec is nearly complete
- Cache Group: WGLC is near
- Proposal for HTTP/3 on TCP
- Reverse HTTP Tunnel: looks difficult
-
CDN Trends
- CF: efforts ahead of the end of the Let's Encrypt cross-signed root
- CF: Foundation DNS released
- CF Gartner Magic Quadrant
- Fastly: BoringSSL migration
- Fastly: Neverbleed introduced
-
Security Trends
- xz backdoor
- Malware via GitHub
-
Related Trends
- Wolvic Chromium backend beta
-
Cookie Trends
- 3PCD postponed