ep70 Monthly Web 202007
- published_at
- 2020-08-11
- guest
- @shqld
- toc
Theme
The theme of episode 70 is Monthly Web for July 2020.
Show Note
Chrome Trends
- Stable: 84
- web.dev LIVE
- https://web.dev/live/
- Held over 3 days, with the schedule shifted each day to suit different regions
- All sessions were recorded
- web.dev LIVE wrap-up
- https://web.dev/live-wrap-up/
- Web Vitals
- tooling.report
- Privacy and security on the web
- Building a web with powerful capabilities
- What's new in Chrome DevTools and Lighthouse 6.0
- Chrome Devtools: new Issues tab, color deficiencies emulator, and Web Vitals support
- Lighthouse 6.0: New metrics, Core Web Vitals lab measurements, an updated Performance score, and new audits
- BlinkOn
- Announced as a virtual event
- When: November 17-19, 2020
- Where: Virtual - given that BlinkOn 13 was supposed to be held in Google Kirkland and that, historically, the majority of our attendees have been from the AMER region, this event will be hosted in the Pacific Time Zone
- https://groups.google.com/a/chromium.org/g/blink-dev/c/zNDLekIrSQE/
Updates
- New in Chrome 84
- https://developers.google.com/web/updates/2020/07/nic84
- Users can start common tasks within your app, with App Icon Shortcuts.
- The Web Animations API adds support for a slew of previously unsupported features.
- Wake lock can prevent the screen from dimming or locking.
- The Content Indexing API helps surface content that is available offline.
- There are new origin trials for idle detection and Web Assembly SIMD.
- Same Site Cookie policy changes are starting to roll out again.
- Origin Trials
- Idle detection
- Web Assembly SIMD
- Chromium Blog: Chrome 85: Upload Streaming, Human Interface Devices, Custom Properties with Inheritance and More
- https://blog.chromium.org/2020/07/chrome-85-upload-streaming-human.html
- Fetch Upload Streaming
- WebHID API
- Windows Support for getInstalledRelatedApps()
- @property
- Origin Trials
- Declarative Shadow DOM
- RTCRtpEncodingParameters.adaptivePtime Property
- Portals
- App Shortcuts
- Autoupgrade Mixed Content
- AVIF Image Decode
- Changes to Persistent Storage for Installed Web Apps
- CSS
- Color Adjust: Remove 'only' and Support 'dark' or 'light' for color-scheme
- content-visibility Property
- counter-set
- Event Timing API
- Expose Picture-in-Picture Window in leavepictureinpicture event
- Named pages with page-orientation
- Referrer Policy: Default to strict-origin-when-cross-origin
- Update Fallback Content's Behavior for ImageInputType and HTMLImageElement
- Update the Behavior of the "disabled" Attribute for HTMLLinkElement
- Web Bluetooth writeValueWithResponse() and writeValueWithoutResponse()
- WebAssembly BigInt Integration
- WebAuthn getPublicKey(), getPublicKeyAlgorithm() and getAuthenticatorData()
- JavaScript
- JavaScript Logical Assignment Operators
- Promise.any() and AggregateError
- String.prototype.replaceAll()
- Deprecations and Removals
- AppCache Removal Begins
- Reject insecure SameSite=None cookies
- Deprecations and removals in Chrome 85
- https://developers.google.com/web/updates/2020/07/chrome-85-deps-rems
- AppCache Removal Begins
- Reject insecure SameSite=None cookies
- Remove -webkit-box quirks from -webkit-line-clamp
- A new default Referrer-Policy for Chrome: strict-origin-when-cross-origin
- https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default
- The default referrer policy changes from no-referrer-when-downgrade to strict-origin-when-cross-origin
- Cross-origin requests now carry only the origin rather than the full URL (and nothing at all on an HTTPS to HTTP downgrade)
- Chromium Blog: More secure and convenient Autofill coming to Chrome
- Chromium Blog: Using Chrome to generate more accessible PDFs
- Ten modern layouts in one line of CSS
- Pixel-perfect rendering with devicePixelContentBox
- Official Google Webmaster Central Blog: The Rich Results Test is out of beta
- It's time to lazy-load offscreen iframes!
- Human interface devices on the web: a few quick examples
- Streaming requests with the fetch API
- The requestVideoFrameCallback() method
- @property: giving superpowers to CSS variables
- Relating site speed and business metrics
- Service worker caching and HTTP caching
- Handling navigation requests
- Reading and writing files and directories with the browser-nativefs library
- Performance monitoring with Lighthouse CI
- Capture Keys with the Keyboard Lock API
- Building a PWA at Google, part 1
- Referer and Referrer-Policy best practices
- Web on Android
- content-visibility: the new CSS property that boosts your rendering performance
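The referrer default change listed above, as an added example that is not code from the page or from Chrome: a small model of what the Referer header carries under the old default (no-referrer-when-downgrade) versus the new one (strict-origin-when-cross-origin), following the Referrer Policy spec's rules. Only those two policies are modelled (an assumption made to keep it short), and the sample page and target URLs are constructed for illustration.

```javascript
// Added example, not code from the page or from Chrome: models the Referer value
// under Chrome's old default (no-referrer-when-downgrade) and its new default
// (strict-origin-when-cross-origin). Only these two policies are modelled
// (assumption); the sample URLs at the bottom are constructed.

// Credentials and the fragment are never sent in a Referer, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Simplified "potentially trustworthy" check: https and localhost count as secure.
function isSecure(u) {
  return u.protocol === "https:" || u.hostname === "localhost";
}

// Returns the Referer header value for a request from `fromUrl` to `toUrl`,
// or null when no Referer header is sent at all.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = isSecure(from) && !isSecure(to); // https -> http
  const sameOrigin = from.origin === to.origin;

  switch (policy) {
    case "no-referrer-when-downgrade":
      // Full URL to everyone, except on a downgrade.
      return downgrade ? null : stripForReferrer(fromUrl);
    case "strict-origin-when-cross-origin":
      // Full URL same-origin, origin only cross-origin, nothing on a downgrade.
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(fromUrl) : from.origin + "/";
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// Side-by-side view of what one request leaks before and after the default change.
function compareDefaults(fromUrl, toUrl) {
  return {
    oldDefault: computeReferrer("no-referrer-when-downgrade", fromUrl, toUrl),
    newDefault: computeReferrer("strict-origin-when-cross-origin", fromUrl, toUrl),
  };
}

// Constructed sample: a page with a session token in its query string loading a
// third-party script, a same-origin image, and a plain-http legacy widget.
const page = "https://user:pw@shop.example/cart?session=abc123#items";
for (const target of [
  "https://cdn.thirdparty.example/widget.js",
  "https://shop.example/img/cart.png",
  "http://legacy.example/widget",
]) {
  console.log(target, compareDefaults(page, target));
}
```

Run it with node. The point to take away: under the new default a cross-origin request leaks only the origin, but a same-origin request still carries the full path and query, so a token in a URL is still exposed to every subresource on your own origin, and to any cross-origin destination for which the page explicitly sets a weaker policy.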
Intents
- Ship: Document-Policy header
- https://groups.google.com/a/chromium.org/g/blink-dev/c/Za159T1QOek/
- Document-specific features split out of Feature Policy
- Controls things such as sync XHR, image size and document size
- After this split, Feature Policy was renamed Permissions Policy
- Ship: Altitude/Azimuth for PointerEvents
- Ship: Cross-site back-forward cache on Android
- https://groups.google.com/a/chromium.org/g/blink-dev/c/S9qRFx4ozXk/
- Short term:
- Support cross-origin navigations in M86
- Support same-origin navigations in the next milestone
- Long term:
- Add support for more features to raise the BFCache hit rate, and add support for desktop platforms
- Work with Safari and Firefox to improve interoperability and standardize the behavior
- Android Chrome only; WebView is not included
- Also plans to expose, via DevTools, why a page was not restored from the back-forward cache, giving web developers information on how to optimize their sites
- Cache-Control: no-store disables bfcache for a page
- A JS-based opt-out API also seems to be in the works
- Ship: EME persistent-usage-record session
- Ship: WebAuthn PRF extension
- Ship: CSS ::marker pseudo-element
- Ship: Move location.fragmentDirective to document.fragmentDirective
- Ship: Subresource prefetching+loading via Signed HTTP Exchange
- Ship is required for Element.openOrClosedShadowRoot?
- Ship: percent-encode U+0020 SPACE when in URLs computed by custom protocol handlers
- Ship: New referrer policy default of strict-origin-when-cross-origin
- Ship: Add support for encoding CBR audio files with MediaRecorder
- Prototype and Ship: FetchEvent.handled
- Implement and Ship: ParentNode#replaceChildren API
- Prototype and Ship: toJSON() for MediaSettingsRange
- Prototype: Re-Enable SharedArrayBuffer (SAB) on Android gated behind COOP/COEP
- Implement and Ship: Pause HTML parser while loading stylesheets in <head>
- Implement and Ship: percent-encode the delete character when parsing URLs
- Prototype and Ship: Change MediaSettingsRange & PhotoCapabilities interfaces to dictionaries
- Prototype: Secure payment confirmation
- Prototype: jxl Content-Encoding
- Implement: Web Share API (Windows & Chrome OS)
- Prototype: Storage Pressure Event
- Prototype: Make system color keywords compute to themselves
- Prototype: New @font-face descriptors to override font metrics
- Prototype: IndexedDB putAll
- Prototype: VisibilityStateEntry
- Prototype: various features of WebAuthn level two and CTAP2.1
- Experiment: Declarative Shadow DOM
- https://groups.google.com/a/chromium.org/g/blink-dev/c/DuvhXyYo7Pc
- A declarative syntax for Shadow DOM
- Extend Origin Trial: ForceLoadAtTop
- https://groups.google.com/a/chromium.org/g/blink-dev/c/yG0JzbEUoX4/
- Lets a page disable scroll-to-text-fragment via Document Policy
- Deprecate and Remove: Comma separator in iframe allow attribute
- Deprecate and Remove: <meta name=referrer content=list,of,policies>
- Intent stage "Evaluate readiness to ship": web-share permission policy
- web-platform-tests quarterly update - Q2 2020
- PSA: A new project list page for Monorail
v8
- V8 release v8.5 · V8
- https://v8.dev/blog/v8-release-85
- Promise.any and AggregateError
- String.prototype.replaceAll
- Logical assignment operators
- Liftoff shipped on all platforms
- Multi-value support shipped
- Support for JS BigInts
Other
- Contributions to Web Platform Interoperability (First Half of 2020) - The AMP Blog
- Official Google Webmaster Central Blog: Prepare for mobile-first indexing (with a little extra time)
Firefox Trends
- Stable: 79
Updates
- These Weeks in Firefox: Issue 75
- These Weeks in Firefox: Issue 76
- Firefox Security Newsletter - Q2 2020
Intents
- Ship: JavaScript export * as ns from "mod"; syntax
- Ship: unprefixed appearance property
- Ship: Animation composite modes
- Ship: Redirect Tracking Protection (formerly ETP Cookie Purging)
- https://groups.google.com/g/mozilla.dev.platform/c/KUVVAroUv_Y/m/vKULscO_CQAJ
- Rolled out to only 1% of users for now, as a Finch-style experiment
- Ship: CSS overflow:clip
- Prototype: Sanitizer API
- Prototype: cross-fade
- https://groups.google.com/g/mozilla.dev.platform/c/uJfdlv1qKtQ
- A function for applying effects such as filters to an image by cross-fading
- Prototype: prefers-contrast
- Prototype: Payment Handler API
- Intent to change default try selector from syntax to auto (ACTION NEEDED for try syntax users)
- Unship: ::-moz-focus-outer pseudo-element.
Other
- Mozilla Joins New Partners to Fund Open Source Digital Infrastructure Research
- Mozilla Puts Its Trusted Stamp on VPN
- Sustainability needs culture change. Introducing Environmental Champions.
- A look at password security, Part I: history and background
- A look at password security, Part II: Web Sites
- A look at password security, Part III: More secure login protocols
- Firefox 79 includes protections against redirect tracking - Mozilla Security Blog
- Latest Firefox rolls out Enhanced Tracking Protection 2.0; blocking redirect trackers by default - The Mozilla Blog
- MDN Web Docs: 15 years young - Mozilla Hacks - the Web developer blog
- Safely reviving shared memory - Mozilla Hacks - the Web developer blog
- Testing Firefox more efficiently with machine learning - Mozilla Hacks - the Web developer blog
- Adding prefers-contrast to Firefox - Mozilla Hacks - the Web developer blog
- Changes to SameSite Cookie Behavior - A Call to Action for Web Developers - Mozilla Hacks - the Web developer blog
- https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
- About SameSite=Lax by default
- Firefox 79: The safe return of shared memory, new tooling, and platform updates - Mozilla Hacks - the Web developer blog
- Reducing TLS Certificate Lifespans to 398 Days - Mozilla Security Blog
- https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
- Three reasons for shortening certificate validity from 825 days to 398 days:
- Long lifetimes delay the response to incidents. When certificates lasted 5 years, it took 5 years to get rid of MD5 after the problem was found; when the maximum was 3 years, it took 3 years to get rid of SHA-1.
- The longer the lifetime, the longer an attacker holding a compromised certificate can MITM.
- A certificate survives giving up the domain. When a domain changes owners, the previous owner's certificate stays valid until it expires, so they can MITM the new owner. Also, if a certificate's SAN lists domains you do not own, revoking it affects every domain on it, which can be used as a DoS.
- Mozilla plans to update its Root Store Policy to apply this, taking effect on 2020-09-01.
- New Blog Post on 398-Day Certificate Lifetimes
- Performance Improvements via Formally-Verified Cryptography in Firefox - Mozilla Security Blog
- Extensions in Firefox 79
- Call for Participants - W3C/OGC workshop series on Maps for the Web
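The Chrome 85 removal "Reject insecure SameSite=None cookies" in the Chrome section and the Mozilla Hacks post on Lax-by-default above describe the same two rule changes. As an added example that is not code from either browser or from the linked posts, here is a minimal model of how a browser following those rules stores a cookie and decides whether to attach it to a request. Assumptions: Set-Cookie parsing is simplified (no Expires, Max-Age, Domain or Path handling), an unrecognised SameSite value is treated like an absent one, the short "Lax+POST" grace period both browsers grant to freshly set cookies is left out, and the sample headers are constructed.

```javascript
// Added example, not code from Chrome, Firefox or the linked posts: models
// (1) a SameSite=None cookie without Secure is rejected, and
// (2) a cookie with no SameSite attribute is treated as Lax.
// Assumptions: simplified Set-Cookie parsing, unknown SameSite values treated as
// absent, no "Lax+POST" grace window; the sample headers below are constructed.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair.trim() : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, v] = part.split("=");
    attrs[k.trim().toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name, value, attrs };
}

// Decide whether the cookie is stored, and with which effective SameSite mode.
function storeCookie(header) {
  const cookie = parseSetCookie(header);
  const secure = cookie.attrs.secure === true;
  let mode = typeof cookie.attrs.samesite === "string" ? cookie.attrs.samesite.toLowerCase() : null;
  if (mode !== null && !["strict", "lax", "none"].includes(mode)) mode = null; // unknown value
  if (mode === "none" && !secure) {
    return { accepted: false, reason: "SameSite=None cookie rejected: missing Secure" };
  }
  return {
    accepted: true,
    name: cookie.name,
    value: cookie.value,
    sameSite: mode === null ? "lax" : mode, // absent attribute now defaults to Lax
    defaulted: mode === null,
  };
}

// Decide whether a stored cookie is attached to a request.
// ctx: { sameSite: request is same-site, topLevel: top-level navigation, method }
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
function attachCookie(stored, ctx) {
  if (ctx.sameSite) return true;
  switch (stored.sameSite) {
    case "strict": return false;
    case "lax": return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase());
    case "none": return true;
  }
  return false;
}

// Constructed headers a server might emit before and after adapting.
const headers = [
  "sid=abc123; SameSite=None",          // rejected: no Secure
  "sid=abc123; SameSite=None; Secure",  // accepted, still sent cross-site
  "sid=abc123; Secure; HttpOnly",       // no SameSite: now defaulted to Lax
  "csrf=tok; SameSite=Strict",          // never sent cross-site
];
const crossSiteForm = { sameSite: false, topLevel: true, method: "POST" };
for (const h of headers) {
  const r = storeCookie(h);
  console.log(h, "->", r.accepted
    ? `${r.sameSite}, sent on a cross-site POST: ${attachCookie(r, crossSiteForm)}`
    : r.reason);
}
```

The cross-site POST case is the one that breaks real deployments: a session cookie set without any SameSite attribute used to ride along with a cross-site form post or OAuth callback and now does not, which is why both posts tell developers to set SameSite=None; Secure explicitly where that flow is intended.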
Safari Trends
- Stable: 13.1.1
Updates
- Release Notes for Safari Technology Preview 110
- https://webkit.org/blog/10929/release-notes-for-safari-technology-preview-110/
- Added a functional WebRTC VP9 codec (r263734, r263820)
- Allowed registering VP9 as a VT decoder (r263894)
- Added support for freeze and pause receiver stats (r263351)
- Added MediaRecorder.onstart support (r263671, r263896)
- Enabled VTB required low latency code path (r263931)
- Improved UI for PIN entry for security keys
- Keyframe animation with infinite iteration count doesn't show up in the Animations timeline (r263400)
- Changed to require a <form> to be connected before it can be submitted (r263624)
- Follows the HTML spec: a form that is not connected to the document is not submitted
- Added referrerpolicy attribute support for <link> (r263356, r263442)
- Allow setting empty host/hostname on URLs if they use file scheme (r263971)
- Allow the async clipboard API to write data when copying via menu action or key binding (r263480)
- Changed to check for mode="showing" to consider a text track as selected in the tracks panel (r263802)
- Implemented relevant simulated key presses for custom ARIA widgets for increment and decrement (r263823)
- Enabled RelativeTimeFormat and Locale by default (r263227)
- Added the capability to call the Storage Access API as a quirk, on behalf of websites that should be doing it themselves (r263383)
- Updated text manipulation to exclude text rendered using icon-only fonts (r263527)
- Added a new text manipulation heuristic to decide paragraph boundary (r263958)
- Enabled referrer policy attribute support by default (r263274)
- Added a tooltip to the icon of resources replaced by a local override explaining what happened (r263429)
- Allow selecting text of Response (DOM Tree) in Network tab (r263872)
- Adjusted the height of title area when Web Inspector is undocked to match macOS Big Sur (r263377, r263402)
- Release Notes for Safari Technology Preview 111
- https://webkit.org/blog/10967/release-notes-for-safari-technology-preview-111/
- Added an error message if unable to fetch shader source in the Canvas tab (r264045)
- Added the capability to open a popup and get user interaction so we can call the Storage Access API as a quirk, on behalf of websites that should be doing it themselves (r263992)
- Implemented user action specifications for Escape action (r264000)
- Speculation in JavaScriptCore
- https://webkit.org/blog/10308/speculation-in-javascriptcore/
- Unlike V8's write-ups, it explains JIT optimization as two phases, profiling and speculation
- Despite the title "speculation", it is mostly about the JIT
- Covers the overall structure of the optimizer chain (?) as well as the individual optimizations and techniques
- The impression is that its direction differs quite a bit from V8's
Position
- Request for position on Import Conditions
- Requesting a position on Document Policy
- Request for position on Azimuth/Altitude for Pointer Events
- Request for position on "Make system colors compute to themselves"
- Request for Webkit position for Imperative Shadow DOM Distribution API
- Request for position on MediaRecorder constant bitrate audio encoding
Other
- Big updates in Safari 14 with Ronak Shah and Beth Dakin (The Changelog #400) - Changelog
- https://changelog.com/podcast/400
- Safari engineers talk about Safari 14 on a podcast
Edge Trends
- Stable:
Updates
- Introducing the Microsoft Edge enterprise roadmap and release schedule
- Introducing the Storage Access API
- Chakra
Other
- Revealing Passwords - text/plain
- Web Proxy Auto Discovery - text/plain
- Introducing the Microsoft Edge enterprise roadmap and release schedule
- Reducing distractions with quiet notification requests
- Multitasking improvements in Windows 10 and Microsoft Edge
- What's new in Microsoft Edge - July 2020 / Microsoft Inspire Edition
WHATWG/W3C Trends
- Recommendation
- Proposed Recommendation
- [wbs] response to 'Call for Review: Proposed W3C Process Document; Proposed W3C Patent Policy'
- Candidate Recommendation
- Updated Candidate Recommendation: Media Queries Level 4
- Working Draft
- First Public Working Draft
- Working Group Note: Web App Manifest - Application Information
- Chartering
- Other
- WEBRTC WG Virtual Interim
- Starting to implement Cache-Status
- Getting started with a history, skill guide and how-to of web standards. - Web Platform Contribution Guide documentation
- https://wpc.guide/
- https://bocoup.com/blog/introducing-the-web-platform-contribution-guide
- A guide to contributing to W3C/WHATWG
- Missed in the May episode
TC39 Trends
- Meeting
- Proposals Diff
- https://github.com/tc39/proposal-bind-operator
- 0->1
- await operations
- ResizableArrayBuffer and GrowableSharedArrayBuffer
- Import Attributes -> Import Conditions (-> import assertions)
- 1->2
- Intl.NumberFormat v3
- .item
- Record & Tuple
- JSON.parse source text access
- JSON Modules
- 2->3
- Intl.Segmenter
- 3->4
- Promise.any and AggregateError
- Intl.ListFormat
- Intl.DateTimeFormat dateStyle & timeStyle
- Logical Assignment
- Numeric Separators
- New Proposals
- Other
IETF Trends
- IETF108
- materials
- httpwg
- https://github.com/httpwg/wg-materials/
- no meeting
- quicwg
- webtrans
- tlswg
- wpack
- privacypass
- dispatch
- secdispatch
- RFC
- IETF Last Call
- WG Last Call
- Call for Adoption
- I-D Action
- Draft
- Automatic Certificate Management Environment (ACME) Onion v3 Identifier Validation Extension
- Attribution Option for Extension Header Insertion
- Enabling application policy-awareness in Multipath QUIC
- Greasing HTTP
- https://tools.ietf.org/html/draft-nottingham-http-grease-00
- Guidelines for greasing HTTP, plus definitions of how to GREASE header fields and cache directives
- A Proposed Model for RFC Editing and Publication
- Using TLS Application-Layer Protocol Settings (ALPS) in HTTP
- https://tools.ietf.org/html/draft-vvv-httpbis-alps-00
- Application-layer negotiation parameters are sometimes only sent after the TLS handshake completes
- This proposes carrying them inside the TLS handshake via a TLS extension instead
- Identity Module for TLS Version 1.3
- JOSE Authentication
- Packed CBOR
- Client Hint Reliability
- https://tools.ietf.org/html/draft-davidben-http-client-hint-reliability-00
- Adding a Client Hint costs an extra round trip, because the server must first advertise it via Accept-CH
- Critical-CH: a response header that makes the client retry the request with the listed hints attached
- An ACCEPT_CH frame that delivers the hint list separately from the request/response pair
- Bootstrapped TLS Authentication
- HTTP Alternative Services That Do Not Support Desired Extensions
- IPv6 hosts detection
- Privacy Pass: HTTP API
- CBOR Object Signing and Encryption (COSE): Headers for Carrying CBOR Compressed Certificates
- TCP ACK Rate Request Option
- Author Header Field
- Transport Layer Security (TLS) Resumption across Server Names
- OAuth 2.0 JSON Request
- TLS-based EAP types and TLS 1.3
- Considerations for Cancellation of IETF Remote Meetings
- Impact of TLS 1.3 to Operational Network Security Practices
- Use Cases and Requirements for Web Packages
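The Client Hint Reliability draft listed above, acted out as an added example that is not code from the draft or from any browser: a toy client and server that show why a newly advertised hint normally costs a round trip and how Critical-CH triggers a single retry instead. The hint names, the constructed hint values and the two server handlers are assumptions made for this example; a real UA persists its per-origin Accept-CH cache across page loads, which the `acceptChCache` map stands in for here.

```javascript
// Added example, not code from the draft or any browser: a toy exchange showing the
// extra round trip a new Client Hint costs and how Critical-CH shortens it.
// Assumptions: hint names/values and the server handlers are constructed;
// `acceptChCache` stands in for a UA's persistent per-origin Accept-CH cache.

function parseList(header) {
  return header ? header.split(",").map((s) => s.trim()).filter(Boolean) : [];
}

// Server: needs Sec-CH-UA-Platform to pick the right download on *this* response,
// so it marks that hint critical; Viewport-Width is merely nice to have.
function server(requestHeaders) {
  const platform = requestHeaders["sec-ch-ua-platform"];
  return {
    headers: {
      "accept-ch": "Sec-CH-UA-Platform, Viewport-Width",
      "critical-ch": "Sec-CH-UA-Platform",
      vary: "Sec-CH-UA-Platform",
    },
    body: platform ? `installer for ${platform}` : "generic installer",
  };
}

// Same server without Critical-CH: the hint only arrives on the next request.
function serverWithoutCriticalCH(requestHeaders) {
  const res = server(requestHeaders);
  delete res.headers["critical-ch"];
  return res;
}

// Client: hints this UA is able to supply (constructed values).
const availableHints = { "sec-ch-ua-platform": '"Linux"', "viewport-width": "1280" };

// Per-origin Accept-CH cache, kept across fetches like a real UA would.
const acceptChCache = new Map();

// Fetch from `origin`, attaching the cached hints, and retry at most once if the
// response lists a Critical-CH hint this client could have sent but did not.
function fetchWithHints(origin, handler) {
  let roundTrips = 0;
  let retried = false;
  for (;;) {
    const wanted = (acceptChCache.get(origin) || []).map((h) => h.toLowerCase());
    const headers = {};
    for (const h of wanted) if (h in availableHints) headers[h] = availableHints[h];
    const res = handler(headers);
    roundTrips++;
    // Update the cache from Accept-CH exactly as the client would.
    const accepted = parseList(res.headers["accept-ch"]);
    acceptChCache.set(origin, accepted);
    const acceptedLower = accepted.map((h) => h.toLowerCase());
    // Only hints that are in Accept-CH, that we can supply, and that we did not send.
    const missingCritical = parseList(res.headers["critical-ch"])
      .map((h) => h.toLowerCase())
      .filter((h) => acceptedLower.includes(h) && h in availableHints && !(h in headers));
    if (missingCritical.length > 0 && !retried) {
      retried = true; // a single retry, so a misbehaving server cannot loop us
      continue;
    }
    return { body: res.body, roundTrips, sentHints: Object.keys(headers) };
  }
}

// Constructed demo: cold cache then warm cache, without and with Critical-CH.
function demo() {
  acceptChCache.clear();
  const without = [
    fetchWithHints("https://dl.example", serverWithoutCriticalCH),
    fetchWithHints("https://dl.example", serverWithoutCriticalCH),
  ];
  acceptChCache.clear();
  const withCritical = [
    fetchWithHints("https://dl.example", server),
    fetchWithHints("https://dl.example", server),
  ];
  return { without, withCritical };
}
console.log(JSON.stringify(demo(), null, 2));
```

Without Critical-CH the first response is the generic one and the platform-specific answer only appears on the second fetch; with Critical-CH the first fetch costs two round trips but returns the right body, and every later fetch is a single round trip. The retry is bounded to one so a server that never stops listing hints cannot make the client loop.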
- Other
- HTTP/3 logo | daniel.haxx.se
Security Trends
- Follow-up on the decision to shorten SSL server certificate validity | GlobalSign Blog
- Network-layer DDoS attack trends for Q1 2020 (Japanese edition)
- https://blog.cloudflare.com/network-layer-ddos-attack-trends-for-q1-2020-jp/
- With people staying home, traffic rose more than 50% in many countries
- Downtime now costs more than usual, and DDoS attacks aimed at exactly that have increased
- ACK/SYN floods and Mirai (botnet) attacks are common
- CVE-2020-5902: Helping to protect against the F5 TMUI RCE vulnerability
- Towards fundamentally securing the web ecosystem (Google Japan Blog)
- China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI
- https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
- https://mailarchive.ietf.org/arch/msg/tls/YzT5LjLJ_6WWhdnU2wVsKNKR6_I/
- https://www.iyouport.org/%e6%8a%a5%e5%91%8a%ef%bc%9a%e4%b8%ad%e5%9b%bd%e7%9a%84%e9%98%b2%e7%81%ab%e9%95%bf%e5%9f%8e%e5%b7%b2%e7%bb%8f%e5%b0%81%e9%94%81%e5%8a%a0%e5%af%86%e6%9c%8d%e5%8a%a1%e5%99%a8%e5%90%8d%e7%a7%b0%e6%8c%87/
- Packets are dropped
- The GFW does this in both directions
- Triggered after the TCP handshake completes
- On all ports
- After the first block, the blocking persists for roughly 120 to 180 seconds
Related Trends
- No Chrome, no Edge... My Number Points (マイナポイント) reservation on PC works only with IE11: J-CAST News
- Why Browser Security UI Isn't Specified - Infrequently Noted
- Cache-Control in the wild
- https://www.fastly.com/blog/cache-control-wild
- Collected headers during May 2020 and surveyed how Cache-Control is actually used
- 74% set an explicit Cache-Control header and so do not rely on heuristic caching
- The most used directive is max-age, at 80% of the total
- public appears in 40%, and 97% of those also have max-age/s-maxage, so public is redundant there
- no-cache appears in 18%; most of these were probably meant to be no-store
- must-revalidate appears in 16%, often on images and HTML where it seems unnecessary, sometimes combined with no-store, suggesting it is not well understood
- Also surveys misspellings, invalid values and the like
- State at the edge
- Network-layer DDoS attack trends for Q2 2020
- Introducing Cloudflare Network Interconnect
- Cloudflare Network Interconnection Partnerships Launch
- Mitigating Spectre and Other Security Threats: The Cloudflare Workers Security Model
- The Edge Computing Opportunity: It's Not What You Think
- Cloudflare outage on July 17, 2020
- Cloudflare Network expands to more than 100 Countries
- flowtrackd: DDoS Protection with Unidirectional TCP Flow Tracking
- Mitigating a 754 Million PPS DDoS Attack Automatically
- Introducing Rome
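The Cache-Control survey above, turned into an added example that is not code from the Fastly post: a small linter that parses a Cache-Control value and flags the patterns the survey found most often misused (redundant public, no-cache where no-store was meant, directives that no-store makes meaningless, misspelled names). The rule set, the messages and the sample headers are constructed for this example, not taken from the survey data.

```javascript
// Added example, not code from the Fastly post: lints a Cache-Control value for the
// misuse patterns the survey describes. Rules, messages and sample headers are
// constructed for this example.

const KNOWN_DIRECTIVES = new Set([
  "max-age", "s-maxage", "no-cache", "no-store", "no-transform", "must-revalidate",
  "proxy-revalidate", "public", "private", "immutable", "stale-while-revalidate",
  "stale-if-error", "must-understand", "only-if-cached", "min-fresh", "max-stale",
]);

// Parse 'a, b=1, c="x"' into a Map of lower-cased directive -> value (null if none).
function parseCacheControl(value) {
  const directives = new Map();
  for (const raw of value.split(",")) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // quoted-string form
    }
    directives.set(name, val);
  }
  return directives;
}

// Return a list of findings; an empty list means nothing looked suspicious.
function lintCacheControl(value) {
  const d = parseCacheControl(value);
  const findings = [];
  for (const name of d.keys()) {
    if (!KNOWN_DIRECTIVES.has(name)) findings.push(`unknown directive "${name}" (typo? caches will ignore it)`);
  }
  for (const n of ["max-age", "s-maxage"]) {
    if (d.has(n) && !/^\d+$/.test(d.get(n) || "")) findings.push(`${n} needs a non-negative integer value`);
  }
  if (d.has("public") && (d.has("max-age") || d.has("s-maxage"))) {
    findings.push("public is redundant next to max-age/s-maxage unless the request carried Authorization");
  }
  if (d.has("no-cache") && !d.has("no-store")) {
    findings.push("no-cache still lets caches store the response (it only forces revalidation); use no-store if it must never be cached");
  }
  if (d.has("no-store") && ["must-revalidate", "max-age", "s-maxage", "public"].some((n) => d.has(n))) {
    findings.push("no-store makes must-revalidate/max-age/s-maxage/public meaningless");
  }
  return findings;
}

// Constructed sample headers of the kinds the survey describes.
const samples = [
  "public, max-age=3600",
  "no-cache",
  "no-store, must-revalidate",
  "must-revaldate, max-age=60",
  "max-age=86400, immutable",
  'private, max-age="abc"',
];
for (const s of samples) console.log(JSON.stringify(s), "->", lintCacheControl(s));
```

The no-cache rule is the one with a security angle: a response carrying a session-bound page with only no-cache is still written to disk by browser and proxy caches and merely revalidated on reuse, which is rarely what the author intended for sensitive content.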
Events
- July
- 30-2: web.dev LIVE
- 27-31: IETF 108 Online
- August
- September
- 7-11: SecWeb
- 9-10: Chromium Platform Security Summit
- October
- 26-30: TPAC/2020 - W3C Wiki
- November
- 14-20: IETF 109 Bangkok
- 17-19: BlinkOn
Wrap Up
- web.dev live の wrapup
- referrer policy default to strict-origin-when-cross-origin
- SameSite Cookie Lax by default rollout again
- Firefox ETP redirect tracking protection (cookie purging)
- declarative shadow dom OT
- Content Visibility
- Document Policy Ship
- BFCache Android & opt-out JS API
- Cache-Control in the wild
- Shorter HTTPS certificate lifetimes
- Long Safari JSC blog post
- China's GFW blocking TLS 1.3 + ESNI
- IETF 108 remote
- HTTP GREASE
- ALPS
- Client Hints Reliability
- Import Assertions Rename
- Record + Tuple
- await operations
- Rome Introduction