ep71 Monthly Web 202008
- published_at
- 2020-09-01
- guest
- @myakura
Theme
The theme of episode 71 is the Monthly Web for August 2020.
Show Note
Chrome developments
- Stable: 85
-
Updates
-
New in Chrome 85
- https://developers.google.com/web/updates/2020/08/nic85
- Content Visibility
- @property and CSS variables
- Get installed related apps
- App Icon Shortcuts
- Origin Trial: Streaming requests with fetch()
-
What's New In DevTools (Chrome 86)
- https://developers.google.com/web/updates/2020/08/devtools
- New Media panel
- Capture node screenshots via Elements panel context menu
- Issues tab updates
- Emulate missing local fonts
- Emulate inactive users
- Emulate prefers-reduced-data
- Support for new JavaScript features
- Lighthouse 6.2 in the Lighthouse panel
- Deprecation of "other origins" listing in the Service Workers pane
- Show coverage summary for filtered items
- New frame detailed view in Application panel
- Elements and Network panel updates
- Chromium Blog: Helping people spot the spoofs: a URL experiment
-
Chromium Blog: Highlighting great user experiences on the mobile web
- https://blog.chromium.org/2020/08/highlighting-great-user-experiences-on.html
- A Fast Page badge is now displayed
- Chromium Blog: Protecting Google Chrome users from insecure forms
-
Chromium Blog: Chrome just got faster with Profile Guided Optimization
- https://blog.chromium.org/2020/08/chrome-just-got-faster-with-profile.html
- Profile Guided Optimization was enabled, making page loads about 10% faster
- Build, run the tasks once to collect information, then optimize
- Google Developers Blog: Guidance to developers affected by our effort to block less secure browsers and applications
- Debugging memory leaks in WebAssembly using Emscripten
-
Unblocking clipboard access
- https://web.dev/async-clipboard/
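- Introduced again now that implementation of the Async Clipboard API has progressed
- writeText()/readText() for handling text
- write()/read(), which can also handle images and other data
-
Permissions
- Chrome: active tab only
- write shows no permission dialog
- read requires clipboard-read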
- Read and write from a serial port
- ARIA: poison or antidote?
- content-visibility: the new CSS property that boosts your rendering performance
-
Intents
-
Ship: WebRTC Insertable Streams
- https://groups.google.com/a/chromium.org/g/blink-dev/c/XFO4OXrdSRA
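- Mozilla / Safari take the stance that key exchange should not be done in JS and should instead be integrated into the platform; until then they do not plan to recommend this API, or it should be used as a transition path until then.
- The Web / Framework developers links are very extensive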
- Ship: Document-Policy: force-load-at-top (opt-out for text-fragment)
-
Ship: Imperative Shadow DOM Distribution API
- https://groups.google.com/a/chromium.org/g/blink-dev/c/Jdw3VWbKvLY/
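- 1. Compared with v0, v1 requires explicitly specifying the slot
- 2. It was not possible to switch slots based on an explicit condition
- To address this, calling attachShadow({ mode: 'open', slotAssignment: 'manual' }) stops automatic slot assignment so that assignment can be done imperatively with slot.assign().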
- Ship: Intl.Segmenter
- Ship: Native File System
- Ship: Streams API: transferable streams
- Ship: CSS quotes property - support 'auto' value
- Ship: FileReader - Set Result Only on Load
- Ship: CSS flow-relative shorthand and offset properties
-
Prototype: First-party sets
- https://groups.google.com/a/chromium.org/g/blink-dev/c/0EMGi-xbI-8
- Firefox considers it Harmful, but Safari is apparently Positive
- https://github.com/privacycg/proposals/issues/17
- Prototype: Permissions-Policy header
- Prototype: Raw Sockets API
- Prototype: WebXR Depth API
- Prototype: WebAuthentication API: ResidentKeyRequirement and credProps extension
- Prototype: Add support for CSS properties "overflow: clip" and "overflow-clip-margin"
- Prototype: Progressive Web Apps as URL Handlers
- Prototype: Customizable <select> Element
-
Implement and Ship: Cookies with SameSite by default
- https://groups.google.com/a/chromium.org/g/blink-dev/c/AknSSyQTGYs/m/SSB1rTEkBgAJ
- The SameSite rollout, which had been done via Finch, reached 100% on 8/11
- Broken sites, such as 3D Secure, have also been reported
- Experiment: Beforematch event and hidden-matchable
- Experiment: Cross-origin opener policy reporting API
- Experiment: battery-savings meta tag
- Experiment: Secure payment confirmation
- Experiment: Cross-Screen Window Placement
-
Experiment: Digital Goods API
- https://groups.google.com/a/chromium.org/g/blink-dev/c/syI9_M9dANY
- An API for controlling UI such as in-app item purchases in finer detail than the Payment Request API
- Experiment: WebCodecs
- Experiment: Sec-bfcache-experiment HTTP Header
- Continue Experimenting: Serial API
- Extend Origin Trial: WebRTC Insertable Streams Legacy API
- Deprecate and Remove: RTP data channels
- Deprecate: -webkit-font-size-delta
- Deprecate and remove: -webkit-font-size-delta
-
PSA: intent-to-experiment needs a draft spec
- https://groups.google.com/a/chromium.org/g/blink-dev/c/R3cI6ro5Dls
- A Draft must be prepared in order to run an Experiment
- Meaning an Explainer alone is not enough
-
PSA: Chromestatus Guide UX
- https://groups.google.com/a/chromium.org/g/blink-dev/c/D3n0dEcb8Eg
- The UI for the Launch Process on Chromestatus has been improved
- PSA on Running WPT on Android
- PSA: Installing service workers will throttle network requests.
- v8
-
Other
- Google Developers Blog: ChromeOS.dev - A blueprint to build world-class apps and games for Chrome OS
- Chromium Blog: Changes to the Chrome App Support Timeline
- Official Google Webmaster Central Blog: Join our first Virtual Webmaster Unconference
- Official Google Webmaster Central Blog: Identify and fix AMP Signed Exchange errors in Search Console
- Q2 2020 Summary from Chrome Security
Firefox developments
-
Stable: 80
- Firefox 80.0, See All New Features, Updates and Fixes
-
Firefox 80 for developers - Mozilla
- https://developer.mozilla.org/ja/docs/Mozilla/Firefox/Releases/80
- The CSS appearance property was unprefixed
- export * as namespace
- Firefox 80 Site Compatibility
-
Changing World, Changing Mozilla - The Mozilla Blog
- https://blog.mozilla.org/blog/2020/08/11/changing-world-changing-mozilla/
- Mozilla carried out large-scale layoffs
- Teams such as MDN, Servo, XR, and WASM lost a large number of people
- Profiles and other details were officially published
- https://talentdirectory.mozilla.org/
- https://discourse.mozilla.org/t/dear-mozilla-community/65546
-
Updates
- These Weeks in Firefox: Issue 77
-
An Update on MDN Web Docs
- https://hacks.mozilla.org/2020/08/an-update-on-mdn-web-docs/
- MDN will continue, but Mozilla Hacks and others are paused
- Fast, personalized and private by design on all platforms: introducing a new Firefox for Android experience
- SpiderMonkey Newsletter #6
-
Plans for new ECDSA root and new intermediates from Let's Encrypt
- https://groups.google.com/g/mozilla.dev.security.policy/c/BAK9eFalSd4
- Let's Encrypt's new certificates use ECDSA rather than RSA
- To save bytes, they have also set up the domain lencr.org
- Extensions in Firefox 80
-
Intents
- Ship: selectionchange for input/textarea
- Ship: accept spaces and tabs in unquoted values (of e.g. "filename") used in Content-Disposition parameterized header pairs to align with other browsers
- Prototype: WebXR Layers
- Prototype: ETP strict mode shims for content-blocked resources
- Unship: Recursive call of Document.execCommand()
-
Other
- A look at password security, Part IV: WebAuthn - The Mozilla Blog
- Update on Mozilla Mixed Reality
Safari developments
- Stable: 13.1.2
-
Updates
-
Release Notes for Safari Technology Preview 112
- https://webkit.org/blog/11183/release-notes-for-safari-technology-preview-112/
-
Extensions
- Added support for replacing a Safari App Extension with a Safari Web Extension by specifying the SFSafariAppExtensionBundleIdentifiersToReplace key in the NSExtension element in your Safari Web Extension Info.plist file. The value for the key should be an array of strings, each of which is the bundle identifier on a Safari App Extension you want to replace.
-
JavaScript
- Implemented Intl.DisplayNames (r264639)
-
SVG
- Added support for SVG <a> element's rel and relList attributes (r264789)
-
Media
- Added behaviors for YouTube to offer HDR variants to devices which support HDR (r265167)
- Adopted AVPlayer.videoRangeOverride (r264710)
- Added HDR decode support in software-decoded VP9 (r265073)
-
WebRTC
- Added OfflineAudioContext constructor (r264657)
-
Web API
- Added support for the type attribute to PerformanceObserver (r265001)
-
Text Manipulation
- Changed text manipulation to not extract non-breaking spaces (r264947)
-
Storage
- Changed to allow IndexedDB in third-party frames (r264790)
-
Position
- Excerpts of only the Position Requests from https://lists.webkit.org/pipermail/webkit-dev/
-
Request for position on transferable streams
- https://lists.webkit.org/pipermail/webkit-dev/2020-August/031350.html
- The current proposal seems useful to me.
-
Request for Position on Native File System API
- https://lists.webkit.org/pipermail/webkit-dev/2020-August/031362.html
- Apple's WebKit team does not support this feature due to the security / safety concerns.
-
Request for position on Cookie Store API
- https://lists.webkit.org/pipermail/webkit-dev/2020-August/031365.html
- We're supportive of the idea of having an asynchronous cookie API. However, we would need to review other aspects of this proposal, for example, exposing it to service workers since that could have subtle implications.
-
Request for position on Atomics.waitAsync
- https://lists.webkit.org/pipermail/webkit-dev/2020-August/031367.html
- I think it's a good idea. It seems to be a decent fit for how WK handles this already internally.
- Request for position on Event Timing
- Request for position on a Link header to use Signed HTTP Exchanges to load subresources
- Request for Position on document-access proposal
- Request for position on WebRTC Insertable Streams
- Request for position on the Origin-Isolation header
- Other
Edge developments
- Stable: 85
- Updates
-
Chakra
- Release ChakraCore v1.11.21 · microsoft/ChakraCore
-
Other
-
Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy - Microsoft Tech Community - 1591666
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666
- Advance notice that Microsoft 365 will end support for Edge Legacy and IE11
- Edge Legacy reaches EOL in March 2021
- Microsoft Teams ends IE11 support on November 30, 2020
- The other Microsoft 365 apps also end IE11 support on August 17, 2021
- Announcing a new way to paste URLs, Link format! - Microsoft Tech Community - 1600094
-
Beating Private Mode Blockers with an Ephemeral Profile - text/plain
- https://textslashplain.com/2020/08/11/beating-private-mode-blockers-with-an-ephemeral-profile/
- A post about setting up a separate, dedicated account in order to view sites that block private browsing
-
Seamless Single Sign-On - text/plain
- https://textslashplain.com/2020/08/17/seamless-single-sign-on/
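- For security reasons, the authentication prompt for a 401 is not shown for third-party images
- Taking advantage of that, a site can load an image and, without showing a prompt, tell the two cases apart: if the load succeeds the token is still present, and if it fails it can go to the authentication flow.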
- Managing Edge via Policy - text/plain
WHATWG/W3C developments
- TPAC
- Recommendation
- Proposed Recommendation
- Candidate Recommendation
-
Working Draft
-
For Wide Review: WCAG 2.2
- https://www.w3.org/blog/news/archives/8659
- A new Working Draft of WCAG 2.2 was published
- Nine new success criteria were added
- Comments are requested by 9/18
- https://www.w3.org/TR/2020/WD-WCAG22-20200811/
- First Public Working Draft
- Chartering
-
Other
-
WebAppsec Meeting Agenda 2020-08-18
- https://github.com/w3c/webappsec/blob/master/meetings/2020/2020-08-18-agenda.md
-
IsLoggedIn
- John Wilander and Melanie Richards will walk us through this PrivacyCG proposal.
-
WebID
- Sam Goto (and friends!) will walk us through this WICG proposal.
-
HTTP State Tokens
- Mike West will update folks on this proposal.
TC39 developments
-
Meeting
- no-meeting
- Proposals Diff
- New Proposals
-
Other
-
Daniel Ehrenberg on Twitter: "Visiting family in beautiful Rochester, NY, but in my downtime, I'm back on my bullshit." / Twitter
- https://twitter.com/littledan/status/1292468777490284544
- littledan is apparently writing a new Decorators proposal
IETF developments
- RFC
- IETF Last Call
- WG Last Call
- Call for Adoption
- I-D Action
-
Draft
- The Transport Layer Security (TLS) Protocol Version 1.3
- QUIC Disable Encryption
- Usage Limits on AEAD Algorithms
- The CONNECT-UDP HTTP Method
- Hypertext Transfer Protocol Version 2 (HTTP/2)
- Client Hint Reliability
- Supporting Redirection for DNS Queries over HTTPS (DoH)
- A Framework For Decentralized Bearer Token Issuance in HTTP
- Effective Terminology in IETF drafts
-
Other
- mnot's blog: RFC8890: The Internet is for End Users
Security developments
Related developments
- Why bigger isn't always better when it comes to TLS key size
- Why "by developers, for developers" matters now more than ever
- Security at Scale: Fastly announces intent to acquire Signal Sciences, the web application and API protection solution
- Announcing wrangler dev - the Edge on localhost
- Cloudflare and Human Rights: Joining the Global Network Initiative (GNI)
- How Argo Tunnel engineering uses Argo Tunnel
- Brave's Concerns with the Client-Hints Proposal | Brave Browser
- WebBundles Harmful to Content Blocking, Security Tools, and the Open Web (Standards Updates #2)
Events
-
September
- 9-10: Chromium Platform Security Summit
- 11: SecWeb
-
October
- 26-30: TPAC/2020 - W3C Wiki
-
November
- 14-20: IETF 109 Bangkok
- 17-19: BlinkOn
Wrap Up
- Chrome 85 released
- SameSite Lax reached 100%; some sites broke
- Customizable form UI, starting with <select>
- Blog post on the Fast Page badge
-
Intents
- Intent to Ship: Insertable Stream
- Intent to Ship: Native File System
- Intent to Experiment: Digital Goods API
- A Draft is now Required for Intent to Experiment
-
Mozilla Layoff
- About 250 people laid off; teams such as MDN were downsized
- MS365 ending support for IE11/Legacy Edge
- Niwa-san posted quite a few replies to the webkit-dev requests for position
- mnot's blog: RFC8890: The Internet is for End Users
- Work on http2bis has started