Publish minutes of 2023-11-23 meeting

Rob--W · Rob--W · commit 91a50a9ea214 · 2023-11-23T19:22:13.000+01:00
diff --git a/_minutes/2023-11-23-wecg.md b/_minutes/2023-11-23-wecg.md
@@ -0,0 +1,129 @@
+# WECG Meetings 2023, Public Notes, Nov 23
+
+ * Chair: Simeon Vincent
+ * Scribes: Rob Wu
+
+Time: 8 AM PST = https://everytimezone.com/?t=655e9600,3c0
+Call-in details: [WebExtensions CG, 23rd November 2023](https://www.w3.org/events/meetings/1cc4723f-c539-4c9b-94d2-912bcc2598c9/20231123T080000/)
+Zoom issues? Ping @zombie (Tomislav Jovanovic) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat)
+
+
+## Agenda: [agenda discussion in #488](https://github.com/w3c/webextensions/issues/488), [github issues](https://github.com/w3c/webextensions/issues)
+
+The meeting will start at 3 minutes after the hour.
+
+ * **Carry-over from previous meetings**
+   * [Issue 433](https://github.com/w3c/webextensions/issues/433): Alarms API time slipping
+   * [Issue 474](https://github.com/w3c/webextensions/issues/474): Behavior of extension message ports and bfcache
+ * **Other new issues**
+   * [Issue 477](https://github.com/w3c/webextensions/issues/477): Proposal: userScripts.execute() method
+   * [Issue 489](https://github.com/w3c/webextensions/issues/489): Proposal: Re-evaluate userScript and userStyle API
+   * [Issue 490](https://github.com/w3c/webextensions/issues/490): Support Promise as return value from webRequest.onAuthRequired
+   * [Issue 492](https://github.com/w3c/webextensions/issues/492): Issue with chrome.declarativeNetRequest Not Blocking Requests Over Time
+   * [Issue 493](https://github.com/w3c/webextensions/issues/493): Support redirect-only rule in DNR
+ * **Open discussion queue (add yourself at the bottom)**
+   * None
+ * **Check-in on ongoing issues**
+   * [Issue 483](https://github.com/w3c/webextensions/issues/483): Proposal: API to embed pages in WebExtension bypassing CSP
+
+
+## Attendees (sign yourself in)
+
+ 1. Rob Wu (Mozilla)
+ 2. Simeon Vincent (unaffiliated)
+ 3. Tomislav Jovanovic (Mozilla)
+ 4. Oliver Dunk (Google)
+ 5. Carlos Jeurissen (Jeurissen Apps)
+ 6. Dmitriy Seregin (AdGuard)
+ 7. Anton Bershanskyi (unaffiliated)
+
+
+## Meeting notes
+
+Intro
+
+ * [rob] There are only 6 people here right now, probably due to Thanksgiving. Let's only cover topics that do not require input from everyone.
+
+[Issue 433](https://github.com/w3c/webextensions/issues/433): Alarms API time slipping
+
+ * [oliver] It is unclear how the alarms API behaves when the device goes to sleep. At TPAC we decided that consistency with the web would be nice. I have investigated setTimeout, but it is unclear what should happen. In practice, macOS+Linux pause the timer during sleep, on Windows the timer continue.
+ * [simeon] I was surprised that the WHATWG discussion didn't include mention of setInterval.
+ * [oliver] I think that setInterval is basically setTimeout + scheduling a new timer.
+ * [tomislav] Yes, and it's crucial that the intervals are scheduled upfront, so that any “past” scheduled timers are not fired immediately after wakeup.
+ * [oliver] The web is leaning towards pause on sleep. At the same time enough uncertainty to make our own decisions independent of the web platform. I am leaning towards wall clock time. That would also make the API consistent, always using wall clock time instead of only sometimes wall clock.
+ * [simeon] I'm also leaning towards wall clock time. I think the expectation of extensions is associated with the system rather than the page.
+ * [oliver] Firefox folks?
+ * [rob] Does wall clock imply changes to browser behavior? Timothy already mentioned that Safari already uses wall clock time.
+ * [oliver] Chrome sometimes timer-based, but Chrome recalculates when other timers should fire.
+ * [rob] I think we use a timer, but not sure what happens with the timer when slept. Did you already check if the change would better match developer expectations?
+ * [tomislav] how do we verify that?
+ * [rob] I guess we have bugs either way.
+ * [tomislav] Since the web is not 100%, might make sense to be as simple and consistent as possible.
+ * [rob] If we do wall clock time, then we have to always check for expired timers whenever the device wakes up.
+ * [oliver] I would say we fire as soon as the device starts
+ * [rob] Please double check your thoughts/proposal with the Chrome engineering team.
+ * [oliver] For repeating alarms, when the device wakes up we fire once for repeating alarms even if there would be multiple fired in the gap. We would then schedule the next repeated alarm for the future.
+ * [oliver] All developers would need to implement against the device not going to sleep, so I think this most closely matches expected behavior. Only difference is repeated alarms would be collapsed.
+ * [tomislav] This shouldn't be a major change for us.
+ * [rob] Tentative approval for Firefox.
+
+[Issue 474](https://github.com/w3c/webextensions/issues/474): Behavior of extension message ports and bfcache
+
+ * [tomislav] I investigated Firefox's behavior. My confusion was previously caused by a misunderstanding on my part. We have a situation where Ports close more often than Chromium, which we've done from the start: In the 1-to-many scenario (tabs.sendMessage when there are iframes), the Port closes whenever any of the iframes navigate.
+   * [rob] For emphasis: this discussion is not relevant to the specific issue here; but for context: Chrome disconnects only when there is no receiver at any end, or when disconnect() is called explicitly. This behavior is documented in Chrome (many years ago I added that to Chrome's documentation). Firefox currently closes a Port when any of the contexts unload ([Firefox bug 1465514](https://bugzilla.mozilla.org/show_bug.cgi?id=1465514)).
+ * [rob] The ask of this issue is unclear to me. Oliver, can you clarify?
+ * [oliver] We thought the Firefox behavior provided evidence that bfcache ejection was safe. Since that's not the case, we may need to be a little more careful about this approach.
+ * [rob] What were the alternatives you were considering?
+ * [oliver] We weren't considering other alternatives, but we discussed some options: Keep port around, restore it.
+ * [tomislav] The only viable alternative is to disconnect the port if the background tries to communicate with invisible contexts.
+ * [oliver] Other alternative is to drop messages.
+ * [tomislav] Which is worse.
+ * [rob] … but what we do in Firefox.
+ * [oliver] I can update the issue to reflect that it specifically reflects the plan to disconnect ports.
+
+[Issue 477](https://github.com/w3c/webextensions/issues/477): Proposal: userScripts.execute() method
+
+ * [oliver] The capability was already mentioned in the proposal as something to do in the future.
+ * [simeon] My impression of this issue is that it was the kind of capability we were considering for additional phases of userScripts API work.
+ * [rob] Oliver, could you get your opinions from the Chrome eng team on this proposal as a preparation for the next meeting?
+ * [oliver] Will do.
+
+[Issue 489](https://github.com/w3c/webextensions/issues/489): Proposal: Re-evaluate userScript and userStyle API
+
+ * [rob] The proposal is basically to unify userScripts and scripting. It was Chrome's explicit API design request to have different namespaces for these capabilities.
+ * [oliver] Opposed on the Chrome side. Smaller request (including support for css in userScripts) sounds more reasonable.
+ * [rob] Having separate APIs prevents dependencies between the two. If a user script manager wanted to inject styles, with separate APIs there's no way for the user script manager (USM) to declare order of injection.
+ * [rob] Would like to know if there are any USMs would want/need the ability to register CSS stylesheets through the userScripts API. They can already do so through the scripting namespace.
+ * [rob] A potential argument in favor of supporting “css” in userScripts is that scripting and userScripts have different matching characteristics. User scripts want to run when either `@matches` or `@include` match the document URL, but it has been a long-standing bug in the extension API that their equivalent (`matches` and `include_globs`) are only allowed if both match the URL. In the userScripts API, this has been fixed, which may be a reason for USM to prefer one API.
+ * [rob] Need to hear from USMs about the need for “css” support in userScripts before we implement this functionality.
+
+[Issue 490](https://github.com/w3c/webextensions/issues/490): Support Promise as return value from webRequest.onAuthRequired
+
+ * [rob] Safari doesn't support webRequest, so the main question is for Chrome here: are you supportive of accepting Promises as a return value in the webRequest.onAuthRequired event handler? See issue for details.
+ * [oliver] Seems reasonable. We previously expressed support for async runtime.onMessage in [issue 338](https://github.com/w3c/webextensions/issues/338).
+ * [rob] This week I saw activity on Chromium's issue tracker to resolve the remaining work on “Promise support” in extension APIs. Most issues have been addressed, except for devtools APIs and these bugs.
+ * [tomislav] If Chrome has to prioritize either of these bugs, please prioritize the runtime.onMessage one. That is a highly requested feature from extension developers.
+
+[Issue 492](https://github.com/w3c/webextensions/issues/492): Issue with chrome.declarativeNetRequest Not Blocking Requests Over Time
+
+ * [rob] This looks like a Chrome bug, should be moved to crbug. Limited rule lifetime is not part of the DNR API design.
+ * [oliver] Someone has mentioned this issue before at https://groups.google.com/a/chromium.org/g/chromium-extensions/c/kGdHMCq-yTc/m/HwbX0_PLBAAJ
+
+[Issue 493](https://github.com/w3c/webextensions/issues/493): Support redirect-only rule in DNR
+
+ * [rob] Let's get clarification on the request here and discuss this at the next meeting.
+
+[Issue 483](https://github.com/w3c/webextensions/issues/483): Proposal: API to embed pages in WebExtension bypassing CSP
+
+ * [rob] This is on the agenda because we needed followup from Chrome before we could discuss further.
+ * [tomislav] We are blocked on Chrome's opinion,
+ * [oliver] is window.top a significant concern?
+ * [rob] before x-frame-options it was the primary technique for frame busting. Broader request is that extensions want to embed pages that don't want to be embedded. Because there is no extension API that enables extensions to pretend that content is “top-level”, they resort to alternatives such as stripping CSP/XFO. Supporting an API that offers the requested feature also has consequences, such as the origin to associate with permission requests and such. I want to understand if this capability is something Chrome wants to support, before even discussing the shape of the API.
+ * [tomislav] Carlos, do you encounter this issue with window.top?
+ * [carlos] Yes, it's complicated. Workarounds are very hacky. CSP modification is the biggest concern as it's not possible in Chrome MV3.
+ * [simeon] Would it makes sense to automatically include an extension's origin in a page's effective frame-ancestors CSP if the extension has host permissions?
+ * [rob] CSP spec allows exceptions for extensions (and bookmarklets) (https://www.w3.org/TR/CSP3/#extensions). I would like relaxation of security restrictions to be opt-in, and not enabled by default.
+ * [oliver] Do we also want to allow relaxation of CSP for other origins? For example, using a content script to inject example.com on another website.
+ * _unanimous agreement that we should not_
+
+The next meeting will be on [Thursday, December 7th, 8 AM PST (4 PM UTC)](https://everytimezone.com/?t=65710b00,3c0)
diff --git a/_minutes/README.md b/_minutes/README.md
@@ -10,25 +10,23 @@ After the end of each meeting, meeting notes are published here.
 
 ## Upcoming meetings
 
-- 2023-11-23 at 8 AM PST = https://everytimezone.com/?t=655e9600,3c0
 - 2023-12-07 at 8 AM PST = https://everytimezone.com/?t=65710b00,3c0
+- 2024-01-04 at 8 AM PST = https://everytimezone.com/?t=6595f500,3c0
 
 ## Past meetings
 
+* 2023-11-23 ([minutes](2023-11-23-wecg.md))
 * 2023-11-09 ([minutes](2023-11-09-wecg.md))
 * 2023-10-26 ([minutes](2023-10-26-wecg.md))
 * 2023-10-12 ([minutes](2023-10-12-wecg.md))
 * 2023-09-28 ([minutes](2023-09-28-wecg.md))
-* 2023-09-14 ([minutes](2023-09-14-wecg.md))
-* 2023-09-12 at TPAC ([minutes](2023-09-12-wecg-tpac.md))
-* 2023-09-11 at TPAC ([minutes](2023-09-11-wecg-tpac.md))
-* 2023-09-11 until 2023-09-14, extra meetings at TPAC ([minutes](2023-09-11-2023-09-14-tpac-extra.md))
 
 <details>
 <summary><strong>All past meeting notes</strong></summary>
 
 **2023**
 
+* 2023-11-23 ([minutes](2023-11-23-wecg.md))
 * 2023-11-09 ([minutes](2023-11-09-wecg.md))
 * 2023-10-26 ([minutes](2023-10-26-wecg.md))
 * 2023-10-12 ([minutes](2023-10-12-wecg.md))
