Issue 602925

Status: Available
Pri: 2
Type: Bug

Measure how many pages are using cross-origin XHR with credentials

Project Member Reported by tyoshino@chromium.org, Apr 13 2016

Issue description

To provide data points to the discussion at https://github.com/whatwg/fetch/issues/251#issuecomment-202304702 about the XHR spec, we'd like to gather a metric of how many pages are using cross-origin XHR with withCredentials set to true.

This UMA item doesn't need to live for a long time. Once data is obtained, remove.

Components: Blink>Network>XHR

We can calculate the ratio by comparing the value for the new counter against the sum of XMLHttpRequestAsynchronous and XMLHttpRequestSynchronous.

@tyoshino, do we have any way of determining, for a given request, whether the withCredentials flag NEEDED to be set? IOW, can we see whether the request ACTUALLY passed any credential-related information and/or whether the response included Access-Control-Allow-Credentials: true?

It would be useful (I think) to know whether withCredentials is being set by the client because the developer KNOWS that she will be passing credentials or whether it's just being set because the developer doesn't understand the CORS requirement (or perhaps just copied an existing bit of code).

Does that make sense?

Yeah. I was also worried about the possibility that people are using some library or c&p code as you said with withCredentials just always set. But in Chrome, actual cookie generation, etc. happens inside net/ stack which is abstracted away from our Blink rendering engine. It would be more work to exchange the initiator information (XHR/Fetch is involved, some credentials were sent). So, let me just start with this method.
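The question in the comment above (was withCredentials actually needed, or just set by habit?) can be answered offline from request/response logs, such as a proxy or devtools export of an application's own traffic. The following is an added example, not code from this issue or from Chromium; the record field names (requestOrigin, url, withCredentials, requestHeaders, responseHeaders) are assumptions for the example.

```javascript
// Added example (not from the Chromium issue): classify request/response log
// records to answer the question above: was withCredentials actually needed?
// Field names (requestOrigin, url, withCredentials, requestHeaders,
// responseHeaders) are assumed for this example, not a Chromium schema.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Only Cookie and Authorization count as credential material here.
function classifyXhr(rec) {
  if (new URL(rec.url).origin === rec.requestOrigin) return 'same-origin';
  if (!rec.withCredentials) return 'cross-origin-anonymous';
  const credentialsSent =
    headerValue(rec.requestHeaders, 'Cookie') !== undefined ||
    headerValue(rec.requestHeaders, 'Authorization') !== undefined;
  if (!credentialsSent) return 'flag-set-nothing-sent';
  // In credentials mode the browser exposes the response only when the server
  // echoes the exact origin (not "*") and sends Access-Control-Allow-Credentials: true.
  const acao = headerValue(rec.responseHeaders, 'Access-Control-Allow-Origin');
  const acac = headerValue(rec.responseHeaders, 'Access-Control-Allow-Credentials');
  return acao === rec.requestOrigin && acac === 'true'
    ? 'credentials-needed-and-allowed'
    : 'credentials-sent-response-blocked';
}

// Count verdicts over a batch, the same kind of tally the thread builds from UMA.
function tallyVerdicts(records) {
  return records.reduce((acc, r) => {
    const v = classifyXhr(r);
    acc[v] = (acc[v] || 0) + 1;
    return acc;
  }, {});
}

const ORIGIN = 'https://app.example'; // constructed sample values, not real traffic
const API = 'https://api.example/v1';
const SAMPLE_RECORDS = [
  { requestOrigin: ORIGIN, url: ORIGIN + '/api', withCredentials: true,
    requestHeaders: { Cookie: 'sid=1' }, responseHeaders: {} },
  { requestOrigin: ORIGIN, url: API, withCredentials: false,
    requestHeaders: {}, responseHeaders: { 'Access-Control-Allow-Origin': '*' } },
  { requestOrigin: ORIGIN, url: API, withCredentials: true,
    requestHeaders: {}, responseHeaders: { 'Access-Control-Allow-Origin': '*' } },
  { requestOrigin: ORIGIN, url: API, withCredentials: true, requestHeaders: { Cookie: 'sid=1' },
    responseHeaders: { 'Access-Control-Allow-Origin': ORIGIN, 'Access-Control-Allow-Credentials': 'true' } },
  { requestOrigin: ORIGIN, url: API, withCredentials: true, requestHeaders: { Authorization: 'Bearer x' },
    responseHeaders: { 'Access-Control-Allow-Origin': '*' } },
];
```

Records landing in 'flag-set-nothing-sent' are the copy-pasted case the comment worries about; 'credentials-sent-response-blocked' is the misconfiguration where the flag is set but the server never opted in.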

Included from branch 2710. From data for 52.0.2710.0 (canary),

XMLHttpRequestCrossOriginWithCredentials / (XMLHttpRequestAsynchronous + XMLHttpRequestSynchronous) = ~30%

It's a lot.

I would have guessed slightly lower - about 25% - but it's in the ballpark of what I would have guessed.

I was (am) involved in some discussions on the WHATWG forums (https://github.com/whatwg/fetch/issues/251), where I said that my gut feeling is that the percentage of credentialed requests is higher than many people assume. This was in relation to the idea of making some of the new CORS features available for credentialed requests, since otherwise they wouldn't get the benefit.

Not that this proves anything (as you say, this is only on a canary release, so we can't extrapolate too much)...

Owner: ----
Status: Available (was: Started)
The WHATWG issue has been closed.

For the record, these are the metrics used in comment 6.
https://www.chromestatus.com/metrics/feature/timeline/popularity/1305
https://www.chromestatus.com/metrics/feature/timeline/popularity/677
https://www.chromestatus.com/metrics/feature/timeline/popularity/465

We could remove the histogram item now.