
Origin Trial is not cross UA compatible

Open pyalot opened this issue 9 years ago • 4 comments

If other UAs should decide to use origin trial, they have a problem, because they cannot use the Origin-Trial header/http-equiv, since that is already taken by Google.

I'd suggest changing the OT semantic to allow issuance of many tokens on the Origin-Trial header so that other UAs can join that semantic.

pyalot, Dec 12 '16 21:12

Why wouldn't other UAs be able to use the Origin-Trial header/http-equiv? Our implementation just ignores any tokens that aren't signed by our keys/that aren't in our format. It's always been our intention to allow other UAs to do the same thing with the same headers.

Of course origin trials themselves will never be cross UA compatible. By their very nature they're experimental APIs. But there is no reason a website can't embed tokens for multiple UAs for similar trials.

mkruisselbrink, Dec 12 '16 21:12

> Why wouldn't other UAs be able to use the Origin-Trial header/http-equiv?

Because the Origin-Trial header is specified as:

```
Origin-Trial: token as provided in the email
```

And not:

```
Origin-Trial: token-list
token-list: token | token-list separator token
separator: ","
token: provided in the email
```

I.e. it's not a list.

pyalot, Dec 12 '16 21:12

That's a bug in the (lack of) spec. I started trying to more formally specify the actual format of any of this, but that work seems to have mostly gotten lost (http://jpchase.github.io/OriginTrials/#header). The intention (and the implementation) is and has always been that the Origin-Trial header can contain as many comma-separated tokens as you want (and you can equally have as many Origin-Trial headers as you'd like).

mkruisselbrink, Dec 12 '16 22:12
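The behaviour described in the two replies above (several Origin-Trial headers, comma-separated tokens, each UA ignoring tokens it cannot verify), as an added example that is not part of the original thread or of any UA's code. The two UA keys, the token layout and the sample headers are constructed, and HMAC stands in for a UA's real signature check.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for two hypothetical UAs. HMAC stands in for each UA's
# real signature check; the token layout is invented for this example.
UA_A_KEY = b"constructed-key-for-ua-a"
UA_B_KEY = b"constructed-key-for-ua-b"
TAG_LEN = 32  # SHA-256 HMAC tag length in bytes

def make_token(key, origin, feature):
    """Issue a token: base64(tag || JSON payload)."""
    payload = json.dumps({"origin": origin, "feature": feature}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(tag + payload).decode()

def split_tokens(header_values):
    """Flatten all Origin-Trial header values into individual tokens."""
    return [t.strip() for v in header_values for t in v.split(",") if t.strip()]

def verify(token, key):
    """Return the payload if the token verifies under `key`, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(payload)
    except ValueError:  # bad base64 or bad JSON: not a token for us
        return None

def enabled_features(header_values, key, origin):
    """Features this UA enables: its own valid tokens for this origin only."""
    payloads = (verify(t, key) for t in split_tokens(header_values))
    return [p["feature"] for p in payloads if p and p.get("origin") == origin]

# Constructed response: two Origin-Trial headers carrying tokens for both UAs.
SITE = "https://example.test"
HEADERS = [
    make_token(UA_A_KEY, SITE, "feature-x") + ", " + make_token(UA_B_KEY, SITE, "feature-y"),
    "not-a-token," + make_token(UA_A_KEY, "https://other.test", "feature-z"),
]

if __name__ == "__main__":
    print("UA A:", enabled_features(HEADERS, UA_A_KEY, SITE))
    print("UA B:", enabled_features(HEADERS, UA_B_KEY, SITE))
```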

The spec is fine, I think -- the term 'email' doesn't appear in it at all, and the header seems to be defined reasonably there. I think the issue here is in developer-guide.md, which we should probably either tag as a Chromium-specific workflow guide, or actually move out of this repo and into Chromium docs.

available-trials.md and ship-as-trial.md probably have the same issue. They're more notes about how we're implementing this in Blink, and less about the origin trial spec itself.

clelland, Dec 13 '16 15:12