Origin trials

[kmh287]

Partial for #8331.

Allows publishers to enable certain experiments, provided that a page includes a token that describes the experiments that should be enabled. The token is formatted as follows:

A base64 encoding of:

• 1 byte version number, starting at 0
• 4 byte length of experiments config
• The experiments config, as a JSON
• The signature of the experiments JSON

The experiments config will contain the experiments to enable, their expirations, and the origin to enable the experiments for. (To prevent copying of one token from one site to another).

/to @choumx @jridgewell

[kmh287]

@choumx

[kmh287]

Not sure how to set up a key to download. Is the extra request worth the time it would take to perform another request?

[dreamofabear]

I don't think we want to do that since it'll prevent offline functionality. We can patch prod if we really need to kill a feature, though I don't think that will be needed in practice.

[kmh287]

How can this be tested? I'm not sure how to generate a JSON web key nor how to use it to sign some fake data.

[dreamofabear]

Give this site a shot.

[kmh287]

Should this function just run once when the module is loaded?

[dreamofabear]

Should be up to the caller. May need to be run multiple times in the case where there are multiple AMP documents (e.g. shadow AMPs) but we should cache the result.

[kmh287]

When we generate these tokens, we're going to need to either keep track of all experiments for each origin on our end, or request that all experiments be requested at once. Alternatively we can allow multiple meta tags with tokens, but that sounds like it could get slow very quickly.

[dreamofabear]

Ack. Publishers that want to be whitelisted for additional experiments will receive a new token that covers old and new experiments.

[dreamofabear]

Good start! I'll kick off an email thread with the A4A team who owns this code to ask for guidance on usage of this API.

[dreamofabear]

I don't think we want to do that since it'll prevent offline functionality. We can patch prod if we really need to kill a feature, though I don't think that will be needed in practice.

[dreamofabear]

Give this site a shot.

[dreamofabear]

Should be up to the caller. May need to be run multiple times in the case where there are multiple AMP documents (e.g. shadow AMPs) but we should cache the result.

[dreamofabear]

Ack. Publishers that want to be whitelisted for additional experiments will receive a new token that covers old and new experiments.

[dreamofabear]

We shouldn't do this since origin trials have expiry dates. We want the feature to be disabled when the expiry date passes (unless the user has explicitly opted-in).

[kmh287]

Doesn't the check on the previous few lines handle that?

[dreamofabear]

Not really since the publisher could just remove the token.

[kmh287]

Oh, because the experiment toggle is saved in a cookie by default. Then why not just toggle it as a transient experiment?

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored by someone other than the pull request submitter. We need to confirm that they're okay with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of the commit author(s) and merge this pull request when appropriate.

[kmh287]

Will, I've updated the PR with some tests on tokens I generated. I've got a script I threw together that generates the tokens, but there were a few complications

1. The crypto service expects a modified signature format.
2. The crypto service expects the signature to have been generated by signing modified data

I had to account for both when generating the tokens.

[googlebot]

CLAs look good, thanks!

[dreamofabear]

Nice! Is this still [WIP]? If not we can remove and ask for review from one of the A4A guys.

[dreamofabear]

Minor: Early out here to reduce brace nesting below.

[kmh287]

done, though we'll need to revert if another version is added

[dreamofabear]

Readability suggestion: Use separate vars for each magic number, e.g.

let current = 1;
const bytesForConfigSize = 4;

// Parse config size.
const bytesForConfig = bytesToInt(bytes.subarray(current, bytesForConfigSize));
current += bytesForConfigSize;

[kmh287]

done

[dreamofabear]

Describe when/how the promise is rejected.

[kmh287]

done, let me know if you think it's too much detail

[dreamofabear]

This can throw errors on invalid JSON. Is the default error message good enough? If not, we have tryParseJson.

[kmh287]

This should only fail if we generated a bad token, or if the token has been modified. Do you think we should catch the error, add more context, and then reject?

[dreamofabear]

Extra ;

[kmh287]

thanks

[dreamofabear]

Please add a unit test for this method.

[kmh287]

done.

[dreamofabear]

publicJwk and the tokens need to be in beforeEach?

[kmh287]

nah, fixed

[dreamofabear]

describes.js provides env.sandbox.

[kmh287]

done

[dreamofabear]

'amp-expired'

[kmh287]

done, thanks

[dreamofabear]

Extract this to wrap it methods instead? Probably better to not run than appear to pass.

[kmh287]

I think this is how the crypto tests are current setup. (not that that's the best solution here) What do you mean by wrap the it methods?

[dreamofabear]

if (crypto.isCryptoAvailable()) {
  it(...);
}

[kmh287]

crypto isn't setup until the beforeEach runs. Besides, I don't think this is really an issue as the case where crypto is unavailable is already tested.

[dreamofabear]

The crypto service expects a modified signature format.
The crypto service expects the signature to have been generated by signing modified data

Interesting, looks like an optimization. Let's ask A4A -- maybe we can use this too.

[kmh287]

@choumx Thanks for being so thorough. Accepted most of your comments but responded to a few. When you think it's good to send out to other reviewers, let me know who you recommend and I'll remove the WIP tags.

[kmh287]

done, let me know if you think it's too much detail

[kmh287]

done, though we'll need to revert if another version is added

[kmh287]

done

[kmh287]

@choumx Do you think there's a better way to provide the public key for testing besides the optional third param here?

[dreamofabear]

Depends on how the actual public key is stored. OK for now.

[kmh287]

I imagine anyone able to modify the public key (and therefore use tokens they signed themselves) could also just do AMP.toggleExperiment, right?

[kmh287]

This should only fail if we generated a bad token, or if the token has been modified. Do you think we should catch the error, add more context, and then reject?

[kmh287]

done.

[kmh287]

done

[kmh287]

done, thanks

[kmh287]

nah, fixed

[kmh287]

I think this is how the crypto tests are current setup. (not that that's the best solution here) What do you mean by wrap the it methods?

[dreamofabear]

Can you follow-up on that email thread with two questions:

• Why the hash in crypto-impl.js and should we use it?
• Storage recommendation for private keys?

[dreamofabear]

if (crypto.isCryptoAvailable()) {
  it(...);
}

[dreamofabear]

Nit: configSize to be consistent, or change the other var to bytesForConfigLen.

[kmh287]

done

[dreamofabear]

I think this means that a document (e.g. shadow AMP) could enable experiments for the window. We probably should just use win.location as amp-experiments-opt-in does.

[kmh287]

ok

[dreamofabear]

Is there an issue with optional trailing slash?

[kmh287]

I believe Location.origin always returns without a trailing slash. We'll need to make sure we create and sign the tokens that way.

[dreamofabear]

Depends on how the actual public key is stored. OK for now.

[dreamofabear]

I assume this is automatically torn down after each unit test?

[kmh287]

looks like

[dreamofabear]

Now I think of it -- for two origin experiments A and B, we probably want to allow publishers to have the flexibility to choose to enable origin trial A && !B on some pages. Chrome also only has one experiment per token.

[kmh287]

Then we should probably run this at page load. Otherwise we will need to apply this process to every token on the page. We could do it once lazily, but then we could still have a promise that takes a very long time to resolve.

WDYT?

[jridgewell]

These should all be pre-evaluated, that way error reporting can log that each experiment is enabled.

[dreamofabear]

SGTM

[kmh287]

done, PTAL

[dreamofabear]

Since we're just using a transient experiment, we can check this internally. This should avoid parsing a token more than once.

[kmh287]

ok

[jridgewell]

All of this byte array stuff is way more complicated than necessary. Why not just use a comma delimited string?

${VERSION = 0},${BASE_64},${SIGNATURE}

[kmh287]

@choumx thoughts?

[jridgewell]

We can decide on the actual delimiter (commas are used to separate Origin-Trial headers), but anything will do. We have the benefit of not requiring super-high-performance can-never-exhaust-memory strings.

[kmh287]

That may be a way to go, considering that the version number, base64 encoded experiments object, and signature can't contain commas.

[dreamofabear]

I believe including the length of the config prevents length extension attack.

[jridgewell]

In that case, we would need to sign the length, too. I still don't see this as a high priority, though.

[jridgewell]

We need to ensure expiration is in milliseconds, or we need to normalize now into seconds.

[kmh287]

We control the contents of the token, so we can do the former.

[jridgewell]

These should all be pre-evaluated, that way error reporting can log that each experiment is enabled.

[kmh287]

@choumx The hash in crypto-impl is definitely there to bail out of verification early. We don't really have a choice but to include it, unless we want to add similar methods to crypto-impl that don't require it. I'll ask them about recommendations for private key storage.

EDIT: There would be no need to modify cryppto-impl. If we wanted to get around the hash and version number additions to the signature and version number addition to the pre-signed data, we should just use the browser's crypto directly.

[dreamofabear]

I believe including the length of the config prevents length extension attack.

[dreamofabear]

Since approvedOrigin is just from unfiltered, user-submitted form data, I still think we should make this robust enough such that inclusion of optional fragments like www. and trailing slash will still work.

[kmh287]

I agree about trailing slash, but some of that should be handled when we validate the forms.

[dreamofabear]

SGTM

[kmh287]

@choumx @jridgewell PTAL

[dreamofabear]

Did you speak with @taymonbeal about the upcoming crypto-impl.js API changes and key rotation strategy?

[dreamofabear]

We should avoid competing with startup tasks. The non-startup flavor of chunk may be a good fit here.

How long does it take to verify a single token? That should decide the granularity of the chunk.

[kmh287]

Any suggestions on how to get that to work with the async nature of the token parsing? enableExperimentsForOriginTrials needs to be able to return a promise.

I profiled enableExperimentsFromToken and at 10x throttling, Chomr reported about 5ms, though I'm dubious. Does that number sound reasonable to you?

[dreamofabear]

You can create a new Promise, store the resolve function and call it manually when it completes.

At 5ms it might be fine to have the entire thing in a single chunk.

[kmh287]

But how can chunk control when the different parts of the task run if the task has a long promise chain?

[kmh287]

I've put something on our calendars for next week. Taymon took a look over this PR and, I'm assuming, didn't see any glaring issues. Reviewing the PR that changes crypto-impl, I can tel I'll need to tweak the token generation process (and, therefore, the test tokens) but the logic here should be unaffected. Of course, I'll test again after that code is merged to be sure.

[jridgewell]

This needs to be an Error instance, and you can just throw it.

[kmh287]

ok

[jridgewell]

Ditto.

[kmh287]

ok

[jridgewell]

Multiple experiments per token breaks with Chrome's Origin Trials.

[kmh287]

can you link or send me info on that?

[dreamofabear]

https://github.com/jpchase/OriginTrials/blob/gh-pages/explainer.md#trial-tokens

Why I think this is a good idea: #8944 (comment)

[jridgewell]

I don't understand the argument. Any two trials can be turned on independently, accomplishing #8944 (comment).

[jridgewell]

TODO

[kmh287]

This may need to be filled in later once we determine the proper way to store the key pair.

[dreamofabear]

Continuing from: #8944 (comment)

Should be sign(version + length + config, private_key). My mistake on the doc.

[kmh287]

done

[kmh287]

Changed to one experiment per token and updated the signature verification.

[kmh287]

done

[jridgewell]

Nit: We can shorten this a bit by forcing 8 bit ints before shifting:

const val = (bytes[0] & 0xFF) << 24 |
     (bytes[1] & 0xFF) << 16 |
     (bytes[2] & 0xFF) << 8 |
     (bytes[3] & 0xFF);

[kmh287]

done

[kmh287]

@choumx

[dreamofabear]

One change and then let's get this in. Do you have the token generation steps in a shared doc?

[dreamofabear]

Let's comment this out for now pending resolution of the startup latency issue.

[kmh287]

I sent you a js file a few days ago.