Details on COI headers change, import desc updates #96

Merged
merged 4 commits into from
Nov 6, 2024

Collaborator

@hollyschinsky hollyschinsky commented Nov 1, 2024

Description

  • Adds details around the change Express is making to enforce cross-origin isolation headers and the impact it may have on current add-ons and those in development.
  • Updates the descriptions for importPdf() and importPresentation() to clarify that when used, they will add a new document to the current project.

Motivation and Context

Related blog post draft

NOTE: Once Express makes the associated changes, we'll need to update the docs again with some tweaks and wording. This first pass is to help show the devs how to test their current add-ons as well.


Mobile add-ons

You cannot test this on mobile devices. You should test your add-on on a desktop web browser. Any issues you run into would also appear on mobile devices, and any fixes you apply would also apply to mobile users.
Collaborator

Just realized this is a little ambiguous about what kinds of desktop browsers the user should test on -- let's revise to "you should test your add-on on a desktop web browser powered by Chromium."


You should test flows in your add-on that involve the following:

- **Purchase flows:** In particular, if you’re using an iframe to handle the purchase experience, you should also test an international purchase to ensure that any additional verification flows your payment provider requires also work. *Please note that if you handle purchases on a new tab, you should not need to worry about failures.*
Collaborator

Realizing that the italicized portion could be ambiguous

Note: You're probably not impacted if you handle purchases in a new tab.


## Overview

Adobe Express will soon be enforcing cross-origin isolation on the associated domains (i.e., “new.express.adobe.com”) for Chromium-based browsers (including Chrome, Microsoft Edge, Opera, and others). This *may* impact your add-on due to stricter rules enforced by the browser. You’ll want to ensure that any add-ons you’ve developed or are developing now work in this new environment.


I wonder if we should reframe this to make it future proof. For example, instead of 'Adobe Express will soon be enforcing cross-origin isolation' we can say 'Adobe Express enforces cross-origin isolation'. That way we won't have to update this doc once again.

Collaborator

+1 to the above. Otherwise, can we add a tentative date here to make it clear when the devs should start doing these?

Collaborator

We don't have a date just yet. It depends on how quickly we're able to test existing add-ons, so it's likely a couple of months away.

I don't want to mislead new developers into expecting that these headers are being sent (since they'll end up assuming their add-on works when it might), so I think we'll have to come back and revisit when the headers start to be enforced.

Collaborator

Thinking about it more, we can drop in our current estimate, but indicate we'll update when we know more.

Something like:

We expect the enforcement of cross-origin isolation headers to begin around the end of 2024. We'll update you the moment we have a more certain date.

Collaborator Author

@kerrishotts I added the estimate into an info block but let me know if you think it should be marked as a warning block instead.


![Override downloads folder screenshot](./img/coi-test-4.png)

Depending on your operating system and location of the folder, the developer tools may need to request additional permissions in order to access the folder. If so, the message will again appear near the top of the developer tool window.
Collaborator

[optional suggestion] Depending on your operating system and the folder's location, the developer tools may need to request additional permissions to access it.


![Final header values screenshot](./img/coi-test-13.png)

At this point you can reload Adobe Express and proceed to test your add-on. Be sure to watch the network panel for errors that your add-on might encounter.
Collaborator

[Optional Suggestion to make it less wordy] At this point, you can reload Adobe Express and test your add-on.


- **Purchase flows:** In particular, if you’re using an iframe to handle the purchase experience, you should also test an international purchase to ensure that any additional verification flows your payment provider requires also work. *Please note that if you handle purchases on a new tab, you should not need to worry about failures.*
- **Flows that load external domains in iframes:** For example, you may be using an iframe to generate a preview for the user or using an iframe to embed a video player.
- **Flows that display images and other content:** For example, if you’ve built an add-on that allows the user to add stickers and the stickers are served from your domain or another third party, you should verify that the images appear in the add-on’s user interface correctly. (If the content is bundled with your add-on you should already be covered.)
Collaborator

If the content is bundled with your add-on,

- **Purchase flows:** In particular, if you’re using an iframe to handle the purchase experience, you should also test an international purchase to ensure that any additional verification flows your payment provider requires also work. *Please note that if you handle purchases on a new tab, you should not need to worry about failures.*
- **Flows that load external domains in iframes:** For example, you may be using an iframe to generate a preview for the user or using an iframe to embed a video player.
- **Flows that display images and other content:** For example, if you’ve built an add-on that allows the user to add stickers and the stickers are served from your domain or another third party, you should verify that the images appear in the add-on’s user interface correctly. (If the content is bundled with your add-on you should already be covered.)
- **Flows that add content to the user’s document:** Make sure that users can successfully add images or other assets to the document if your add-on provides this functionality. This should only apply to assets loaded from your domain or an external domain. Generated assets or assets bundled with your add-on should not have any issues.
Collaborator

[Optional Suggestion to make it less wordy] This should only apply to assets loaded from your or external domains.


## Addressing issues found in your add-on

Applying fixes to your add-on is generally straightforward, but does depend on the issue you’re seeing.
Collaborator

[Optional Suggestion to make it less wordy] Applying fixes to your add-on is generally straightforward, but it depends on the issue you’re seeing.

src/pages/guides/develop/coi.md (2 resolved conversations)

To enable this environment yourself, perform the following steps:

First, launch your browser’s developer tools and navigate to the "Network" tab, and then navigate to [Adobe Express](https://new.express.adobe.com) in the browser. Your network panel should fill up with a lot of network traffic, like this:
Collaborator

Can we have this as step by step?

  1. Open Developer Tools:
    Launch your Chromium-based browser (e.g., Chrome, Edge, Opera).
    Open the developer tools by pressing F12 or Ctrl+Shift+I (Windows/Linux) or Cmd+Option+I (Mac).

  2. Navigate to the Network Tab:
    In the developer tools, click on the Network tab.

And so on...


![Override headers screenshot](./img/coi-test-2.png)

Assuming you haven’t done this before, the developer tools will ask you to pick a folder on your local file system where these overrides are stored. The alert is easy to miss, since it doesn’t present as a dialog box, but rather a message near the top of your developer tool window.
Collaborator

Can we call this out using an alert block?

Collaborator Author

> Can we call this out using an alert block?

I tried it but it threw off the whole thing with steps due to the fact that alerts always have to be left-aligned (no indent), but the steps around it create indent so it looked strange. I marked it with IMPORTANT: instead for now.

- Ask if the third party provider can set headers for you via their existing support channels.
- Create a proxy that you control to act as an intermediary. This has security and privacy implications since you need to ensure that the proxy is secure, doesn’t mix up or serve incorrect data, and doesn’t preserve user information for any longer than necessary to complete the transaction.

## Review process impact
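
Review bot: The proxy bullet names the risks (keeping the proxy secure, serving incorrect data, retaining user information) but gives the developer nothing concrete to act on. Consider stating the constraints such a proxy should meet, for example forwarding only to the specific third-party hosts the add-on needs rather than arbitrary URLs, and not storing request or response bodies beyond the transaction. Two smaller points in the bullet above it: "third party provider" should be hyphenated, and "set headers for you" would be clearer if it named which headers the provider needs to send.
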
Collaborator

Can we link the submission guidelines doc here?

Collaborator

@nimithajalal nimithajalal left a comment

LGTM :)

@hollyschinsky hollyschinsky merged commit 2614738 into main Nov 6, 2024
11 checks passed