-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
requestStorageAccessFor #125
Comments
For context, prior discussion about this API took place in privacycg/storage-access#107. It sounds like it has had a few changes. However, I think my fundamental concern still stands. Assume a top-level A that may or may not fetch a CORS script from B after a successful ( |
Thanks Anne! I understand the reputation concern. While it also seems like something that a prompt should be able to explain (top-level.com wants to access your identity on other-site.com), I think it's important to acknowledge that this is easier to solve for when you have a gating mechanism like FPS. It still seems like an important extension to the SAA given the recent (necessary) per-frame changes, so we'd love to explore ways to make this work for everyone. I was wondering: Is there any concern to WebKit with using FPS not as a deciding factor but just as a "filter" for who gets to prompt as part of this API? @johnwilander previously mentioned in conversations that this would be worth considering. I know you weren't fully satisfied with the latest version of FPS, but it's not clear to what extent this applies to the idea of gating prompts on it. Alternatively, FPS requires developers to leave .well-known/ artifacts on participating sites that could be checked at runtime, without needing to consume a list. |
Request for position on an emerging web specification
Information about the specification
Design reviews and vendor positions
Anything else we need to know
The proposed
requestStorageAccessFor
API builds on the Storage Access API to allow non-iframe use. This affords more control for the top-level site as cross-site cookies continue to be phased out; it also allows partial restoration of the page-level behavior ofrequestStorageAccess
, which will be retired in favor of a per-frame model. LikerequestStorageAccess
, implementation-defined behavior allows different user agents flexibility to apply policies as they see fit, though the hope is that divergence will be minimized.Note that this proposal is similar to an internal shim API implemented by both Safari and Firefox.
Prior discussions have surfaced the need for embeddee opt-in, which the API attempts to ensure via requiring invocation of
requestStorageAccess
for frame-level access (the same way a priorrequestStorageAccess
grant is proposed to waive the user interaction requirement in the per-framerequestStorageAccess
model); requiring CORS on subresource requests to the embeddee from the top-level site in order for cookies to be included; and applying only to explicitlySameSite=None
cookies.The text was updated successfully, but these errors were encountered: