-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Third Party cookies access in iframe #409
Comments
Hi @jaissam10, I'm not sure I fully understand your scenario, but the general solution when partitioned cookies/storage are not an option is to use unpartitioned storage, e.g. unpartitioned cookies. Your React app can use the Storage Access API to request access to that data. |
@cfredric Thanks for reaching out! We’re unable to use the Document.requestStorageAccess() method because it prompts the user with a popup to allow or deny access. Since our URLs are dynamic for each PDF, this would trigger a popup every time, which isn’t a practical solution. To explain further: If I open a PDF, like https://pdfobject.com/pdf/sample.pdf, the top-level site (PDF URL) is dynamic. We then insert our iframe (web_accessible_resource), i.e., (chrome-extension://id/viewer.html). Inside this, we load a nested iframe URL of CDN. So, there will be two nested iframes—one for |
If I understand correctly, your CDN ( However, there may still be options for you, since your app isn't just a CDN, it's also an extension. You can therefore use all of the extension APIs (e.g. chrome.cookies) to access the browser's cookies (provided you've requested the appropriate host permissions), and use message passing to send that info from your extension to the CDN iframe. Your CDN can then do whatever it needs to with those cookies, including setting partitioned cookies. That approach is a bit more cumbersome than accessing the CDN's unpartitioned cookies directly, but as I said above, the unpartitioned cookies are intentionally inaccessible to the CDN unless the user grants permission, via the |
@cfredric Thanks for taking the time to check and follow up on this. You're correct that our CDN ( Thanks, I believe the cookies issue can be resolved using However, could you help with addressing the service worker issue? Our CDN relies on a service worker that uses both cache and IndexedDB, which are currently partitioned. Do you have any suggestions on how we might solve this? |
I'm not an expert on extensions, but are the options presented here viable for you? https://developer.chrome.com/docs/extensions/develop/concepts/service-workers/lifecycle#persist-data |
@cfredric I don’t think this approach will be effective, especially regarding service workers (which rely on caching via CacheStorage and IndexedDB). I’m currently using the CacheStorage APIs, but since they are now partitioned, I’m looking for a way to move this functionality to the extension or web-accessible resources to ensure unpartitioned access. Can you assist with this, or suggest an alternative solution? |
If I understand correctly, your
Note that requesting host permissions also comes with a prompt with warnings that users have to accept/deny when your extension is installed/updated. Host permissions are very powerful (as you can see), so this prompt is also working as intended IMO. With that in mind, I would consider whether your extension actually needs unpartitioned storage, or whether it can work using partitioned storage instead. Then you could avoid prompting users and avoid needing the powerful permissions. |
@cfredric My |
Intercepting network requests from other origins sounds like a job for chrome.declarativeNetRequest or chrome.webRequest. |
@cfredric A service worker has a fetch event listener ( This behavior is not achievable with Declarative Net Request (DNR), as DNR operates more at the network level for intercepting, blocking, or modifying requests, but lacks the same flexibility for managing and serving cached responses dynamically. Let me know if I am wrong somewhere. |
@cfredric @krgovind @samdutton @ilipkind Could any of you assist with this? I would greatly appreciate your feedback. |
If I understand correctly, you're asking how to use an unpartitioned service worker to intercept network requests for some origin ( Web platformWeb Platform APIs (on their own) definitely do not provide the ability to intercept another origin's network requests, since doing so would violate the Same Origin Policy. So any solution that bypasses the SOP would necessarily be in the extension APIs. With that framing, we can consider alternatives that don't violate the SOP; i.e., things that your CDN can do on its own origin. The ideal answer would be to let the CDN access an unpartitioned service worker via the Storage Access API, but unpartitioned service workers are intentionally inaccessible in third-party contexts, due to security concerns. So this functionality is intentionally not possible via Web Platform APIs. ExtensionsI'm not aware of a way to do this via extension APIs. You can consider filing a feature request for this. |
@cfredric I have raised the issue here: w3c/webextensions#708. I also discovered that the HTTP cache is partitioned, resulting in actual network requests for multiple XHR calls from our CDN (which we want to cache) each time a new PDF is opened on a different domain, instead of returning from the HTTP cache (disk/memory). Could you suggest a way to make the HTTP cache unpartitioned or provide any workaround to resolve this issue? Note: I observed something strange—some requests for the second PDF are being served from the memory cache. I'm not sure why that's happening. |
I'm not aware that there is a workaround. This is a feature that shipped in all major browsers years ago, to improve security and privacy. I'd consider it a bug in Chrome if it were possible to bypass it on the web at large. Chrome's proposal had some discussion on performance and those engineers found the impact to be largely negligible. |
We have an extension that, when a PDF URL is loaded, inserts an iframe containing our web-accessible resource (an extension HTML page). This page then creates another iframe that loads our React application hosted on a domain, such as
https://abc.com/index.html
.When a user opens a PDF URL, like
https://pdfobject.com/pdf/sample.pdf
, two iframes are embedded in the page—the first being our extension page and the second being our React application. These two iframes communicate with each other viapostMessage
.The login process in our React application relies on cookies that are set on a different domain (e.g.,
subdomain.abc.com
). However, these cookies are not being included in the network API call for sign-in when third-party cookies are disabled by the user or when the browser enforces third-party cookie restrictions.Given that PDF URLs are dynamic, partitioned cookies (which are tied to the top-level site) aren't a viable solution.
How can we resolve this issue?
CC: @krgovind @samdutton
The text was updated successfully, but these errors were encountered: