Consider moving Storage Access Heuristics spec into web compat spec #254

Open
amaliev opened this issue Nov 18, 2023 · 2 comments

amaliev commented Nov 18, 2023

See discussion on #253 for context.

Storage Access Heuristics (explainer) is a feature that detects user signals to provide temporary third-party storage access, scoped to a requester and top-level site. At TPAC, it was proposed that the spec for this feature live in web compat as it's default web observable behavior, intended as a temporary mitigation for breakage after third-party cookies are deprecated.

Spec link: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/spec.bs. Note that there are still outstanding TODOs and formatting nits before it's ready for publication.

Open questions:

  1. Is web compat still the best place in standards to host this spec?
  2. Firefox, Safari, and Chrome have slightly different implementations (documented in the current spec). We should align on a normative standard before adding to a spec like web compat.

CC @miketaylr

@miketaylr
Member

> Is web compat still the best place in standards to host this spec?

I think it makes sense in the compat spec, yes (the whole point of the spec is to document things that browsers implement for web compatibility, so there can be interop).

> Firefox, Safari, and Chrome have slightly different implementations (documented in the current spec). We should align on a normative standard before adding to a spec like web compat.

This would be better than documenting UA-specific implementation details, I think. But first we would need some kind of consensus on what the ideal heuristics are, and support for implementing them.

Looking at https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md#scenarios, it seems like Scenario A will be implemented in Firefox, Safari and Chrome. Adding that to Compat seems fairly straightforward (even if there are some implementation-defined grant durations).

And it may turn out that scenario B is required for compat (which seems likely given that Firefox and Safari both ship this) and Chrome eventually adds support. Given that 2 engines ship this today, adding it to Compat makes sense to me.

Scenario C and C2 will only have single-engine implementations, so maybe we just file a "consider adding scenario C" (bonus points if we give these scenarios better names 😄 ) issue opened until there's more alignment or another engine ships it. It would be interesting to understand the motivation for Firefox adding it, and Safari not feeling the need to.

Member

annevk commented Dec 4, 2023

Colleagues and I discussed this a bit internally and we'd prefer having the allowance for heuristics documented as part of Fetch and HTML as part of them documenting Storage Access. That makes it a bit more obvious this hole exists. We'd also want leeway for user agents to experiment with reducing the size of the hole.
