Intent to Prototype: requestStorageAccessForSite
Matt Reichhoff
Contact emails
mreic...@chromium.org, kaust...@chromium.org, joha...@chromium.org
Explainer
https://github.com/mreichhoff/requestStorageAccessForSite
Specification
We do not have a draft specification yet, but we hope to further incubate and develop the API, and specify it as an extension of the existing Storage Access API.
TAG review
Not yet filed.
Blink component
Blink>StorageAccessAPI
Summary
This intent proposes an extension to the Storage Access API (which was previously implemented in Chromium by the Microsoft Edge team). The extension allows a top-level site to request access to unpartitioned ("first-party") cookies on behalf of embedded sites. We intend for sites to utilize this API as one of the replacements for third-party cookies, which are being phased out in Chrome. This extension of the Storage Access API inverts the direction of the `requestStorageAccess` request, which is called by the embedded site once it receives a user interaction. Browsers will have discretion to grant or deny access. See the explainer for much more information, including about the elevated trust requirement.
Motivation
Multiple browsers supporting the Storage Access API have implemented an internal API similar to requestStorageAccessForSite, indicating it is useful for websites that depend on authenticated/personalized content served from cross-site origins. We intend it to aid in unblocking certain cross-site, same-First-Party Set use cases previously addressed by the now-archived SameParty cookie attribute.
Risks
Interoperability and Compatibility
The new API is in the process of being specified. Because it is additive, it does not present a significant risk to existing code (with the only risk being sites that would have added an identically named method to the document object).
Feedback is currently being sought; these are TODOs but need not block prototyping.
Firefox: TODO
Edge: TODO
Safari: TODO
Web developers: TODO
Ergonomics
See the key scenarios and design discussions on the explainer. Note that some details, like origin vs site scoping, are still being determined.
Security
Please see the security and privacy considerations section of the explainer. There are some details, like potential CORS requirements, that are still being considered.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes, all blink platforms are in scope.
Is this feature fully tested by web-platform-tests?
web-platform-test coverage will be added as part of this effort, once the spec is sufficiently defined.
Feature flag (until launch)
--enable-features=StorageAccessAPI-rsaFor
(note that the larger StorageAccessAPI is behind the flag: StorageAccessAPI; the new flag name is subject to change)
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5122534152863744
Brandon Maslen
What is the intended interaction with declarative SAA as being discussed in Allow forward-declaration of storage access need · Issue #83 · privacycg/storage-access · GitHub ?
Rather than a separate explainer/repo for discussion, would it be possible to discuss in https://github.com/privacycg/storage-access/ perhaps open an issue to discuss this modification/extension. If there are any specific parts all implementors don't agree on some things could be spec'd in a way to allow implementors to make a decision; we already do that with respect to how/when prompts show up for requested access. It would be great to start there and align early.
Matt Reichhoff
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c08d433c-3744-4518-b65b-a19e4f67ed1dn%40chromium.org.