Intent to Prototype: requestStorageAccessForSite

175 views
Skip to first unread message

Matt Reichhoff

unread,
Aug 9, 2022, 1:04:20 PM8/9/22
to blink-dev, Kaustubha Govind, Johann Hofmann

Contact emails

mreic...@chromium.org, kaust...@chromium.org, joha...@chromium.org 

Explainer

https://github.com/mreichhoff/requestStorageAccessForSite

Specification

We do not have a draft specification yet, but we hope to further incubate and develop the API, and specify it as an extension of the existing Storage Access API.

TAG review

Not yet filed.

Blink component

Blink>StorageAccessAPI

Summary

This intent proposes an extension to the Storage Access API (which was previously implemented in Chromium by the Microsoft Edge team). The extension allows a top-level site to request access to unpartitioned ("first-party") cookies on behalf of embedded sites. We intend for sites to utilize this API as one of the replacements for third-party cookies, which are being phased out in Chrome. This extension of the Storage Access API inverts the direction of the `requestStorageAccess` request, which is called by the embedded site once it receives a user interaction. Browsers will have discretion to grant or deny access. See the explainer for much more information, including about the elevated trust requirement.

Motivation

Multiple browsers supporting the Storage Access API have implemented an internal API similar to requestStorageAccessForSite, indicating it is useful for websites that depend on authenticated/personalized content served from cross-site origins. We intend it to aid in unblocking certain cross-site, same-First-Party Set use cases previously addressed by the now-archived SameParty cookie attribute.

Risks

Interoperability and Compatibility

The new API is in the process of being specified. Because it is additive, it does not present a significant risk to existing code (with the only risk being sites that would have added an identically named method to the document object).

Feedback is currently being sought; these are TODOs but need not block prototyping.

Firefox: TODO

Edge: TODO

Safari: TODO

Web developers: TODO


Ergonomics

See the key scenarios and design discussions on the explainer. Note that some details, like origin vs site scoping, are still being determined.

Security 

Please see the security and privacy considerations section of the explainer. There are some details, like potential CORS requirements, that are still being considered.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes, all blink platforms are in scope.


Is this feature fully tested by web-platform-tests

web-platform-test coverage will be added as part of this effort, once the spec is sufficiently defined.


Feature flag (until launch)

--enable-features=StorageAccessAPI-rsaFor

(note that the larger StorageAccessAPI is behind the flag: StorageAccessAPI; the new flag name is subject to change)


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5122534152863744

Brandon Maslen

unread,
Aug 16, 2022, 5:14:45 PM8/16/22
to blink-dev, Matt Reichhoff, kaust...@chromium.org, Johann Hofmann
Nice to see further extension of the SAA for specific scenarios the existing API doesn't fully cover. I had a couple of questions about the extension and how it ties into the existing SAA:

What is the intended interaction with declarative SAA as being discussed in  Allow forward-declaration of storage access need · Issue #83 · privacycg/storage-access · GitHub ?

Rather than a separate explainer/repo for discussion, would it be possible to discuss in https://github.com/privacycg/storage-access/  perhaps open an issue to discuss this modification/extension. If there are any specific parts all implementors don't agree on some things could be spec'd in a way to allow implementors to make a decision; we already do that with respect to how/when prompts show up for requested access. It would be great to start there and align early.

Matt Reichhoff

unread,
Aug 17, 2022, 5:33:42 PM8/17/22
to Brandon Maslen, blink-dev, kaust...@chromium.org, Johann Hofmann
Hello Brandon,

We have documented our stance on the relationship of this proposal with the forward declaration model in the explainer, and I agree that it is an open question we should collaborate on.

I also agree about discussing the proposal via an issue on the storage access repo, which I've now filed. Feedback is welcome!

Thanks!

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c08d433c-3744-4518-b65b-a19e4f67ed1dn%40chromium.org.
Reply all
Reply to author
Forward
0 new messages