mreic...@chromium.org, kaust...@chromium.org, joha...@chromium.org
https://github.com/mreichhoff/requestStorageAccessForSite
We do not have a draft specification yet, but we hope to further incubate and develop the API, and specify it as an extension of the existing Storage Access API.
Not yet filed.
Blink>StorageAccessAPI
This intent proposes an extension to the Storage Access API (which was previously implemented in Chromium by the Microsoft Edge team). The extension allows a top-level site to request access to unpartitioned ("first-party") cookies on behalf of embedded sites. We intend for sites to utilize this API as one of the replacements for third-party cookies, which are being phased out in Chrome. This extension of the Storage Access API inverts the direction of the `requestStorageAccess` request, which is called by the embedded site once it receives a user interaction. Browsers will have discretion to grant or deny access. See the explainer for much more information, including about the elevated trust requirement.
Multiple browsers supporting the Storage Access API have implemented an internal API similar to requestStorageAccessForSite, indicating it is useful for websites that depend on authenticated/personalized content served from cross-site origins. We intend it to aid in unblocking certain cross-site, same-First-Party Set use cases previously addressed by the now-archived SameParty cookie attribute.
Interoperability and Compatibility
The new API is in the process of being specified. Because it is additive, it does not present a significant risk to existing code (with the only risk being sites that would have added an identically named method to the document object).
Feedback is currently being sought; these are TODOs but need not block prototyping.
Firefox: TODO
Edge: TODO
Safari: TODO
Web developers: TODO
Ergonomics
See the key scenarios and design discussions on the explainer. Note that some details, like origin vs site scoping, are still being determined.
Security
Please see the security and privacy considerations section of the explainer. There are some details, like potential CORS requirements, that are still being considered.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes, all Blink platforms are in scope.
Is this feature fully tested by web-platform-tests?
web-platform-test coverage will be added as part of this effort, once the spec is sufficiently defined.
Feature flag (until launch)
--enable-features=StorageAccessAPI-rsaFor
(note that the larger StorageAccessAPI is behind the flag: StorageAccessAPI; the new flag name is subject to change)
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5122534152863744
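An added example, not part of the original message or the project's code: how a top-level page might feature-detect the proposed method and call it for its embedded sites, treating a rejected promise as the browser's decision to deny. The single-string argument, the promise return value, passing an origin, the https-only check, and the names `requestAccessForEmbeds`, `doc` and `sites` are assumptions; the message does not give the signature and notes that origin vs site scoping is still undecided.

```javascript
// Added example. Assumption: doc.requestStorageAccessForSite(site) takes one
// string and returns a promise that rejects when the browser denies access.
async function requestAccessForEmbeds(doc, sites) {
  const result = { supported: false, granted: [], denied: [] };
  const fn = doc && doc.requestStorageAccessForSite;

  // Feature-detect: the method is absent unless the feature is enabled.
  if (typeof fn !== 'function') return result;
  result.supported = true;

  for (const site of sites) {
    let origin;
    try {
      // Normalize to an origin and refuse non-https embeds (caller policy,
      // an assumption of this example) before asking the browser.
      const url = new URL(site);
      if (url.protocol !== 'https:') throw new TypeError('not https');
      origin = url.origin;
    } catch (e) {
      result.denied.push({ site, reason: 'invalid site' });
      continue;
    }
    try {
      // The browser has discretion to grant or deny; a denial is not fatal.
      await fn.call(doc, origin);
      result.granted.push(origin);
    } catch (e) {
      result.denied.push({ site: origin, reason: (e && e.name) || 'rejected' });
    }
  }
  return result;
}
```

Callers should fall back to a flow that does not need unpartitioned cookies for every entry in `denied`, and for all sites when `supported` is false.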