(note that we recently updated the name to remove “origin”, but not yet the repository name)
An extension to the Storage Access API that allows a top-level site to request access to unpartitioned ("first-party") cookies on behalf of embedded sites. Browsers will have discretion to grant or deny access, with mechanisms like First-Party Set membership as a potential signal. This allows for use of the Storage Access API by top-level sites.
For now, we intend to ship requestStorageAccessFor without user-facing prompts, instead relying on information from First-Party Sets to determine which sites should be granted storage access.
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/736)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/125)
This has been discussed with other browser vendors outside of the standards-positions repositories. These browsers ship this functionality as a version that is only accessible to internal code (as an anti-cross-site-cookie-breakage measure), but haven’t exposed it to developers, primarily out of prompt relevance concerns. There have been mixed reactions to our proposal, with the primary feedback being on reputation concerns with potential prompts, and a desire to maintain the security benefits from cross-site cookie blocking to an even larger extent. We intend to work on these concerns in collaboration with other browsers (if possible).
Edge: No public signal. However, we’ve discussed this with Edge and they are supportive of this additional API surface and will work on enabling it (i.e. providing the prompts or FPS mechanisms to gate it) on Edge as well.
Like requestStorageAccess, this API requires additional work from the developer compared to the old state of "passive" cross-site cookie access. This is an inherent, intentional property of the design.
For security reasons, this feature requires developers to use either CORS headers (for non-iframe subresources) or requestStorageAccess in iframes to be able to access cross-site cookies after a requestStorageAccessFor call.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No. This will be supported on Windows, Mac, Linux, Chrome OS, and Android, but will not initially be supported on Android WebView.
Yes, https://wpt.fyi/results/top-level-storage-access-api. Note that while tests are passing locally in Chrome, they’re not yet showing up on wpt.fyi because the feature wasn’t included in the experimental web platform features flag.
True, as we’re adding a new permission and integrating with FPS. As mentioned in the FPS I2S, Chromium-based browsers should be able to consume the list through component updater.
Shipping in M113.
Some details of this API are still being discussed in the Privacy CG and there may be backwards-incompatible changes in the future. As mentioned above, the primary feedback has been on reputation concerns with potential prompts, and a desire to maintain the security benefits from cross-site cookie blocking to an even larger extent.
We are confident in shipping the API in its current state to better understand and iterate on real-world developer needs, and accept the responsibility of supporting potential future breaking API changes. Since use of the API in Chrome is currently restricted to First-Party Sets, we think it allows us to leverage targeted developer outreach to minimize compatibility impact.
This intent message was generated by Chrome Platform Status.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4g87zWDtnn00w1%2BVD%2BYwr9oP0TjOfemX97VrBe96kby3A%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4gsMixxu7f6pGGtEQ-8cUcYw35fJMZqN%3DmphF2MdkSAkg%40mail.gmail.com.