cfre...@chromium.org, joha...@chromium.org, shu...@chromium.org
https://github.com/cfredric/chrome-storage-access-api
https://github.com/privacycg/storage-access/blob/main/README.md
https://privacycg.github.io/storage-access
The Storage Access API provides a means for authenticated cross-site embeds to check whether they have access to their unpartitioned cookies and request access to unpartitioned cookies if they are blocked. Chrome already supports the Storage Access API across sites within the same First-Party Set, in conformance with the specification, and now we intend to prototype support for user permission prompts and user-agent-specific permission behaviors in line with what other browsers are shipping.
Note that Edge previously sent an I2I for the Storage Access API feature, but we felt it was appropriate to send a new I2P given that Chrome previously shipped support for the Storage Access API gated on First-Party Sets membership and did not support prompts.
Chrome currently supports the Storage Access API without a user prompt – access is only granted based on First-Party Sets. However, some user experiences rely on access to unpartitioned cookies in cross-site contexts and are not supported by the existing solution. The Storage Access API with prompts provides a way for sites to request cross-site cookie access to enable these use cases. We aim to implement this in a way that does not overwhelm users with prompts or compromise their privacy.
https://github.com/whatwg/html/issues/3338
https://github.com/w3ctag/design-reviews/issues/807
There is minor compatibility risk as Firefox and Safari already differ slightly in their user-agent-specific prompt requirements. Chrome's planned behavior is closest to Safari's current behavior, and we aim to standardize as much of this user-agent-specific behavior as possible over time.
Gecko: Shipping
WebKit: Shipping
Web developers: Positive
There has been great developer interest in the Storage Access API, given that it provides the only predictable way of working with cross-site cookies in many browsers. Various developers have chimed in on https://github.com/whatwg/html/issues/3338 and filed issues on https://github.com/privacycg/storage-access.
Other signals: Edge has shipped Blink's current implementation of this behavior, which differs from Chrome's plans. We have kept (and intend to continue keeping) Edge engineers in the loop about these changes and there will be feature flags to control this behavior.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
No, because prompt behavior and user-agent-specific behaviors are not testable. The Storage Access API itself is tested at https://wpt.fyi/results/storage-access-api.
StorageAccessAPI, PermissionStorageAccessAPI
True
Desktop 117
Android 119
https://chromestatus.com/feature/5085655327047680
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/e5fu5Q06ntA/m/1KF5oNEXAgAJ
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/V9PzoCvIIIs/m/b4R9G0xoCQAJ
This intent message was generated by Chrome Platform Status.
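The check-then-request flow described in the summary, seen from inside a cross-site embed, as an added example that is not part of the original message or of Chrome's code. `ensureCookieAccess` and `fakeEmbed` are hypothetical names, and the stand-in objects are constructed so the flow can be run outside a browser.

```javascript
// In a real cross-site iframe, call:
//   ensureCookieAccess(document, navigator.permissions,
//                      navigator.userActivation.isActive)
async function ensureCookieAccess(doc, permissions, userGesture) {
  // Browsers without the API: nothing to check or request.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return { access: false, reason: 'unsupported' };
  }
  if (await doc.hasStorageAccess()) {
    return { access: true, reason: 'already-granted' };
  }
  let state = 'prompt';
  try {
    state = (await permissions.query({ name: 'storage-access' })).state;
  } catch (_) {
    // Permission name not recognised by this browser: treat it as "prompt".
  }
  if (state === 'denied') return { access: false, reason: 'denied' };
  // The API requires a user gesture before it may prompt, so do not call
  // requestStorageAccess() on page load; wait for a click in the embed.
  if (state === 'prompt' && !userGesture) {
    return { access: false, reason: 'needs-user-gesture' };
  }
  try {
    await doc.requestStorageAccess();
    return { access: true, reason: 'granted' };
  } catch (_) {
    // The user declined, or the browser's own policy refused the request.
    return { access: false, reason: 'rejected' };
  }
}

// Constructed stand-in for document and navigator.permissions.
function fakeEmbed({ hasAccess, state, userAccepts }) {
  const doc = {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (state !== 'granted' && !userAccepts) throw new Error('NotAllowedError');
      hasAccess = true;
    },
  };
  const permissions = { query: async () => ({ state }) };
  return { doc, permissions };
}
```

An embed that gets `needs-user-gesture` should render a sign-in or "continue" button and call the function again from its click handler, rather than retrying automatically.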