Updates to Shared Storage API in M130: createWorklet and addModule

247 views
Skip to first unread message

Tara Agyemang

unread,
Sep 17, 2024, 10:02:04 AMSep 17
to Shared Storage API announcements

Hey all,


We're introducing changes to the Shared Storage API in M130 to give you more flexibility when working with cross-origin worklet scripts.


What’s changing

We are removing the same-origin restriction for addModule() so you can now load worklet scripts from any origin. Cross-origin worklet scripts enable key use cases such as hosting worklet scripts on CDNs. When the worklet script is cross-origin to the invoking browsing context, the invoking context's origin is used as the data partition origin for accessing shared storage.


To match the new addModule() behaviour, and reduce potential confusion, the dataOrigin property will be added to the createWorklet() call to allow reading and writing to a shared storage data partition that is different from the invoking browsing context. This gives you more granular control over which origin's shared storage is accessed by each worklet, even when using cross-origin worklet scripts.


How it will change

As of M125, a third-party cross-origin script on a page is able to create cross-origin worklets without the need for cross-origin iframes by invoking createWorklet(url). Currently, createWorklet(url) uses the script URL (url) origin as the data partition origin, regardless of the invoking context. 


In M130, to align with the new addModule() behaviour, createWorklet() will also use the invoking context as the default data partition origin. To continue using the script URL origin as the data partition origin, a new property dataOrigin is being introduced to allow you to explicitly set the data partition origin.


The new dataOrigin property accepts "script-origin", which sets the data partition origin as the script’s origin, and "context-origin" which sets the data partition origin as the invoking browsing context’s origin. In a future release we also plan to support custom data partition origins, where a worklet script can access shared storage data from an arbitrary origin on an opt-in basis.


When loading a cross-origin script with data origin set to "script-origin", the request for the script sent from the browser will include a "Sec-Shared-Storage-Data-Origin: <origin>" header. To enable this, the script must also include the "Shared-Storage-Cross-Origin-Worklet-Allowed: ?1" opt-in response header.


How to be ready

For forward-compatibility, if you’re already using createWorklet() with the script origin as the worklet's data partition origin, you can set the dataOrigin as below ahead of the release to ensure compatibility:


```

sharedStorage.createWorklet(scriptUrl, {dataOrigin: "script-origin"});

```

Since createWorklet() allows the creation of a cross-origin data partition and the creation of multiple worklets, we encourage you to transition to createWorklet() over uses of addModule().


We will update the API walkthrough documentation to reflect these changes and provide further guidance on forward compatibility.


If you have any questions or comments, reply to this post or open an issue in the Privacy Sandbox Dev Support repository on GitHub.
Reply all
Reply to author
Forward
0 new messages