Use case for Storage Access API providing access to unpartitioned 1st party cookie #10
Comments
|
Thanks! In our DM chat you also mentioned needing access to read 1st party localstorage. Is that still the case, or is reading a cookie adequate for your use case? |
|
That depends on how exactly we would implement authenticating the Fetch/XHR requests. It can be a cookie that the browser attaches automatically, or some OAuth token stored in local storage and attached by JS as |
|
Just as an update here, we are actively thinking about this use case but don't have anything we can publish publicly yet. |
|
Time for another yearly update: Chrome has now announced plans to implement the Storage Access API, and I wrote up details of how Chrome's implementation will work here. Please take a look, and let us know if that will address your use case in Chrome. (My understanding from your description is that it will address your need, but just want to double-check.) |
|
Thanks @cfredric for the update 👍 I can confirm that Chrome's planned implementation will work for us. The user, an owner/admin of a WordPress.com-hosted site, will be routinely interacting with |
|
Hi @jsnajdr - I want to clarify that the user's activity on |
|
Thanks for the clarification, I misread the document the first time. That behavior is also fine for us, we intend to show embedded UIs to the users and expect them to interact with the UIs. In our view, top-level activity would be a stronger condition for renewal. |
|
Thanks @jsnajdr - could you please elaborate on why "top-level activity would be a stronger condition for renewal" from your perspective? Chrome is interested in maintaining positive user experiences, so we're interested in hearing other perspectives on different potential signals. |
By "stronger" I didn't mean "better", but rather "less likely to be satisfied". If the user opens the popup that embeds Notifications UI from |
|
What is the expected behavior when Partitioned cookies are present in the cookie jar, and Storage Access is granted? The current proposal describes the general behavior as:
But it's not obvious that this is what web sites expect, and this raises questions about cookies that conflict. Is the current thinking about this behavior already described somewhere that I missed? |
Then the document has access to both cookie jars, the partitioned and unpartitioned one. If each jar contains a cookie with the same name, both cookies will be sent with requests, both will be visible in This "conflict" behavior is not new, you can already have cookies with same name but different |
|
Yeah this is an established behavior for cookies and mostly shakes out of the way that the Retrieval Algorithm works. That there can be multiple cookies with the same name but otherwise different attributes is more explicitly acknowledged in the Storage Model which is also referenced in the CHIPS spec. |
In a DM convo about the fact that the Chrome storage partitioning doesn't currently plan to implement the Storage Access API, @wanderview encouraged me to share some use cases where our product (WordPress.com website hosting) is using unpartitioned third party cookies to deliver valuable user experience and features. And where the Storage Access API, as implemented by Safari and Firefox, lets us continue to deliver that experience with just one extra confirmation prompt.
On the
wordpress.comdomain, there runs a web app that lets the user create and manage one or more websites running WordPress. The actual website runs on a custom domain, e.g.,example.com. The user is logged intowordpress.comand has first party session cookies for that domain.Now, when the user navigates to the
example.comsite, the site wants to detect that its admin is visiting. And display an "Adminbar" on the top, and an expandable Notifications panel:This Notifications panel is an iframe loaded from
wordpress.comdomain, makes Fetch/XHR requests to thewordpress.comdomain, and is authenticated withwordpress.comcookies. Which are third-party in this context.This feature stops working completely when third-party cookies are blocked or partitioned. The iframe embedded in the
example.compage doesn't know the user is logged intowordpress.comand has no way of knowing that. And it's the right thing that it doesn't have that knowledge because otherwisewordpress.comwould have a tracking capability.Note that the
example.comorigin is an untrusted environment. It can run arbitrary third-party code via downloaded plugins. Therefore we must protect the user’s cookie/token and private communications withwordpress.com, which may include actions and notifications from all of their sites, fromexample.comcode running in the browser or the server back-end.That's why the Notifications panel cannot be implemented as running on the
example.comorigin and accessing only REST endpoints running onexample.com. The cross-origin iframe is providing a "trusted execution environment" inside an untrusted page.Solving this with Storage Access API
If the Storage Access API is available, we can solve this issue quite easily: after opening the Notifications panel, first show an info box that the feature requires first-party access to
wordpress.comcookies. After the user approves the access, we can proceed to load the notifications and show the Notifications UI.The access we need is read-only: we only ever need to read the first-party unpartitioned cookie. We don't need any write access there. And the cookie doesn't need to be readable by scripts: it can be
HttpOnly. But the cookies needs to beSameSite=None-- that's the only requirement where the cookie is not "strict" in any sense.Another fact worth pointing out is that the user has already visited
wordpress.comas a first party, logged in there, and visits the site on a regular basis. The Safari and Firefox implementations use this as a heuristic to decide whether to show the user a prompt onrequestStorageAccessat all, or to reject the request right away.The text was updated successfully, but these errors were encountered: