Storage Access API Standardization

[johannhof]

I'm filing this issue as a continuation of #3338. There was a lot of conceptual discussion in that issue we've moved on from, and I want to discuss concrete steps to merge https://github.com/privacycg/storage-access into HTML here.

There are still a few remaining issues that the SAA editors would like to see resolved before making a PR: https://github.com/privacycg/storage-access/issues?q=is%3Aissue+is%3Aopen+label%3A%22resolve+before+graduation%22

But overall we're close enough that tracking this effort here makes sense, IMO.

[annevk]

The initial step towards this involves these Fetch and HTML PRs:

• Integrate with new draft cookie spec (draft-annevk-johannhof-httpbis-cookies/00+ε) fetch#1807
• Add "has storage access" boolean to environment #10990
• Add cross-site ancestor flag to environment. #11133
• Pass a top-level navigation initiator origin to Fetch #10991

@bvandersloot-mozilla I have now taken a look at all of these, pushed some fixes, and they look good from my perspective, but OP still needs to be updated in most to reflect multi-implementer interest and the testing situation. Could you take care of that?

And as #10990 (comment) reminded me there might also be need for a Storage Access API PR to account for some logic no longer having to be maintained there?

@domenic would you be willing to also review the HTML PRs as they impact navigation to some extent?

[johannhof]

And as #10990 (comment) reminded me there might also be need for a Storage Access API PR to account for some logic no longer having to be maintained there?

Yes, I believe that's the case. We're still missing all of the API surface. @bvandersloot-mozilla are you interested in upstreaming SAA? Otherwise I can see if someone on my team has cycles (cc @cfredric)

[annevk]

I think for now we need a PR that removes everything from SAA that's now being taken care of by these four PRs. Then subsequently we can have an upstream PR for SAA against HTML that's hopefully mostly moving text across.

[johannhof]

Ah, I misunderstood your comment, but I agree, we can do it in that order.

[bvandersloot-mozilla]

I updated the comment to reflect interest from 3 engines, and point to https://wpt.fyi/results/cookies/samesite for tests. @annevk: do you think we should improve coverage over what is in that folder? Given the amount of failures in that folder I don't know if we should rely upon it to be actually testing what we want/have written

[bvandersloot-mozilla]

Filed privacycg/storage-access#217 which should be merged along side the others to prevent Storage Access API build bustage

[bvandersloot-mozilla]

We've noticed that whatwg/fetch#1807 no longer uses the work in #10990. We'll still need it eventually for Storage Access API upstreaming, but it doesn't need to happen at the same time as the others (and the same is then true of privacycg/storage-access#217).