SmartTokenLabs / token-negotiator

The token-negotiator is an NPM package designed for use with TokenScript.
MIT License

Passive Negotiation | Design Architectural Change - Overlay #114

Closed nicktaras closed 2 years ago

nicktaras commented 2 years ago

postMessage is not permitted on many browsers, including Safari (Mac, iOS), Brave and Chrome (iOS).

As a workaround to this problem, the Access API, cookies and local storage can be used.

See branch: https://github.com/TokenScript/token-negotiator-examples/tree/wip-access-storage

Technical Requirements:

Tokens through Iframe

  1. Apply the Access Storage API to allow Safari to read cookies (click a button from within the iframe, e.g. activate negotiation)
  2. Find the tokens within the cookie and store them in the top window's local storage (attestations)
  3. Read the tokens from the client window
  4. Ensure that active negotiation is not impacted by such design changes.

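The iframe-side flow sketched in the requirements above, as an added example that is not part of token-negotiator: the cookie parsing and the strategy choice are pure functions (so they can be exercised outside a browser), while the Storage Access API call is isolated in a click handler because browsers only grant it from a user gesture. It assumes attestations arrive as cookies named `attestation-<issuer>` (a constructed convention) and, once access is granted, stores them in the iframe's own first-party localStorage.

```javascript
// Added example (not the project's code): Storage Access API flow for reading
// attestation cookies from inside a negotiation iframe, with a tab fallback.

// Cookie-name prefix under which attestations are assumed to live (constructed).
const ATTESTATION_COOKIE_PREFIX = 'attestation-';

// Parse a document.cookie string into {issuer: value}, keeping only attestation
// cookies. Values are decoded but treated as opaque; the caller still verifies them.
function parseAttestationCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name.startsWith(ATTESTATION_COOKIE_PREFIX)) continue;
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { continue; } // skip malformed
    out[name.slice(ATTESTATION_COOKIE_PREFIX.length)] = value;
  }
  return out;
}

// Decide how to proceed from what the browser offers (pure, so it is testable):
//   'cookies' - third-party cookies already readable, no prompt needed
//   'request' - Storage Access API present, must be called from a click handler
//   'tab'     - no Storage Access API; open a top-level tab instead of an iframe
function chooseStrategy(hasAccess, apiAvailable) {
  if (hasAccess) return 'cookies';
  return apiAvailable ? 'request' : 'tab';
}

// Browser-only part: wire this to the iframe's "activate negotiation" button,
// since requestStorageAccess() is rejected unless triggered by a user gesture.
async function readAttestationsFromIframe() {
  const apiAvailable = typeof document.requestStorageAccess === 'function';
  const hasAccess = apiAvailable ? await document.hasStorageAccess() : false;
  const strategy = chooseStrategy(hasAccess, apiAvailable);
  if (strategy === 'tab') return null; // caller falls back to opening a tab
  if (strategy === 'request') {
    try { await document.requestStorageAccess(); } catch (e) { return null; } // declined
  }
  const attestations = parseAttestationCookies(document.cookie);
  // With access granted, the iframe's own localStorage is first-party storage again.
  window.localStorage.setItem('attestations', JSON.stringify(attestations));
  return attestations;
}
```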
oleggrib commented 2 years ago

@nicktaras, as you can see in the docs, the Access Storage API is experimental. Can we develop tools based on experimental technology? At the same time it has limited browser support. Maybe it would be better to open an additional browser tab instead of an iframe? After the actions we can auto-close that tab.

nicktaras commented 2 years ago

Thanks for the suggestion @oleggrib.

For the design, I chose to use cross-origin cookies as a solution that, from initial tests, can be read by the origin website.

Because of the nature of our design, opening iframes for, say, 20 token issuers would not be a good web experience for a user authenticating access to attestations. I think this would only work if the attestations were centralised, e.g. if we had a Smart Token Labs webpage that contains attestations for all tokens.

hboon commented 2 years ago

Not sure if this is still relevant: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/. The highlight is:

7-Day Cap on All Script-Writeable Storage

nicktaras commented 2 years ago

Just adding some notes on this topic. Sorry also for my late reply to your post @hboon.

From a few days of testing the Storage API in the office following the docs, it appeared that the Storage API was restricting some access to local storage and cookies in scenarios where they already existed. However, the documentation doesn't suggest such restrictions, and the API has gained recent traction since:

https://chromestatus.com/feature/5612590694662144 (26/11/21)

I'll keep this API in mind to look into again soon; it will improve the user experience (currently pop-ups are used, etc., which is not so elegant to see). However, the 7-day cap on script-writable storage will impact us in all of the tried and tested options, due to the use of local storage as part of the solution.

Google are working on a new feature called 'Secure Tokens' that appears to solve these issues; I'll keep my eyes on this feature and its adoption.

nicktaras commented 2 years ago

Closing this, as we are using local storage and either an iframe or a tab depending on the browser feature support available.