WICG / first-party-sets

https://wicg.github.io/first-party-sets/

What should I do if an enterprise has more than 5 different domain names that all use the same domain name security service? #179

Open Yekongs opened 1 year ago

Yekongs commented 1 year ago

For example, an enterprise has multiple domain names such as A.com, B.com, C.com, D.com, E.com, F.com. The number of them exceeds 3, but they all use one within the enterprise, such as Z.com, to provide some security services. According to the rules, more than 3 Associates calling requestStorageAccess and requestStorageAccessFor will be automatically rejected. How to solve this problem?

cfredric commented 1 year ago

The number of them exceeds 3

I assume you know this based on the issue title, but Chrome's limit on the associated subset size is no longer 3, it is now 5. However, you listed 6 sites (plus a service site), so let me address your concern below:

  1. If your scenario really involves only 6 sites that all rely on the same service site, then this fits within Chrome's limits for RWS: 1 site can be the primary site, and the other 5 can be in the associated subset. All of them can call document.requestStorageAccessFor on behalf of the service site.
    • Alternatively, the service site can call document.requestStorageAccess when embedded in one of those sites, and the request will be automatically granted.
  2. If your scenario actually involves more than 6 sites (so the 5 associated sites + 1 primary site won't be enough), then you will have to choose which 6 of those sites should have the auto-granting behavior. The remaining sites can still be in the set (as service sites). Those service sites will be treated the same as any other site on the web - they can call document.requestStorageAccess and potentially prompt the user to ask for permission to use their unpartitioned cookies.

There's one other possibility, based on what you wrote:

an enterprise has multiple domain names such as A.com, B.com, C.com, D.com, E.com, F.com,. The number of them exceeds 3, but they all use one within the enterprise,

You've mentioned an enterprise. If you are talking about a company and its employees, and that company uses managed Chrome instances, then the company's enterprise admin can deploy the FirstPartySetsOverrides enterprise policy with a custom set or list of sets. The sets in an enterprise policy are not limited; they can use as many associated sites as they want.
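The following is an added example illustrating the split cfredric describes (1 primary site, at most 5 associated sites, and an uncapped service-site list for everything else). It is not code from the WICG repository or from either commenter. It assumes the public RWS declaration shape (`primary`, `associatedSites`, `serviceSites`), uses constructed `*.example` domains, and wraps the `document.requestStorageAccessFor` call named in the thread so that a rejection (site not in the set, or over the limit) is reported instead of thrown; the `doc` parameter is only there so the logic can be exercised outside a browser.

```javascript
// Added example (not from the WICG repo or the commenters): plan a Related
// Website Set (RWS) declaration for N enterprise sites that all embed one
// security service site, within the limit described in the thread
// (1 primary + at most 5 associated sites; service sites are not capped).
const ASSOCIATED_LIMIT = 5; // Chrome's associated-subset limit as stated above

function planRelatedWebsiteSet(sites, serviceSite, limit = ASSOCIATED_LIMIT) {
  if (!Array.isArray(sites) || sites.length === 0) {
    throw new Error("need at least one site to act as primary");
  }
  const unique = [...new Set(sites)];
  const [primary, ...rest] = unique;
  const associatedSites = rest.slice(0, limit);
  // Sites beyond the cap still belong to the set, but only as service sites:
  // they get no auto-grant and must prompt the user like any other site.
  const overflow = rest.slice(limit);
  const serviceSites = [...new Set([serviceSite, ...overflow])];
  return {
    declaration: { primary, associatedSites, serviceSites },
    autoGranted: [primary, ...associatedSites],
    mustPrompt: overflow,
  };
}

// Sanity check a declaration before submitting it: over-sized associated
// subsets are the case that gets rejected in the question above.
function associatedCountOk(declaration, limit = ASSOCIATED_LIMIT) {
  return declaration.associatedSites.length <= limit;
}

// Browser side: what a primary or associated site runs to obtain unpartitioned
// cookie access on behalf of the service site. `doc` defaults to the real
// document; it is a parameter only so this can run outside a browser.
async function requestAccessForService(serviceOrigin, doc = globalThis.document) {
  if (!doc || typeof doc.requestStorageAccessFor !== "function") {
    return { ok: false, reason: "requestStorageAccessFor unsupported" };
  }
  try {
    await doc.requestStorageAccessFor(serviceOrigin);
    return { ok: true, reason: "granted" };
  } catch (e) {
    // Rejected: caller and service origin are not in the same set, the
    // associated limit is exceeded, or the user declined. The fallback is the
    // service site calling document.requestStorageAccess() from its own frame.
    return { ok: false, reason: String(e && e.message ? e.message : e) };
  }
}

// Constructed sample input: eight enterprise sites plus one service site,
// i.e. the "more than 6 sites" case from the answer above.
const SAMPLE_SITES = [
  "https://a.example", "https://b.example", "https://c.example",
  "https://d.example", "https://e.example", "https://f.example",
  "https://g.example", "https://h.example",
];
const SAMPLE_SERVICE = "https://z.example";

const plan = planRelatedWebsiteSet(SAMPLE_SITES, SAMPLE_SERVICE);
console.log(JSON.stringify(plan.declaration, null, 2));
console.log("auto-granted:", plan.autoGranted.join(", "));
console.log("must prompt :", plan.mustPrompt.join(", "));
```

Which sites land in the auto-granted group is a policy decision; the helper simply takes them in the order given, so put the sites where a silent grant matters most at the front of the list. The overflow sites keep working, they just go through the normal `document.requestStorageAccess()` prompt path.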