miketaylr / partitioned-storage-deprecation-trial-feedback

About This repository is for documenting and discussing all matters related to Partitioned Storage Deprecation Trial in Chromium
Apache License 2.0

Understanding the situation for 3P Embedded Iframes #10

Closed Alm0g closed 7 months ago

Alm0g commented 10 months ago

We have a Chrome extension with its host_permissions as follows: host_permissions: ["https://*/*", "http://*/*"].

The Chrome extension embeds an iframe in any site the user wants to, by clicking the extension icon. So, it can be google.com, amazon.com, etc.

The iframe's origin is https://testchrome.paradox.ai. We registered the trial with that domain:

image

Token: Ap+UkmI5QS3o9ErWiH6Rr9YOl1t/ndsiFboNREjAtTf5jKnbavVfg/ngf3WghYZ/qyQUhr0unRXy8LsEn2+OqgkAAABzeyJvcmlnaW4iOiJodHRwczovL3Rlc3RjaHJvbWUucGFyYWRveC5haTo0NDMiLCJmZWF0dXJlIjoiRGlzYWJsZVRoaXJkUGFydHlTdG9yYWdlUGFydGl0aW9uaW5nIiwiZXhwaXJ5IjoxNzI1NDA3OTk5fQ==

We set a basic test to check the localStorage API. The extension is open in two tabs, Tab A and Tab B. In Tab A I click a button that adds a key to the localStorage. In Tab B I click a button that reads the value of that key. I expected the value in Tab B to be the same as in Tab A, but it was null instead: Video

Both Storage and Communication APIs seem to be partitioned.

After reading through https://developer.chrome.com/docs/web-platform/third-party-origin-trials, I repeated this test with a 3P token as well, with no luck:

image

AzYJvAo0Dd4mD7g5T7Fgb0pgbPvf1j8Rh77JmNj+QQ6jK5CwzOkclYZ7HpPA3nkS2vbu4PoUxBimns5+w/kApgYAAACHeyJvcmlnaW4iOiJodHRwczovL3Rlc3RjaHJvbWUucGFyYWRveC5haTo0NDMiLCJmZWF0dXJlIjoiRGlzYWJsZVRoaXJkUGFydHlTdG9yYWdlUGFydGl0aW9uaW5nIiwiZXhwaXJ5IjoxNzI1NDA3OTk5LCJpc1RoaXJkUGFydHkiOnRydWV9

If I understand properly, this trial is only for top-level sites (first line):

image

My questions are:

Thanks a ton! Almog
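The two tokens posted above can be decoded to confirm which origin, feature and expiry they are bound to, and whether they carry the third-party flag. This is an added example, not part of the original thread: it assumes the Chromium origin trial token layout (1 version byte, 64-byte signature, 4-byte big-endian length, JSON payload), reads the payload without verifying the signature, and `decodeTrialToken` and `checkToken` are hypothetical helper names.

```javascript
// Added example. Assumed token layout (Chromium origin trials):
// 1 version byte | 64-byte signature | 4-byte big-endian length | JSON payload.
// Only the payload is read; the signature is NOT verified here.
const HEADER_LEN = 1 + 64 + 4;

// The two tokens posted in the issue (first-party, then third-party).
const FIRST_PARTY_TOKEN = 'Ap+UkmI5QS3o9ErWiH6Rr9YOl1t/ndsiFboNREjAtTf5jKnbavVfg/ngf3WghYZ/qyQUhr0unRXy8LsEn2+OqgkAAABzeyJvcmlnaW4iOiJodHRwczovL3Rlc3RjaHJvbWUucGFyYWRveC5haTo0NDMiLCJmZWF0dXJlIjoiRGlzYWJsZVRoaXJkUGFydHlTdG9yYWdlUGFydGl0aW9uaW5nIiwiZXhwaXJ5IjoxNzI1NDA3OTk5fQ==';
const THIRD_PARTY_TOKEN = 'AzYJvAo0Dd4mD7g5T7Fgb0pgbPvf1j8Rh77JmNj+QQ6jK5CwzOkclYZ7HpPA3nkS2vbu4PoUxBimns5+w/kApgYAAACHeyJvcmlnaW4iOiJodHRwczovL3Rlc3RjaHJvbWUucGFyYWRveC5haTo0NDMiLCJmZWF0dXJlIjoiRGlzYWJsZVRoaXJkUGFydHlTdG9yYWdlUGFydGl0aW9uaW5nIiwiZXhwaXJ5IjoxNzI1NDA3OTk5LCJpc1RoaXJkUGFydHkiOnRydWV9';

function decodeTrialToken(token) {
  const raw = Uint8Array.from(atob(token.trim()), (c) => c.charCodeAt(0));
  if (raw.length <= HEADER_LEN) throw new Error('token too short');
  const version = raw[0];
  if (version !== 2 && version !== 3) throw new Error('unknown token version ' + version);
  const declared = new DataView(raw.buffer).getUint32(HEADER_LEN - 4, false);
  const body = raw.subarray(HEADER_LEN);
  if (declared !== body.length) throw new Error('payload length mismatch');
  const text = new TextDecoder('utf-8', { fatal: true }).decode(body);
  return { version, ...JSON.parse(text) };
}

// Returns the reasons the token cannot apply to the frame at `frameUrl`
// (empty list means the payload matches; `now` is in milliseconds).
function checkToken(token, frameUrl, { feature, thirdParty, now = Date.now() }) {
  const t = decodeTrialToken(token);
  const tokenUrl = new URL(t.origin);
  const frame = new URL(frameUrl);
  const problems = [];
  const sameOrigin = tokenUrl.origin === frame.origin;
  const subdomainOk = t.isSubdomain === true &&
    tokenUrl.protocol === frame.protocol &&
    frame.hostname.endsWith('.' + tokenUrl.hostname);
  if (!sameOrigin && !subdomainOk) problems.push('origin mismatch: ' + tokenUrl.origin);
  if (t.feature !== feature) problems.push('feature mismatch: ' + t.feature);
  if (thirdParty && t.isThirdParty !== true) problems.push('not a third-party token');
  if (t.expiry * 1000 <= now) problems.push('expired ' + new Date(t.expiry * 1000).toISOString());
  return problems;
}

console.log(decodeTrialToken(FIRST_PARTY_TOKEN), decodeTrialToken(THIRD_PARTY_TOKEN));
```

A clean result only means the payload matches the frame; whether the browser honours the token still depends on where and when it is injected.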

miketaylr commented 10 months ago

Mind taking a look @arichiv?

arichiv commented 10 months ago

The deprecation trial token must be injected in a parent frame to the frame you wish to impact as (1) participation in trials is generally not cached and (2) this specific trial impacts the way a frame is loaded and already-loaded frames cannot enable it part way through the navigation.

It might be possible to use a structure like this:

Top frame (random domain) -> partitioned extension iframe (some domain, A, you own that injects a third-party DT token for B via a script from B and then loads an iframe for B) -> unpartitioned extension iframe (some other domain you own, B, that was the target of the 3P DT token and didn't start loading until after the token was injected via a script from B in the parent iframe for A)

Atul22 commented 8 months ago

Hi @arichiv, I have a similar use case (with 1 change) and tried your approach. But I couldn't get my storage unpartitioned. Here is what I have:

On google.com (e.g.), I have an extn-iframe.html -> a.com (iframe) -> b.com (iframe, this loads at a later stage on user action). Ref to image below

image

Case 1: I added a 3rd party DT token for b.com from a.com with the help of a script from b.com (I could see a valid token in dev tools). But this didn't make the storage unpartitioned.

Case 2: I tried to add a first token for extn-iframe.html and then did everything from Case 1. This didn't work as well.

Am I missing something here?

Thanks.

arichiv commented 8 months ago

I believe that should work, is the token injected by a.com by a script from b.com before the iframe for b.com loads?

Atul22 commented 8 months ago

@arichiv Yep, the token is injected on load of a.com by a script from b.com. b.com iframe loads only after a click of a button.

I tried the following to test it further.

Case 1: Load extension's trial.html in an iframe on google.com which loads a.com and b.com inside it.

Case 2: Open extension's trial.html directly in chrome search.

image

Do we need to do something about the trial.html iframe (it is a web accessible resource file of my extension)?

Please note: a.com and b.com are subdomains and I am using a Third party: true, Match subdomains: false token. If this information is of any help.

arichiv commented 8 months ago

It seems like it should work when I read the code. Would it be possible for you to share the extension? I can try to debug it locally. My email is arichiv@chromium.org

Atul22 commented 8 months ago

@arichiv Thanks for helping me out with this! I have shared the code with you over email. Please let me know if you face any issues.

arichiv commented 8 months ago

This is happening because "the DisableThirdPartyStoragePartitioning deprecation trial does support the third-party origin trials feature, but the third-party script injecting the token must be evaluated in the top-level frame before the third-party iframe that won't have partitioning applied is loaded." https://developers.google.com/privacy-sandbox/blog/storage-partitioning-deprecation-trial

I'm looking into a patch for M123 that respects the token if injected at any frame below the one you wish to unpartition.
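The ordering requirement quoted above (token injected by a script from the third-party origin, evaluated in the top-level frame, before that origin's iframe is loaded) can be sketched as follows. This is an added example, not code from the thread or from Chromium; the function name, token value and URLs are placeholders, and the document is passed in as a parameter so the ordering can be exercised outside a browser.

```javascript
// Added example: meant to be served from the third-party origin (B) and
// evaluated in the top-level document. Names and values are placeholders.
function injectTokenThenLoadFrame(doc, token, frameSrc) {
  const target = new URL(frameSrc);

  // A frame for B that is already in the document was loaded without the
  // trial and cannot opt in afterwards, so report it instead of adding
  // a second frame and silently getting partitioned storage.
  const stale = Array.from(doc.querySelectorAll('iframe'))
    .some((f) => f.src && new URL(f.src, target).origin === target.origin);
  if (stale) {
    return { loaded: false, reason: 'frame for ' + target.origin + ' already present' };
  }

  // Step 1: inject the third-party token as an origin-trial meta tag.
  const meta = doc.createElement('meta');
  meta.httpEquiv = 'origin-trial';
  meta.content = token;
  doc.head.append(meta);

  // Step 2: only now create the iframe that should be unpartitioned.
  const frame = doc.createElement('iframe');
  frame.src = frameSrc;
  doc.body.append(frame);
  return { loaded: true, frame };
}

// In a page: injectTokenThenLoadFrame(document, 'TOKEN_PLACEHOLDER',
//                                     'https://b.example/widget.html');
```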

miketaylr commented 7 months ago

Going to close as resolved here.