miketaylr / partitioned-storage-deprecation-trial-feedback

About: This repository is for documenting and discussing all matters related to the Partitioned Storage Deprecation Trial in Chromium
Apache License 2.0

Deprecation Trial Not Working #4

Status: Closed (Octophi closed 1 year ago)

Octophi commented 1 year ago

Hi Team, I have had some trouble enabling this deprecation trial, so I wanted to check if I was doing anything wrong. I have successfully added my origin-trial meta tag to my top-level page. The token is the right token for my domain. When I go to the Application tab in Chrome DevTools, I still see the storage being partitioned by top-level site. Any ideas what might be going wrong?

In addition, I also registered my token to work in a third party context and tried to add the JavaScript to add the meta tag to the page so that when it gets iframed it will request to opt in to the deprecation trial. In this case, I also successfully inserted the origin-trial meta tag but I still see the storage getting partitioned.

miketaylr commented 1 year ago

Thanks for the feedback. Let me work on a reduced test case to verify.

miketaylr commented 1 year ago

@Octophi would you mind pasting your test OT token here? (It's just a base64-encoded object - nothing super secret about it.) I'm curious if you selected the subdomain matching checkbox.

Also, here's a pretty simple example using sessionStorage, but the particular storage interface shouldn't matter:

https://rogue-lace-join.glitch.me/

See also https://miketaylr.com/misc/3pspdt.js and view-source:https://miketaylr.com/misc/sptest.html to understand the setup.

The basic premise is that you should inject the 3P OT token in the top-level frame's head before creating and injecting any 3P iframes.

Octophi commented 1 year ago

Sure, my token is AysPnqWJeE+bXqBmzsgbertfahuz7WDiHl03RGtRm/e5Kw309x5CWqk0/CQSpn1sRxV9SNxioru5KZNfu3jaFwgAAACOeyJvcmlnaW4iOiJodHRwczovL2ZvcmNlLmNvbTo0NDMiLCJmZWF0dXJlIjoiRGlzYWJsZVRoaXJkUGFydHlTdG9yYWdlUGFydGl0aW9uaW5nIiwiZXhwaXJ5IjoxNzI1NDA3OTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZSwiaXNUaGlyZFBhcnR5Ijp0cnVlfQ==

I can see it inserted into a meta tag on the top-level page but it doesn't seem to be stopping the partitioning from occurring.

Octophi commented 1 year ago

Also just to check, does a token have to work either in a third-party context OR from being injected on the top-level domain, or can it cover both scenarios?

Octophi commented 1 year ago

Also, are there any additional complications if we have an iframe within an iframe within a page?

miketaylr commented 1 year ago

Let me tag in @arichiv on the question of iframes within iframes... can you describe the setup a little bit more?

Octophi commented 1 year ago

I have an endpoint which I control, which iframes in another endpoint which I control, which I then use to iframe in a third-party endpoint which I do not control. I want to disable storage partitioning and have been trying to do so by adding the meta tag to the HTML for the top-level site. However, it doesn't appear to be working at the moment.

miketaylr commented 1 year ago

OK, so you have a.com which frames b.com which frames c.com and you want unpartitioned storage for c.com, correct?

Octophi commented 1 year ago

Yup, exactly. I control a.com and b.com but not c.com.

arichiv commented 1 year ago

Can you describe the specific origins that are embedding each other? What level is https://force.com:443?

arichiv commented 1 year ago

I ask because your token is for https://force.com:443 and is a Third-Party token. There are two options if we consider the example of a.com embedding b.com:

  1. a.com can include a first-party token for a.com; this will unpartition all subframes on any origins.
  2. a.com can include a third-party token for b.com via some script on b.com; this will unpartition all subframes for b.com (and their descendants) only.

arichiv commented 1 year ago

Also, it's important to note that in case (2), the token must be injected via a script from b.com. a.com cannot inject it itself or the token will be ignored.

Octophi commented 1 year ago

Ok, got it, so we cannot use the same token for both a third-party context and a first-party context.

Currently, I have a page https://joey-dev-ed--c.develop.vf.localhost.sfdcdev.force.com:6101/apex/CanvasPage which iframes in a page on the salesforce.com registrable domain, which then iframes in a page in herokuapp.com. I am inserting a meta tag on the top-level page which looks like


I believe this is a first-party token associated with force.com. It still doesn't appear to be working, though. Am I missing something?

Octophi commented 1 year ago

Also not directly related, but let's say I have something which might be served from either of two different domains. Is it possible to specify two origin trial tokens on the page and for either of them to be considered?

miketaylr commented 1 year ago

That should be possible, yes.

Octophi commented 1 year ago

Ok, after some more debugging I figured out why it wasn't working: my dev environment was not running https on the default port 443, so the token wasn't associated with the correct origin. Thanks y'all for answering all my questions so promptly.
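As an added example, not code from the thread, from Chromium or from the Origin Trials tooling: the root cause found in the comment above (a page served on port 6101 against a token issued for https://force.com:443) is the kind of mismatch that can be caught by decoding the token before reaching for DevTools. The Node.js script below decodes the token posted earlier in this thread using Chromium's published token layout (version byte, 64-byte signature, 4-byte big-endian payload length, JSON payload) and checks the payload's origin (with the default-port rule and isSubdomain matching), feature name, expiry and first-/third-party flag against the page that is supposed to use it. The function names and the `example-app.force.com` URL are mine, and the signature is not verified, so the script reports whether the fields are consistent with how the token is being used, not whether Chromium will accept it.

```javascript
// Added example (not code from the thread, Chromium or the Origin Trials
// tooling): decode a Chromium Origin Trial token and check the fields a
// developer can mismatch. Assumed token layout (Chromium's documented format):
// 1 byte version, 64-byte signature, 4-byte big-endian payload length, then a
// UTF-8 JSON payload. The signature is NOT verified here; that needs
// Chromium's embedded public key.

const SIGNATURE_LENGTH = 64;
const HEADER_LENGTH = 1 + SIGNATURE_LENGTH + 4;

function decodeOriginTrialToken(tokenB64) {
  const buf = Buffer.from(tokenB64, 'base64');
  if (buf.length < HEADER_LENGTH) {
    throw new Error('token too short to hold version, signature and payload length');
  }
  const version = buf[0];
  if (version !== 2 && version !== 3) {
    throw new Error(`unsupported token version ${version}`);
  }
  const payloadLength = buf.readUInt32BE(1 + SIGNATURE_LENGTH);
  if (HEADER_LENGTH + payloadLength !== buf.length) {
    throw new Error(`declared payload length ${payloadLength} does not match token size`);
  }
  const payload = JSON.parse(buf.subarray(HEADER_LENGTH).toString('utf8'));
  return {
    version,
    signatureHex: buf.subarray(1, 1 + SIGNATURE_LENGTH).toString('hex'),
    payloadLength,
    payload,
  };
}

// Split a URL into the parts of its origin, with the port always explicit,
// because the token's "origin" field is written as scheme://host:port and
// the URL parser drops default ports.
function originParts(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'https:': '443', 'http:': '80' };
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPorts[u.protocol] || '' };
}

function canonicalOrigin(urlString) {
  const { scheme, host, port } = originParts(urlString);
  return `${scheme}//${host}:${port}`;
}

// A token covers a page when scheme, host and port match exactly; with
// isSubdomain set, any subdomain of the token host (same scheme and port)
// is covered too. A page on a non-default port is never covered by a token
// issued for the default port, which is what bit the reporter in this thread.
function originCovered(tokenOrigin, pageUrl, isSubdomain) {
  const t = originParts(tokenOrigin);
  const p = originParts(pageUrl);
  if (t.scheme !== p.scheme || t.port !== p.port) return false;
  if (t.host === p.host) return true;
  return isSubdomain === true && p.host.endsWith('.' + t.host);
}

// Returns a list of human-readable problems; an empty list means the token's
// fields are consistent with how it is being used.
function checkToken(tokenB64, expected) {
  const { payload } = decodeOriginTrialToken(tokenB64);
  const problems = [];
  if (payload.feature !== expected.feature) {
    problems.push(`feature is "${payload.feature}", expected "${expected.feature}"`);
  }
  const nowSeconds = expected.now ?? Math.floor(Date.now() / 1000);
  if (typeof payload.expiry !== 'number') {
    problems.push('token has no numeric expiry');
  } else if (payload.expiry <= nowSeconds) {
    problems.push(`token expired at ${new Date(payload.expiry * 1000).toISOString()}`);
  }
  if (!originCovered(payload.origin, expected.pageUrl, payload.isSubdomain)) {
    problems.push(`token origin ${payload.origin} does not cover page origin ` +
      `${canonicalOrigin(expected.pageUrl)}${payload.isSubdomain ? ' even with subdomain matching' : ''}`);
  }
  if (Boolean(payload.isThirdParty) !== Boolean(expected.thirdParty)) {
    problems.push(payload.isThirdParty
      ? 'token is a third-party token but is being used as a first-party token'
      : 'token is a first-party token but is being used as a third-party token');
  }
  return problems;
}

// The token posted earlier in this thread.
const TOKEN_FROM_THREAD = 'AysPnqWJeE+bXqBmzsgbertfahuz7WDiHl03RGtRm/e5Kw309x5CWqk0/CQSpn1sRxV9SNxioru5KZNfu3jaFwgAAACOeyJvcmlnaW4iOiJodHRwczovL2ZvcmNlLmNvbTo0NDMiLCJmZWF0dXJlIjoiRGlzYWJsZVRoaXJkUGFydHlTdG9yYWdlUGFydGl0aW9uaW5nIiwiZXhwaXJ5IjoxNzI1NDA3OTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZSwiaXNUaGlyZFBhcnR5Ijp0cnVlfQ==';
const FEATURE = 'DisableThirdPartyStoragePartitioning';
// The dev page URL from the thread (port 6101) and a constructed default-port
// URL for comparison; "example-app.force.com" is made up for this example.
const DEV_PAGE = 'https://joey-dev-ed--c.develop.vf.localhost.sfdcdev.force.com:6101/apex/CanvasPage';
const PROD_LIKE_PAGE = 'https://example-app.force.com/apex/CanvasPage';

console.log(decodeOriginTrialToken(TOKEN_FROM_THREAD).payload);
for (const page of [DEV_PAGE, PROD_LIKE_PAGE]) {
  const problems = checkToken(TOKEN_FROM_THREAD, { pageUrl: page, feature: FEATURE, thirdParty: true });
  console.log(page, problems.length ? problems : 'token fields look consistent');
}
```

Run it with `node`. The dev URL from the thread is flagged only on the origin (port 6101 against a token for port 443, subdomain matching notwithstanding); the constructed default-port URL passes the origin check. With the real clock the expiry check also fires once the token's expiry (1725407999, early September 2024 UTC) has passed, which is why `checkToken` accepts an explicit `now` for reproducible checks.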

miketaylr commented 1 year ago

Glad to hear you got it sorted!