Update from non-Chrome browsers on support stance

[LGraber]

Adding an issue to perhaps get this discussed in a meeting if an online discussion is not enough. We are specifically interested in Safari / iPhone webkit support. While we have been partnering closely with Google and following this proposal, as with many proposals, the value is often significantly degraded if it is only partially adopted. Firefox already supports partitioning without opt-in as defined in this spec so they are not as worrying. What is the stance from Apple?

[johannhof]

I sense that you want an agenda+ here? :)

[johannhof]

Also probably worth tagging @johnwilander and @annevk. FWIW, https://github.com/WebKit/standards-positions/issues/50 hasn't seen a lot of movement.

[erik-anderson]

Anne replied in the WebKit standards positions repo. As a result, I'm removing the agenda+ label.

[cmawhorter]

I've been watching both chips and the stance from webkit for a while now, and FWICT, it doesn't seem like chips will be coming to safari any time soon.

Right now... webkit is commenting with "not a priority" and the need is "unclear". To me, that feels like a more political way of saying no.

Perhaps suggesting some steps devs can take to help advocate for it at webkit would move things along?

[krgovind]

@cmawhorter The Webkit team asked the developer community on this thread to share why partitioned storage isn't good enough, and why partitioned cookies may be preferred instead. Sharing your use cases on that thread is a good way to advocate for CHIPS support in Webkit.

[cmawhorter]

thanks for the suggestion. that thread was getting long and i was concerned about doing more harm than good by adding more there. also- i feel like you guys have done a pretty good job of laying out the use cases, so i donno 🤷

[johannhof]

@cmawhorter I can't speak for the WebKit team but in my experience factually describing your use case (similar to how others did in that thread) is very helpful to help browser teams assess whether an API is worth supporting, so I would still encourage you to do that. The harm from "pile-ons" usually comes from uninformative +1 comments, accusations or abuse. If we can avoid that then I think it's always useful to get a sense of the number of developers and use cases impacted.

[johnwilander]

Quick comment from Apple WebKit: Johann is right. From our perspective, more cookies increase memory use and slow down network loads. That’s known and users want performant browsers and a performant web. So we want to hear about legitimate use cases for partitioned cookies.

[h3ku]

Quick comment from Apple WebKit: Johann is right. From our perspective, more cookies increase memory use and slow down network loads. That’s known and users want performant browsers and a performant web. So we want to hear about legitimate use cases for partitioned cookies.

Sharing this here since I think its a better place. https://github.com/privacycg/storage-access/issues/75#issuecomment-1936323957

Has there been any further discussion on this, especially regarding the security implications? I believe the absence of a method for iframes to request partitioned cookies without prompting will lead to decreased security for users.
When developers find that their application's authentication doesn't work due to being inside an iframe, they are likely to transfer the user token from cookies to IndexedDB/LocalStorage, which can be accessed without prompting in a partitioned manner. This is detrimental for users because there is no mechanism to prevent JavaScript from accessing this storage (unlike the HttpOnly attribute for cookies). This means that user tokens would be exposed in the event of a security issue like an XSS attack on the application, or other security concerns such as supply chain attacks with malicious dependencies.
I think having CHIPS support in Safari would be the way to go.