CHIPS doesnt handle cross-domain authentication in iFrame scenario if 3PCs are blocked

[divaypandey]

Assuming a "customer care" chat-service exists on chat.site, if the user authenticates on chat.site setting a JWT/RT cookie and a client site, lets say car-dealer.site embeds an iFrame-chat-box hosting chat.site, if 3PCs are blocked, the chat.site's RT/JWT-cookies aren't forwarded to the iFrame (whose src is set to chat.site, hosted inside car-dealer.site) and the user remains unauthenticated

Now, lets say the user authenticates from within the iFrame and a partitioned cookie is set, in that case the JWT/RT is available if the user is within car-dealer.site, but now if they go to car-spares.site, they're unauthenticated again in the chat service's iFrame and have to follow the authentication route again

The general problem will exist on any authenticated-embeddable context that intends to live across websites

Hence, enforcing CHIPS while blocking 3PCs will be a breaking change for this scenario, how does CHIPS intend to handle this?

[annevk]

You need to use the requestStorageAccess() API for such a scenario. CHIPS won't help you.

[krgovind]

@divaypandey As Anne mentioned, you are looking for Storage Access API. The API is already supported on Safari, Firefox, and Edge; and we are in the process of rolling out support in Chrome. In the meantime, you can also test the API locally in Chrome using these instructions. If you have any feedback, please leave it on on the Storage Access API GitHub repository.