Open pes10k opened 4 years ago
Very interesting indeed! We've been thinking about something similar — or perhaps with a slightly longer "single-site session" lifetime, where A-under-B keeps seeing the same storage until the user navigates away from B. This would serve additional analytics use cases like "I want a 3rd-party service to count how many pages a user visits before leaving my site", which otherwise end up using the first party's storage.
Neat idea. One possible challenge for this approach is cookies. We've found that partitioned third party cookies cause more compat issues than blocked third party cookies. But maybe this can apply to only non-cookie storages, or it could have some kind of explicit opt-in.
By top level frame is closed do you mean its browsing context group? What if multiple browsing context groups are open with the same sites?
@othermaciej can you say more about the kinds of web compat concerns here? The reason we decided to start prototyping partitioned storage in this way (top-frame length) was to avoid issues of having long lived, partitioned cookies. In this case, since the the embedded frame's storage is either a) ephemeral, partitioned and tied to the top level frame, or b) global-and-long-lived, I expect (hope) that we wouldn't hit the kinds of problems you hit with different sets of long lived cookies, as you'd have in WebKit. But, if your experience suggests otherwise, that would be enormously useful feedback!
@annevk @michaelkleber We hadn't deeply considered those kinds of cases to be honest, and would be very interested to discuss more about use cases and trade offs. It'd at least expand the possible scope of web compat issues (at least in practice, if not in principal), and would be more tricky (both in implementation, and thinking through how it interacts with other standards), but very interested to discuss more and think through the tradeoffs!
Hi all, just to follow up on this, I mentioned the last time this was discussed on PrivacyCG that I'd report back once the study / paper part was done. Well its done! And Brave is finishing up an implementation of the above (looks like we'll land it a complete version in nightly in ~2 wk or so), though what we're shipping is slightly different than whats in the paper or described above.
https://arxiv.org/abs/2011.01267
Happy to discuss more if its of interest (the paper, what Brave is implementing, etc), but just mostly wanted to let the group know that Brave is still going forward with this and getting close to shipping.
Just a heads up for the group, this has now been implemented in Brave https://brave.com/privacy-updates-7/
@annevk and @pes10k - Would you like to talk about this proposal in the upcoming Cookies Ad Hoc discussion or a regular teleconference?
Sure, Id be happy to share more about what Brave does if it'd be of interest to others (we've modified our policy slightly. No preference on my end between an ad hoc or "regular" call; happy to go with whichever the chair think would be best
cc @annevk to add this into the Cookies Ad hoc discussion.
Sure, Id be happy to share more about what Brave does if it'd be of interest to others (we've modified our policy slightly. No preference on my end between an ad hoc or "regular" call; happy to go with whichever the chair think would be best
We did not get to this as part of the cookie discussion. It's probably also a broader topic as it applies to all partitioned state, including partitioned cookies, presumably. As such, marking agenda+ again for consideration for a future meeting.
Reviewing this in advance of the PrivacyCG and wanted to note:
two eTLD+1 equiv frames on the same page may wish to work together (and to use storage to do so)
This is a fairly common use case for ad creatives in order to avoid repetitive creatives across a single page and one we'd like to see continued support for. Right now there are a bunch of creatives that do so using localStorage or cookies but presumably without this feature those creatives would push publishers to include a coordinating script on page, which would be an undesirable outcome.
I have an additional scenario that's not super feasible today but likely would be if we had more partitioning knobs for sites to use.
Consider a scenario where top-level site A.example
embeds B.example
via two iframes and that it wants separate/partitioned storage between the two B.example
iframes.
A concrete example of where this would be useful is if iframed origin B.example
provides an embeddable chat app. Top-level site A.example
wants to allow two different users of B.example
to be loaded concurrently without B.example
needing any special awareness of it.
If A.example
could specify some partitioning key (perhap a "partitioning index" attribute set on the iframe prior to load), it could opt into more isolation for the embeddee if desired. The site could also choose to not provide a custom partitioning key in which case we would revert to whatever the desired default behavior ends up being.
@erik-anderson I could actually see how that could be very useful as a web developer. I agree that the use case is not very feasible today, but I could see it easily enabling all new very useful development approaches, and giving more control on these things to the top level page is definitely desirable.
Currently frames can either have storage blocked or allowed, w/o an in between. This is unideal for several reasons. Some examples include
Safari's current approach of persistent, partitioned 3p storage allows more than is needed in such cases, and other browsers "all block or all allow" approaches allow either too little (storage is blocked), or way too much (un partitioned storage).
The proposal here is to provide an in-standard way of defining the following: