privacycg / proposals

New proposals in the Privacy Community Group
https://privacycg.github.io

FedCM as a trust signal for the Storage Access API #46

Closed johannhof closed 5 months ago

johannhof commented 6 months ago

See https://github.com/privacycg/storage-access/issues/196. This was intended to live in FedID CG, but the chairs thought that because of the way it integrates with SAA it may actually be a potential PrivacyCG work item. Comment from https://github.com/privacycg/storage-access/issues/196:

In the FedID CG we have been discussing (https://github.com/fedidcg/FedCM/issues/467) the merits of autogranting Storage Access calls based on existing FedCM grants. Based on the positive reception of this idea we wrote up an explainer of how we think this should work from a technical perspective: https://github.com/explainers-by-googlers/storage-access-for-fedcm

Relevant for this specification is that instead of simply creating a new storage-access permission on a successful FedCM prompt, we'd update Storage Access to look at existing FedCM account connections to establish whether storage access can be granted without an additional prompt. Benefits to this include the ability to scope the grant to the privacy boundaries of FedCM, and avoiding two simultaneous permission grants for the user (agent) to manage.

This issue is tracking discussion and integration on the Privacy CG side.

cc @bvandersloot-mozilla @annevk @martinthomson @cfredric @hflanagan @samuelgoto @yi-gu

bvandersloot-mozilla commented 6 months ago

I'm supportive of incubating this. It intuitively makes sense to me that an identity link opt-in provides better UI/UX, and FedCM already breaks the site privacy boundary.

martinthomson commented 5 months ago

The chairs discussed this and concluded that there was sufficient support to incubate. Consider this OK to start incubating into SAA. We'll defer to the editors on how they want to manage the details, but we can use https://github.com/privacycg/storage-access/issues/196 to track the effort.

johannhof commented 5 months ago

Thanks Martin! We'll follow up with a PR on SAA. With regard to https://github.com/explainers-by-googlers/storage-access-for-fedcm, would you like me to move the explainer to this org?

martinthomson commented 5 months ago

Well, that's a different question. We'd appreciate having some explanation, so adding the document -- or its content -- to the existing storage access explainer(s) seems the right thing to do.