Open bvandersloot-mozilla opened 2 years ago
Thanks for cutting the issue!
To summarize the prompt spam prevention possibilities besides FPS discussed elsewhere:
requestStorageAccessForSite
and requestStorageAccess
so that there is less risk of contention.The latest comment then adds:
One other idea I thought of that I'd like to put forward is the base URL of the script making the request.
I assume this is some rule like (with "match" possibly also meaning same site or same origin):
If the base URL of the script making the request does not match the top-level URL, reject the request.
i.e., <script src="a.com/rsafor.js">
calling requestStorageAccessForSite(a.com)
on top-level site b.com
would be rejected.
I’d be curious about whether there's any concern with CDN URLs (where a script authored by the top-level site but hosted on a CDN may be incorrectly blocked), and with bundled JS (where the true caller might be obscured, though the top-level site’s bundling of it may indicate approval), though I do think it is another good possibility.
I was actually thinking some rule like:
If the base URL of the script making the request does not match the argument, reject the request.
i.e., <script src="a.com/rsafor.js">
calling requestStorageAccessForSite(a.com)
on top-level site b.com
would not be rejected, but <script src="b.com/rsafor.js">
calling requestStorageAccessForSite(a.com)
on top-level site b.com
would
The idea is to indicate an acceptance by a.com
to allow storage access requests on its behalf on b.com
. This indication comes in the form of a script that calls rsaFor being served to a page on b.com
(w/ CORS acting as the control point).
We discussed this issue a bit at TPAC, and I'm posting a summary below to ensure it matches @bvandersloot-mozilla's recollection (hopefully I didn't garble the message 😄):
SameSite=None
cookies would likely be needed to indicate embedded party opt-in. I think we agreed that CORS was likely better than the <script>
base URL, though (CORS is being discussed on the security improvements issue, so we'll have to stay tuned).requestStorageAccessForOrigin('site.example')
calls could have them resolve without a prompt (with user opt-in via prompt being possible after that number was reached). Based on this, I think there is a path forward for those browsers that don't support FPS.Does this match your recollection? Thanks again for all the discussion and feedback!
For non-FPS browsers to avoid prompt spam, promptless grants are doable, but the number of those grants for a given embedded domain will need to be limited to avoid widespread sharing. In other words, a limited number of top-level sites with identical requestStorageAccessForOrigin('site.example') calls could have them resolve without a prompt (with user opt-in via prompt being possible after that number was reached). Based on this, I think there is a path forward for those browsers that don't support FPS.
I would replace "non-FPS browsers" with Firefox, but otherwise I agree. Some other browsers are opposed to promptless storage access grants and may also be opposed to FPS. This puts them in a tough situation that I think we left unresolved and wanting a broader conversation on.
Otherwise this matches my recollection. Thank you for the write up!
There is concern that prompt spam will be a problem where first party sets are not adopted. See prior discussion on privacy-cg/storage-access#107. Forking here.