privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

Let `document.hasStorageAccess` check whether the Document already has unpartitioned data access #174

Closed shuranhuang closed 1 year ago

shuranhuang commented 1 year ago

This commit tries to make hSA match the description in the spec that “This specification defines a method to query whether or not a Document currently has access to its unpartitioned data (hasStorageAccess()) …” by including a check of whether the user agent allows the document to access unpartitioned data based on user settings.

Fixes https://github.com/privacycg/storage-access/issues/171

(See WHATWG Working Mode: Changes for more details.)
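To make the behaviour this PR describes concrete, here is an added example in JavaScript; it is not code from the Storage Access API spec or from this PR. It models the resolution of hasStorageAccess() as the PR describes it and shows the embed-side check-then-request pattern that depends on it. The `env` and `uaSettings` objects, their field names, the `decision` parameter and the fake Document are constructed stand-ins for the spec's environment, user agent settings and permission decision, not spec terms.

```javascript
// Added example, not code from the Storage Access API spec or this PR.
// `env`, `uaSettings` and `decision` are constructed stand-ins for the
// spec's environment, user agent settings and permission decision.

// Models hasStorageAccess() as the PR describes it: true if the document's
// environment already has storage access, or if the user agent's settings
// allow unpartitioned cookie access anyway (e.g. third-party cookies are
// not blocked); otherwise false.
function resolveHasStorageAccess(env, uaSettings) {
  if (env.hasStorageAccess === true) return true;
  return uaSettings.allowsUnpartitionedCookieAccess === true;
}

// Embed-side pattern: check before requesting, and only request on a user
// gesture, because requestStorageAccess() needs transient activation and
// may prompt. `doc` is injected so the function runs outside a browser.
async function ensureUnpartitionedCookies(doc, userActivated) {
  if (await doc.hasStorageAccess()) {
    return { access: true, prompted: false };
  }
  if (!userActivated) {
    return { access: false, prompted: false, reason: "no user activation" };
  }
  try {
    await doc.requestStorageAccess();
    return { access: true, prompted: true };
  } catch (err) {
    return { access: false, prompted: true, reason: err.name };
  }
}

// Constructed fake Document wired to the model above. `decision` stands in
// for the user agent's storage-access permission decision.
function makeFakeDocument(env, uaSettings, decision) {
  return {
    hasStorageAccess: async () => resolveHasStorageAccess(env, uaSettings),
    requestStorageAccess: async () => {
      if (decision === "granted") {
        env.hasStorageAccess = true;
        return;
      }
      const e = new Error("requestStorageAccess denied");
      e.name = "NotAllowedError"; // the rejection name the spec uses
      throw e;
    },
  };
}

// Runs the three cases of interest and returns their outcomes.
async function demo() {
  // Browser that blocks third-party cookies; a request would be granted.
  const strict = makeFakeDocument({ hasStorageAccess: false },
    { allowsUnpartitionedCookieAccess: false }, "granted");
  // Browser that does not block third-party cookies: no grant, no prompt.
  const permissive = makeFakeDocument({ hasStorageAccess: false },
    { allowsUnpartitionedCookieAccess: true }, "denied");
  return {
    strictNoGesture: await ensureUnpartitionedCookies(strict, false),
    strictWithGesture: await ensureUnpartitionedCookies(strict, true),
    permissive: await ensureUnpartitionedCookies(permissive, false),
  };
}
```

The `permissive` case is the one this change affects: with the previous text, which resolved with the environment's has storage access flag alone, an embed in a browser that does not block third-party cookies would see `false` and go on to call requestStorageAccess() (and need a user gesture) for access it already had.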



shuranhuang commented 1 year ago

Thanks! I used "unpartitioned data" here to align with the description of the API definition: https://github.com/privacycg/storage-access/blob/69042e6cbb095a2cf71e1948a0b9e3ac2861757e/storage-access.bs#L114. But you are right that we are just dealing with cookies for this change. Changed it to use "unpartitioned cookie" in the latest commit. PTAL!

Rickyoperio commented 1 year ago

Yes?

On Wed, Jun 21, 2023, 6:02 AM Shuran Huang @.***> wrote:


In storage-access.bs https://github.com/privacycg/storage-access/pull/174#discussion_r1235943605 :

@@ -162,7 +162,15 @@ When invoked on {{Document}} |doc|, the ha

 ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document.

-1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |global|'s [=environment/has storage access=]. +1. Run the following steps [=in parallel=]:

    1. Let |Whether the User Agent Allows Unpartitioned Cookie Access| be an algorithm that, given a user agent's settings object |user agent settings|, runs the following steps:
    1. [=Queue a global task=] on the [=permission task source=] given |global| to:
    1. If |global|'s [=environment/has storage access=] is false:
    1. If |user agent settings| allows unpartitioned cookie access, [=/resolve=] |p| with true and return |p|.
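Review bot: the first added step defines a named algorithm, |Whether the User Agent Allows Unpartitioned Cookie Access|, that none of the following steps ever invoke; they test |user agent settings| directly, and nothing in the hunk says where |user agent settings| comes from. Either drop the named algorithm and say how the settings object is obtained, or call it by name in the "If |user agent settings| allows unpartitioned cookie access" step. Two smaller points in the same steps: the queued task uses [=permission task source=] while the removed line uses [=permissions task source=], so one spelling of the term should be kept; and "[=/resolve=] |p| with true and return |p|" returns from inside a queued task, whereas |p| has already been returned to the caller before the parallel steps start, so that step should just resolve and abort ("[=/resolve=] |p| with true and return.").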

Still looking into how to rephrase with mentioning (site, site) tuple instead of doc. But could you PTAL the current steps first? Thanks!


shuranhuang commented 1 year ago

Friendly ping on this @annevk :)

johannhof commented 1 year ago

> Didn't we want to make hasStorageAccess() reflect deny states for the top-level document as well? It seems earlier steps of hasStorageAccess() end up returning early with true.

Hmm I don't think that was an expectation on my end. I do see SAA primarily as a mechanism governing cross-site data access, not same-site (or same authority). FWIW I'd be okay with punting on a follow-up.

shuranhuang commented 1 year ago

@annevk PTAL the latest version.

shuranhuang commented 1 year ago

@annevk does it look good with your suggestions applied?

shuranhuang commented 1 year ago

@annevk Friendly ping:)

johannhof commented 1 year ago

In the interest of moving things along on our graduation goals, I'll go ahead and merge this without @annevk's explicit sign-off, as there's been plenty of review (and a final positive note). I hope that works for you, Anne. I think @shuranhuang is happy to correct any remaining concerns you may have in another PR.