Closed shuranhuang closed 1 year ago
Thanks! I used "unpartitioned data" here to align with the description of the API definition: https://github.com/privacycg/storage-access/blob/69042e6cbb095a2cf71e1948a0b9e3ac2861757e/storage-access.bs#L114. But you are right that we are just dealing with cookies for this change. Changed it to use "unpartitioned cookie" in the latest commit. PTAL!
Yes?
On Wed, Jun 21, 2023, 6:02 AM Shuran Huang @.***> wrote:
@.**** commented on this pull request.
In storage-access.bs https://github.com/privacycg/storage-access/pull/174#discussion_r1235943605 :
@@ -162,7 +162,15 @@ When invoked on {{Document}} |doc|, the
ha
ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document.
-1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |global|'s [=environment/has storage access=]. +1. Run the following steps [=in parallel=]:
- Let |Whether the User Agent Allows Unpartitioned Cookie Access| be an algorithm that, given a user agent's settings object |user agent settings|, runs the following steps:
- [=Queue a global task=] on the [=permission task source=] given |global| to:
- If |global|'s [=environment/has storage access=] is false:
- If |user agent settings| allows unpartitioned cookie access, [=/resolve=] |p| with true and return |p|.
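Review bot: the last added step, "[=/resolve=] |p| with true and return |p|", sits inside the task queued from the [=in parallel=] steps, where there is no caller to return |p| to. Resolve |p| inside the task and return |p| from the outer algorithm after the in-parallel block is started. The added steps also link [=permission task source=] while the removed line linked [=permissions task source=]; unless the term was renamed, the new spelling will not resolve. Finally, |user agent settings| is declared as a parameter of the new algorithm but is used in the queued task without any step that says where it comes from, so it would help to state how it is obtained.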
Still looking into how to rephrase with mentioning (site, site) tuple instead of doc. But could you PTAL the current steps first? Thanks!
Friendly ping on this @annevk :)
Didn't we want to make `hasStorageAccess()` reflect deny states for the top-level document as well? It seems earlier steps of `hasStorageAccess()` end up returning early with true.
Hmm I don't think that was an expectation on my end. I do see SAA primarily as a mechanism governing cross-site data access, not same-site (or same authority). FWIW I'd be okay with punting on a follow-up.
@annevk PTAL the latest version.
@annevk does it look good with your suggestions applied?
@annevk Friendly ping:)
In the interest of moving things along on our graduation goals, I'll go ahead and merge this without @annevk's explicit sign-off, as there's been plenty of review (and a final positive note). I hope that works for you, Anne. I think @shuranhuang is happy to correct any remaining concerns you may have in another PR.
This commit tries to make hSA match the description in the spec that “This specification defines a method to query whether or not a Document currently has access to its unpartitioned data (hasStorageAccess()) …” by including a check of whether the user agent allows the `document` to access unpartitioned data based on user settings.
Fixes https://github.com/privacycg/storage-access/issues/171
(See WHATWG Working Mode: Changes for more details.)