privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

Storage Access API (requestStorageAccess) #176

Closed andywang219 closed 11 months ago

andywang219 commented 11 months ago

Hello!

Quick question regarding the Storage Access API functionality. Based on the readme, it sounds like if we do not set the Partitioned attribute and use the SAA to grant access to 3rd party sites' cookies, those cookies will then become accessible. Does this require First-Party sets or will this work on its own?

Upon doing some testing in Chrome Canary, it looks like it does not require First-Party sets, but would like to confirm that behavior.

Thank you.

cfredric commented 11 months ago

Hi @andywang219, it sounds like you're mostly asking about behavior in Chrome. Chrome has not yet shipped support for the Storage Access API for authenticated embeds in general; Chrome's support for the Storage Access API currently requires that the top-level document and embedded document belong to sites that are in the same First-Party Set. (And note that even this support is still being rolled out.)

However, Chrome does plan to ship full support for the Storage Access API. There are instructions for how to test locally at the bottom of that README, and a link to file a bug if you find things don't work as I've documented that they should. Thanks!

jagadeeshaby commented 11 months ago

@cfredric - Could you elaborate more on the permission lifetime?

I have a similar use case where my customers use a SaaS application provided by us. Say if the user interacts with the page and clicks request access explicitly to grant permission, I see that these permissions are valid up to 30 days. How exactly is this 30 days being calculated? Is it the days since requestStorageAccess() invocation? Can I keep renewing the permission by invoking requestStorageAccess() to avoid prompts every 30 days?

cfredric commented 11 months ago

Hi @jagadeeshaby, can you please ask questions that are specific to Chrome's plans on my repository? That repository is for Chrome specifically. This repository is for the Storage Access API's specification, so it is not the appropriate place to ask about one particular browser's implementation.

I'll be happy to address your question(s) there :)

jagadeeshaby commented 11 months ago

Done, thanks!

andywang219 commented 11 months ago

@cfredric I think my question was answered in the GitHub repository that you've linked! Just a quick clarification, all three options listed here: https://github.com/cfredric/chrome-storage-access-api#:~:text=Chrome%2Dspecific%20behavior, will be offered, correct?

cfredric commented 11 months ago

@andywang219 that's right - though I wouldn't call those "options", since it's a list of things that Chrome will check for, sequentially, when handling a call to document.requestStorageAccess().

If you have followup questions on Chrome's behavior specifically, do you mind asking them on https://github.com/cfredric/chrome-storage-access-api, since this repository isn't really the right place for browser-specific questions? Thanks!

andywang219 commented 11 months ago

Thank you @cfredric !