privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

Unable to request storage API access from hosting app to set cookies from iframe #202

Closed abhirajdatta closed 1 month ago

abhirajdatta commented 2 months ago

I have a use case where we are hosting an iframe in a webpage. The iframe is setting a few cookies in the browser, and when the Chrome 3P blocking flag is enabled, Chrome is unable to set those cookies.

What we want to know is if the webapp hosting the iframe can request storage access for the iframe application to set their cookies? Can we do something onload of the iframe to request storage access API?

johannhof commented 2 months ago

Hi, there are two different proposals that might be relevant here, with a bunch of caveats though:

Can you share some more details about your use case? Are you not in control of the iframe in question?

abhirajdatta commented 1 month ago

My use case -

I have a web app where a 3P widget is hosted. When I visit the page with the Chrome 3P flag turned on, I'm asked to log in using that widget. In today's world the login is not needed, as when the widget loads it automatically sets the cookies which are needed to sign in.

What I need to solve is how the 3P cookies which are being set will continue to be set post 3PCD. Can I as a hosting system do something to make it work? The widgets are hosted using iFrames. Hosting party is Salesforce.

johannhof commented 1 month ago

Thanks! I don't think that there's a lot that you as a hosting system can do in this case, since the 3P needs to do at least some work to opt into 3PC access. As a stop-gap solution, browsers like Chrome and Firefox have per-site user toggles to temporarily disable 3PC blocking, but longer term Salesforce will have to fix this so I suggest that you reach out to them (judging by their engagement on 3PCD overall I can imagine they're aware of and working on a fix to the issue).

I'm closing this as it doesn't seem relevant to Storage Access per se, feel free to ask more general questions about Chrome's 3PCD rollout etc. in https://github.com/privacysandbox/privacy-sandbox-dev-support