johnwilander
commented
4 years ago Hi! Thanks for filing!
I believe https://github.com/privacycg/storage-access/issues/14 already covers this albeit mixed up with some other concerns. Can you have a look at that issue and see if they are the same?
sleyhane
Regarding the scope of storage access, I'd like to request that sub-frames from the same domain also acquire storage access when their parent acquires storage access. This approach could be applied recursively down the frame tree.
When a user grants storage access to an iframe, they need not be concerned whether the contents of that iframe are a single page or made up of several pages from the same domain.
I've hit this issue as a developer making use of the Storage Access API. In our case, we are the third-party serving content from a Learning Management System inside of another (first-party) system. We don't have a choice but to make use of frames in order to support learning industry standards. Our main page holds a Javascript API, and then has two frames: one for the training module and one for course navigation.
In Safari 13.1, we're able to successfully acquire storage access for our main page, but then our sub-frames fail because they do not get access to our authentication cookie.
While our specific scenario might fall into the 'non-goals' category, I still believe this request makes sense. I can see this issue applying to others and don't see how it adds any further threat to tracking.