privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

explicit revoke and automatic expiry #7

Closed michael-oneill closed 4 years ago

michael-oneill commented 4 years ago

There should be a way for embedded contexts to explicitly revoke their storage access if they no longer need it, along with a way to pass an expiry time parameter when they call requestStorageAccess. The expiry time would be limited to an overall browser-enforced maximum.

othermaciej commented 4 years ago

Giving up storage access is of limited effectiveness, since the frame has already had a chance to read state by then, and could be storing it in a variable. Sure, it won't see new writes, but if all it wanted to do is read a unique ID, it won't be affected. Given all that, what is the use case for revocation?

I'm also unsure about automatic expiration based on a timeout. I guess since there's a browser-enforced maximum, this is intended as an action on behalf of the user, but I'm not clear on the threat it protects against.

michael-oneill commented 4 years ago

Once storage access is revoked, there will be no access to cookies or localStorage for embeds. Anything stored in JavaScript variables would only apply to the context which had storage access, but in subsequent contexts after expiry it is lost. This is less about mitigating a threat than encouraging good data protection discipline by the companies using embeds, e.g. data limitation and freely-given user consent as a legal basis. If consent is obtained it must be capable of being withdrawn at any time, and as easy to withdraw as to give.
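The two positions above (a frame that already read an ID keeps it in a variable after revocation, versus a fresh context after expiry that has neither the grant nor the variable) as an added, constructed model. This is not code from the proposal or any browser: the real `document.requestStorageAccess()` has no expiry or revoke parameter, and the grant table, TTL cap, origin and cookie values here are all assumed sample data.

```javascript
// Constructed model of storage-access grants with a requested expiry, written to
// illustrate the thread's argument. It is not the browser API: real pages call
// document.requestStorageAccess(), which today has no expiry or revoke parameter.

const BROWSER_MAX_TTL_MS = 24 * 60 * 60 * 1000; // hypothetical browser-enforced cap

// Browser-side state: the embedded origin's cookie jar (sample data) and
// the grant table keyed by embedded origin.
const cookieJar = new Map([['uid', 'sample-id-123']]);
const grants = new Map(); // origin -> { expiresAt, revoked }

function requestStorageAccess(origin, requestedTtlMs, now) {
  const ttl = Math.min(requestedTtlMs, BROWSER_MAX_TTL_MS); // clamp to the browser cap
  grants.set(origin, { expiresAt: now + ttl, revoked: false });
}
function revokeStorageAccess(origin) { const g = grants.get(origin); if (g) g.revoked = true; }
function hasStorageAccess(origin, now) {
  const g = grants.get(origin);
  return !!g && !g.revoked && now < g.expiresAt;
}

// An embedded document: can read cookies only while the grant is active, and may
// keep what it read in a JS variable (othermaciej's point).
class EmbedContext {
  constructor(origin) { this.origin = origin; this.cachedUid = null; }
  readCookie(name, now) {
    return hasStorageAccess(this.origin, now) ? (cookieJar.get(name) ?? null) : null;
  }
  loadUid(now) { this.cachedUid = this.readCookie('uid', now); return this.cachedUid; }
}

// Revoking inside the same context: the cookie is gone, the cached variable survives.
function revokeWithinContext() {
  grants.clear();
  const embed = new EmbedContext('https://embed.example');
  requestStorageAccess(embed.origin, 60_000, 0);
  embed.loadUid(0);
  revokeStorageAccess(embed.origin);
  return { fromCookie: embed.readCookie('uid', 1), fromVariable: embed.cachedUid };
}

// A later, fresh context: within the TTL it still reads the cookie; after expiry
// it has neither the grant nor the old variable (michael-oneill's point).
function freshContextAt(now) {
  grants.clear();
  const first = new EmbedContext('https://embed.example');
  requestStorageAccess(first.origin, 60_000, 0);
  first.loadUid(0);
  const later = new EmbedContext(first.origin); // new document, new JS heap
  return { fromCookie: later.readCookie('uid', now), fromVariable: later.cachedUid };
}
```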

annevk commented 4 years ago

Well, we don't have revocation APIs for other permissions. It's not immediately clear to me the site should have a say in that. (It also opens up new abuse vectors that would have to be thought through and closed, for instance.)

michael-oneill commented 4 years ago

If you mean by site the embed, then it does have a say: it is actively calling requestStorageAccess. Once data access is no longer needed it should be able to revoke. The top-level site does not have a say, true, but that is another issue. It should have the ability to block all or some embeds from being given access, say by FP header.

hober commented 4 years ago

I'm going to close out this issue, as I think the discussion has run its course. Please let me know if we should re-open.