Closed bretticus-mc closed 6 months ago
johannhof
commented
7 months ago @arichiv I think non-cookie storage for Storage Access API solves this, right? And for ABA it will just auto-grant. Using SAA would also be a way to get your cross-site cookies back, although we're thinking about re-allowing this when the inner A requests are CORS-enabled, also described in https://github.com/explainers-by-googlers/standardizing-cross-site-cookie-semantics/issues/9, cc @dcthetall
wanderview
commented
7 months ago As I understand it, for these two scenarios:
A2 will have partitioned storage separate from A4 due to the ancestor chain bit in the first scenario.
bretticus-mc
commented
7 months ago Just to clarify, It's Iframe 1: A1 -> B -> A2 Iframe 2: A1 -> A3
Both iframes are on the same site. But A2 being embedded in B is enough to cause a separate storage partition.
Is non-cookie storage for the Storage Access API going to be implemented in Chrome? I'll be able to call document.requestStorageAccess({all: true}); and it will grant A2 access to the SharedWorker in A3?
wanderview
commented
7 months ago Is non-cookie storage for the Storage Access API going to be implemented in Chrome?
This is available in an origin trial now. It looks like SharedWorker support was added in M123:
https://developers.google.com/privacy-sandbox/blog/saa-non-cookie-storage
arichiv
commented
7 months ago The intent is to ship the API in Chrome 125
bretticus-mc
commented
7 months ago Thanks, the ship date was my next question.
And for ABA it will just auto-grant.
Will the SAA request still need to be tied by a user-gesture for the auto grant? Or can I just call document.requestStorageAccess() programmatically and it be auto-approved?
johannhof
commented
7 months ago No user gesture will be necessary in ABA settings, it'll be granted immediately.
We have an iframe on Site A that embeds Site B, which embeds Site A.
Site A also has an iframe that embeds Site A.
The two embedded Site A’s each start a SharedWorker.
I’m seeing in my configuration this is creating two separate SharedWorkers on Site A. Should they not use the same SharedWorker because both iframes share the same TLD+1?
I’m also seeing that the Site A iframe embedded in Site B doesn’t get access to the top-level Site A’s unpartitioned cookies. Shouldn’t the Site A iframe inherit the top-level’s cookies since they would be first-party cookies? This currently works with a Partitioned Cookie but I see this functionality is going away with the addition of an Ancestor Chain Bit.