TAG spec review of Storage Access Heuristics

[amaliev]

こんにちは TAG-さん!

I'm requesting a TAG review of Storage Access Heuristics.

The web is moving to deprecate third-party cookies, and not every site developer will have the time and bandwidth to implement workarounds to mitigate user-facing breakage. In particular, flows involving authentication tokens from identity providers are a common web pattern that relies on third-party cookies to operate. This explainer outlines a proposal for granting temporary storage access when a user satisfies certain predefined flows, chosen to balance web compatibility efforts and security/privacy goals.

• Explainer¹ (minimally containing user needs and example code): https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/explainer.md
• Specification URL: https://github.com/whatwg/compat/pull/253
• Tests: https://github.com/web-platform-tests/wpt/pull/43960
• User research: N/A
• Security and Privacy self-review²: https://github.com/amaliev/3pcd-exemption-heuristics/blob/main/tag-privacy-security.md
• GitHub repo (if you prefer feedback filed there): https://github.com/amaliev/3pcd-exemption-heuristics
• Primary contacts (and their relationship to the specification):
  • Anton Maliev (@amaliev , Google): Primary spec author
  • Johann Hofmann (@johannhof, Google): Primary spec reviewer
  • Dominic Farolino (@domfarolino, Google): Primary spec reviewer
  • Jeffrey Yasskin (@jyasskin, Google): Primary spec reviewer
  • Ben Kelly (@wanderview, Google): Spec reviewer
• Organization(s)/project(s) driving the specification: Google, Privacy Sandbox
• Key pieces of existing multi-stakeholder review or discussion of this specification: MDN docs for this feature: https://developer.mozilla.org/en-US/docs/Web/Privacy/Storage_Access_Policy#automatic_storage_access_upon_interaction Safari docs for this feature: https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/#:~:text=Temporary%20Compatibility%20Fix%3A%20Automatic%20Storage%20Access%20for%20Popups PrivacyCG discussion: https://github.com/privacycg/proposals/issues/42 TPAC presentation: TPAC 2023 - Third-party Cookie Deprecation Exemption Heuristics
• External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5181771549507584

Further details:

• [X] I have reviewed the TAG's Web Platform Design Principles
• Relevant time constraints or deadlines: We’re planning to enable this in Chrome M120 (by 12/14/2023) for the Third-Party Cookie Deprecation.
• The group where the work on this specification is currently being done: Web compat and PrivacyCG.
• The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WHATWG / Web compat.
• Major unresolved issues with or opposition to this specification: While other browsers ship these heuristics, there is some lack of clarity regarding to what extent we’d like to specify / standardize them. All involved stakeholders intend for them to be temporary, which is why we opted for specification in the Web Compat spec vs. standardization into HTML.
• This work is being funded by: Google

You should also know that… N/A

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

[torgo]

https://github.com/w3ctag/design-reviews/issues/807

[wanderview]

807

Is there some additional context or meaning to this reply. Sorry if I'm misunderstanding, but more explanation would be helpful to me. Thank you.

[torgo]

Sorry for the lack of context @wanderview - that was more intended as a note-to-self as part of the discussion we held on 12-18. We'll be re-addressing during this week's calls.

[torgo]

Hi @amaliev, @wanderview - thanks for sending this our way.

It appears that for this effort to work there needs to be cross-implementer consensus. You've highlighted multi-stakeholder review/discussion - however it looks like these are documenting the heuristics of other engines - establishing that these other engines have heuristics, yes, but is there a consensus on agreeing common heuristics in the Privacy CG and WebCompat efforts?

It seems like a design goal for this work should be to implement the most minimal set of heuristics possible in order to achieve the other goals. Would you agree?

Is there a deprecation plan for the heuristics? In the case of authentication, for example, there could be a stated goal to remove heuristics as sites move to FedCM.

In the intent to ship, you state that users can turn off heuristics in settings - does that mean that third party cookies would be re-enabled, or would that mean heuristics off and third party cookies off as well? It would be helpful to have language about that in the explainer.

[amaliev]

Hi @torgo , thanks for the feedback! Responding inline below.

is there a consensus on agreeing to common heuristics in the Privacy CG and WebCompat efforts?

We brought this to Privacy CG at TPAC and got a consensus on the general need for these heuristics. The details are being worked out in the WebCompat spec in https://github.com/whatwg/compat/pull/253. We have tried to align with other browsers as much as possible, and the few changes we made were to make the heuristics more restrictive, in response to privacy/security reviews internally. We plan to continue talking with other browsers both on the heuristics and on how to reduce their usage on the web.

It seems like a design goal for this work should be to implement the most minimal set of heuristics possible in order to achieve the other goals.

Agreed. I have added this as an explicit goal in the explainer.

Is there a deprecation plan for the heuristics?

I have also clarified this as a long-term goal in the explainer. Other browsers have indicated that they want to deprecate their versions of the heuristics, but do not have specific plans we could align with yet. Deciding on a deprecation timeline will require future collaboration with other browsers and site devs.

does that mean that third party cookies would be re-enabled, or would that mean heuristics off and third party cookies off as well?

The explainer covers this in the User signals and preferences section. Turning off heuristics would mean third-party cookies are blocked in these cases. (Although most browsers also have user settings for re-enabling cookies in case of breakage.)

[torgo]

Hi @amaliev - this looks good to us and we're happy to see this move forward. Please continue to coordinate through the privacyCG and ensure there is mutli-browser consensus.