Contact emails
mreichh...@chromium.org, kaustub...@chromium.org, johann...@chromium.org

Explainer
https://github.com/mreichhoff/requestStorageAccessForSite

Specification
We do not have a draft specification yet, but we hope to further incubate and develop the API, and specify it as an extension of the existing Storage Access API <https://privacycg.github.io/storage-access/>.

TAG review
Not yet filed.

Blink component
Blink>StorageAccessAPI

Summary
This intent proposes an extension to the Storage Access API <https://privacycg.github.io/storage-access/> (which was previously implemented <https://groups.google.com/a/chromium.org/g/blink-dev/c/e5fu5Q06ntA/m/1KF5oNEXAgAJ> in Chromium by the Microsoft Edge team). The extension allows a top-level site to request access to unpartitioned ("first-party") cookies on behalf of embedded sites. We intend for sites to utilize this API as one of the replacements for third-party cookies, which are being phased out <https://privacysandbox.com/intl/en_us/open-web/#the-privacy-sandbox-timeline> in Chrome.

This extension of the Storage Access API inverts the direction of the `requestStorageAccess` request, which is called by the embedded site once it receives a user interaction. Browsers will have discretion to grant or deny access. See the explainer <https://github.com/mreichhoff/requestStorageAccessForSite> for much more information, including about the elevated trust requirement <https://github.com/mreichhoff/requestStorageAccessForSite#elevated-trust-requirement>.

Motivation
Multiple browsers supporting the Storage Access API have implemented an internal API similar to requestStorageAccessForSite, indicating it is useful for websites that depend on authenticated/personalized content served from cross-site origins. We intend it to aid in unblocking certain cross-site, same-First-Party Set <https://github.com/krgovind/first-party-sets/> use cases previously addressed by the now-archived SameParty cookie attribute <https://github.com/cfredric/sameparty>.

Risks

Interoperability and Compatibility
The new API is in the process of being specified. Because it is additive, it does not present a significant risk to existing code (with the only risk being sites that would have added an identically named method to the document object). Feedback is currently being sought; these are TODOs but need not block prototyping.

Firefox: TODO
Edge: TODO
Safari: TODO
Web developers: TODO

Ergonomics
See the key scenarios <https://github.com/mreichhoff/requestStorageAccessForSite#key-scenarios> and design discussions <https://github.com/mreichhoff/requestStorageAccessForSite#detailed-design-discussion> on the explainer. Note that some details, like origin vs site scoping, are still being determined.

Security
Please see the security and privacy considerations section of the explainer <https://github.com/mreichhoff/requestStorageAccessForSite#privacy-and-security-considerations>. There are some details, like potential CORS requirements, that are still being considered.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes, all Blink platforms are in scope.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
web-platform-test coverage will be added as part of this effort, once the spec is sufficiently defined.

Feature flag (until launch)
--enable-features=StorageAccessAPI-rsaFor (note that the larger StorageAccessAPI is behind the flag: StorageAccessAPI; the new flag name is subject to change)

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5122534152863744