Contact emails

cfred...@chromium.org, johann...@chromium.org, shuu...@chromium.org

Explainer

https://github.com/cfredric/chrome-storage-access-api

https://github.com/privacycg/storage-access/blob/main/README.md

Specification

https://privacycg.github.io/storage-access

Summary

The Storage Access API provides a means for authenticated cross-site embeds
to check whether they have access to their unpartitioned cookies and
request access to unpartitioned cookies if they are blocked. Chrome already
supports the Storage Access API across sites within the same First-Party
Set, in conformance with the specification, and now we intend to prototype
support for user permission prompts and user-agent-specific permission
behaviors in line with what other browsers are shipping.

Note that Edge previously sent an I2I
<https://groups.google.com/a/chromium.org/g/blink-dev/c/e5fu5Q06ntA/m/UUqPuA8hEQAJ>
for the Storage Access API feature, but we felt it was appropriate to send
a new I2P given that Chrome previously shipped
<https://groups.google.com/a/chromium.org/g/blink-dev/c/V9PzoCvIIIs/m/CZ4JT7YaAgAJ>
support for the Storage Access API gated on First-Party Sets membership and
did not support prompts.

Blink component

Blink>StorageAccessAPI
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorageAccessAPI>

Motivation

Chrome currently supports the Storage Access API without a user prompt –
access is only granted based on First-Party Sets. However, some user
experiences rely on access to unpartitioned cookies in cross-site contexts
and are not supported by the existing solution. The Storage Access API with
prompts provides a way for sites to request cross-site cookie access to
enable these use cases. We aim to implement this in a way that does not
overwhelm users with prompts or compromise their privacy.


Initial public proposal

https://github.com/whatwg/html/issues/3338

TAG review

https://github.com/w3ctag/design-reviews/issues/807

TAG review status

Positive
<https://github.com/w3ctag/design-reviews/issues/807#issuecomment-1431464692>

Risks

Interoperability and Compatibility

There is minor compatibility risk as Firefox and Safari already differ
slightly in their user-agent-specific prompt requirements. Chrome's planned
behavior is closest to Safari's current behavior, and we aim to standardize
as much of this user-agent-specific behavior as possible over time.

Gecko: Shipping

WebKit: Shipping

Web developers: Positive

There has been great developer interest in the Storage Access API, given
that it provides the only predictable way of working with cross-site
cookies in many browsers. Various developers have chimed in on
https://github.com/whatwg/html/issues/3338 and filed issues on
https://github.com/privacycg/storage-access.

Other signals: Edge has shipped Blink's current implementation of this
behavior, which differs from Chrome's plans. We have kept (and intend to
continue keeping) Edge engineers in the loop about these changes and there
will be feature flags to control this behavior.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None


Debuggability

None


Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No, because prompt behavior and user-agent-specific behaviors are not
testable. The Storage Access API itself is tested at
https://wpt.fyi/results/storage-access-api.

Flag name

StorageAccessAPI, PermissionStorageAccessAPI

Requires code in //chrome?

True

Estimated milestones

Desktop 117

Android 119


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5085655327047680

Links to previous Intent discussions

https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/e5fu5Q06ntA/m/1KF5oNEXAgAJ

https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/V9PzoCvIIIs/m/b4R9G0xoCQAJ


This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.

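
The check-then-request flow the Summary describes, written from the embed's side as an added example (not part of the original message and not Chrome's code). It uses `document.hasStorageAccess()`, `document.requestStorageAccess()` and the `storage-access` permission name; the names `ensureCookieAccess` and `makeStubEmbed`, the return shape and the stub are assumptions made for illustration.

```javascript
// Added example, not code from the intent or from Chrome. Meant to run inside
// a cross-site iframe as ensureCookieAccess(document, navigator.permissions, ...).
// The function name, the return shape and the stub below are assumptions.
async function ensureCookieAccess(doc, permissions, { userGesture = false } = {}) {
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return { access: false, reason: "unsupported" };
  }
  // Check first: nothing to request if unpartitioned cookies are available.
  if (await doc.hasStorageAccess()) {
    return { access: true, reason: "already-had-access" };
  }
  // Read the permission state so a prompt is only attempted from a user gesture.
  let state = "prompt";
  try {
    state = (await permissions.query({ name: "storage-access" })).state;
  } catch (_) {
    // Permission name unknown to this browser: assume a prompt would be needed.
  }
  if (state !== "granted" && !userGesture) {
    return { access: false, reason: "needs-user-gesture" };
  }
  try {
    await doc.requestStorageAccess(); // rejects if the browser or user says no
    return { access: true, reason: state === "granted" ? "prior-grant" : "user-granted" };
  } catch (_) {
    return { access: false, reason: "rejected" };
  }
}

// Constructed stand-in for an embedded document, for running outside a browser.
function makeStubEmbed({ hasAccess = false, state = "prompt", userAccepts = true } = {}) {
  const doc = {
    requests: 0,
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      doc.requests += 1;
      if (state !== "granted" && !userAccepts) throw new Error("NotAllowedError");
      hasAccess = true;
    },
  };
  const permissions = { query: async () => ({ state }) };
  return { doc, permissions };
}
```

In a page, call it once on load without `userGesture` and again from a click handler with `userGesture: true` when the first call returns `needs-user-gesture`.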