Contact emails

cfred...@chromium.org

Explainer

None

Specification

https://github.com/privacycg/storage-access/pull/213

Summary

Adjusts the Storage Access API semantics to strictly follow the Same Origin 
Policy, w.r.t. security. I.e., using document.requestStorageAccess() in a 
frame only attaches cookies to requests to the iframe's origin (not site) 
by default.

Note: the CookiesAllowedForUrls enterprise policy and/or Storage Access 
Headers may still be used to unblock cross-site cookies.


Blink component

Blink>StorageAccessAPI 
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EStorageAccessAPI%22>

TAG review

Not requested since this is a small change to the existing Storage Access 
proposal that improves security and has no impact on privacy or user 
experience.

TAG review status

N/A

Risks

Interoperability and Compatibility

The Storage Access API specification is imprecise about its integration 
with Fetch, and does not define whether same-site, cross-origin requests 
ought to be credentialed after an iframe has used the Storage Access API.

Chrome and Firefox both currently include cookies on these same-site 
cross-origin requests, so there is some risk to making their behaviors 
diverge. We have discussed this with other browser vendors and they 
expressed that they were not concerned with Chrome making this change.

However, the Storage Access API currently has very little usage in Chrome 
(0.08% of pageloads). The cross-origin, same-site subset of usage is an 
even smaller portion (9% of network requests from affected pageloads). So, 
the impact of breakage is small regardless.

Sites that are broken by this can fix themselves using the recently-shipped 
Storage 
Access Headers 
<https://groups.google.com/a/chromium.org/g/blink-dev/c/gERgwZfN_-E/m/QIJbT1zUCgAJ>
 
feature.


Gecko: No signal

WebKit: No signal

Web developers: Positive (
https://github.com/privacycg/storage-access/issues/210#issuecomment-2527687508
)

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications?

None


Debuggability

Cookies (and the reasons why they are included/excluded) are debuggable via 
the Network panel in Chrome DevTools.


Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
?

Yes

https://wpt.fyi/results/storage-access-api/requestStorageAccess-cross-origin-fetch.sub.https.tentative.window.html


Flag name on about://flags

storage-access-api-follows-same-origin-policy

Finch feature name

StorageAccessApiFollowsSameOriginPolicy

Requires code in //chrome?

False

Tracking bug

https://crbug.com/379030052

Estimated milestones

136


Anticipated spec changes

None anticipated.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5169937372676096?gate=5134161335287808

This intent message was generated by Chrome Platform Status 
<https://chromestatus.com/>.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f5819aa2-8113-4a59-8e77-65aff0d585ddn%40chromium.org.

Reply via email to