Summary: Currently, there are inconsistent rules about the availability
of persistent storage in third-party iframes across different types of
storage (such as caches, IndexedDB, localStorage, sessionStorage, and
cookies). We are looking to unify these behaviors into a consistent set
of rules for when persistent storage should be available. We have
modeled this after our cookie rules, and now use the cookie behavior
preference to control third party access to these forms of persistent
storage. This means that IndexedDB (which was previously unconditionally
disabled in 3rd-party iframes) is now available in 3rd party iframes
when the accept third-party cookies preference is set to "Always". As
our current definition of accepting third-party cookies from "Only
Visited" makes no sense for non-cookie storage, we currently treat this
preference for these forms of storage as though the preference was "Never".
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1184973
Link to standard: N/A.
Platform coverage: All platforms.
Target release: Firefox 43.
Preference behind which this will be implemented: None, although the
preference "network.cookie.cookieBehavior" will be used to guide the
behavior of storage in third-party iframes.
DevTools bug: N/A.
Do other browser engines implement this: Based on my quick testing:
Chrome uses its third party preference to control access to
localStorage and sessionStorage, but not IndexedDB or caches. Safari
appears to use its preference to control IndexedDB, but not
sessionStorage or localStorage. IE appears to only use its 3rd party
preference for cookies. All other browsers allow IndexedDB in 3rd party
iframes with default settings.
Security & Privacy Concerns: This changes how websites can store data on
the user's machine.
Web designer / developer use-cases: Previously, we had made IndexedDB
unavailable in 3rd-party iframes. Web developers will now be able to use
IndexedDB in 3rd party iframes when the user has the accept cookies
preference set to always.
Michael
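
Added example, not part of the original post or of Firefox's code: a probe that code embedded in a third-party iframe can run to find out whether the user's cookie preference leaves localStorage, sessionStorage and IndexedDB usable. The post does not say how a denial is reported, so the probe assumes it may appear as a throwing getter, a throwing open() call, a missing object, or an error event; all function names and the stand-in window objects are constructed for this example.

```javascript
// Added example; function and variable names are this example's own.
function probeWebStorage(win, name) {
  // name: "localStorage" or "sessionStorage". A blocked getter may itself
  // throw, so the property access has to sit inside the try.
  try {
    const store = win[name];
    if (!store) return false;
    const key = "__storage_probe__";
    store.setItem(key, "1");
    const ok = store.getItem(key) === "1";
    store.removeItem(key);
    return ok;
  } catch (e) {
    return false;
  }
}

function probeIndexedDB(win) {
  // Resolves true/false, never rejects. Denial may surface as a throw from
  // the getter or open(), or later as the request's error event.
  return new Promise((resolve) => {
    try {
      const idb = win.indexedDB;
      if (!idb) return resolve(false);
      const req = idb.open("__storage_probe__");
      req.onerror = () => resolve(false);
      req.onsuccess = () => {
        req.result.close();
        idb.deleteDatabase("__storage_probe__");
        resolve(true);
      };
    } catch (e) {
      resolve(false);
    }
  });
}

// Constructed stand-ins for a frame's window (not real browser objects).
function fakeStore() {
  const m = new Map();
  return { setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k),
           getItem: (k) => (m.has(k) ? m.get(k) : null) };
}
const allowedWindow = { localStorage: fakeStore(), sessionStorage: fakeStore() };
const blockedWindow = {
  get localStorage() { throw new Error("SecurityError"); },
  get sessionStorage() { throw new Error("SecurityError"); },
  indexedDB: { open() { throw new Error("SecurityError"); } },
};
```

In a page, call `probeWebStorage(window, "localStorage")` and `probeIndexedDB(window).then(...)` before relying on either store, and fall back to in-memory state when the result is false.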