
Test cross-domain cookie access with the Storage Access API and Related Website Sets
Open, Needs Triage, Public

Description

Set up two websites on different registrable domains, and test what cross-domain cookie mechanics are enabled by RWS.

The things we want to check:

  • Can you read/write third-party cookies on the server side without user interaction (in a cross-domain AJAX request or invisible pixel)?
  • Can you read/write third-party cookies on the client side without user interaction? Can this be made 100% unobtrusive to the user? (Presumably that would require an invisible iframe.) Can the parent web page react to the process finishing? (Esp. in the scenario when something goes wrong - is there something similar to a failure handler in an AJAX request, or something that can be done with a timer?)
  • T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow could be folded into this (it's essentially the same thing, just without calling the Storage Access API, and always doing user interaction).

There are two possible approaches: requestStorageAccess, which is cross-browser and could be used to build a workflow that works on non-RWS-supporting browsers by falling back to a permission prompt; and requestStorageAccessFor, which is more powerful and probably the only way to use AJAX requests, but Chrome-only. We should check both.

Note that there are two ways to register a domain in RWS (primary/associated and service), with some notable differences in behavior.

For background on the Related Website Sets spec (previously called First-Party Sets), see T345589: Investigate the First-Party Sets / Related Website Sets browser API. See Chrome docs on how to set custom RWS settings in a browser. This might require registering some throwaway domains, because of the .well-known requirements.

We should also check whether disabling exemption heuristics makes a difference (see docs for Chrome), to make sure we aren't attributing something to RWS that's actually only possible due to temporary heuristics.

WebKit has some extra rules for using the Storage Access API, and a debug mode to help understand what's going on.

Event Timeline

Restricted Application added a subscriber: Aklapper.
Tgr renamed this task from Test cross-domain authentication with Related Website Sets to Test cross-domain cookie access with Related Website Sets. Mar 12 2024, 12:33 PM

The code is in https://gitlab.wikimedia.org/tgr/sul3-rws, and the test site is at https://sul3-rws-test.toolforge.org/ (and the other one at https://sul3-rws-login.toolforge.org/, but that doesn't need to be visited directly). It's not quite working as expected yet; I'm still figuring out the various Storage Access API related behaviors.

The two most interesting things I learned so far:

  • requestStorageAccess[For] requires a user gesture, even with RWS. There is still a substantial difference between requestStorageAccess and requestStorageAccessFor + RWS: the former needs a user gesture within the embedded resource, the second one within the top-level document. So that could be fulfilled by clicking on edit / typing into the edit form / etc. This is probably enough for the "authenticate temp user before saving an edit" use case, but not enough for CentralAuth-style autologin on first visit.
  • navigator.permissions.query lies most of the time and just returns prompt (unless the user manually accepted a previous request in the past), even if the request would be accepted without a prompt due to RWS/heuristics/whatever. It will also return prompt if the user explicitly denied the request in the past (and so there will be no prompt). Supposedly this is for security reasons, to limit the information collection ability of malicious websites. This makes RWS, and in general the Storage Access API, harder to use if we want to avoid popups. Potentially to the extent where it doesn't make sense to use it anymore, but not sure about that yet.
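
The two findings in the comment above, as an added example that is not taken from the sul3-rws repository: a helper for the embedded iframe that treats the `navigator.permissions.query` result as advisory only and decides on the actual outcome of `requestStorageAccess()`, with a timer for the case where nothing comes back. The names `tryStorageAccess` and `fakeBrowser`, the outcome labels and the timeout value are assumptions made for illustration.

```javascript
// Added example (not from the sul3-rws repository). Meant to run inside the
// embedded cross-site iframe, from a user-gesture handler. `doc` and `perms`
// default to the browser objects and are injectable so the logic runs offline.
async function tryStorageAccess(
  doc = globalThis.document,
  perms = globalThis.navigator && globalThis.navigator.permissions,
  timeoutMs = 5000 // hypothetical budget for a prompt that is never answered
) {
  const result = { hadAccess: false, reportedState: 'unknown', outcome: 'unsupported' };
  if (!doc || typeof doc.requestStorageAccess !== 'function') return result;

  result.hadAccess = await doc.hasStorageAccess();
  if (result.hadAccess) { result.outcome = 'granted'; return result; }

  // Advisory only: per the comment above, this is usually "prompt" whether the
  // call will be auto-granted, shown as a prompt, or denied without one.
  try {
    result.reportedState = (await perms.query({ name: 'storage-access' })).state;
  } catch (e) { /* permission name or Permissions API not available */ }

  // The real signal is whether requestStorageAccess() resolves or rejects.
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve('timeout'), timeoutMs);
  });
  const request = doc.requestStorageAccess().then(() => 'granted', () => 'denied');
  result.outcome = await Promise.race([request, timeout]);
  clearTimeout(timer);
  return result;
}

// Constructed stand-ins for the browser objects (sample input, not captured data).
function fakeBrowser({ state, grant, hang = false }) {
  return {
    doc: {
      hasStorageAccess: async () => false,
      requestStorageAccess: () => hang ? new Promise(() => {})
        : grant ? Promise.resolve()
        : Promise.reject(new Error('NotAllowedError')),
    },
    perms: { query: async () => ({ state }) },
  };
}
```

In the iframe, the returned object can be relayed with `window.parent.postMessage` so the top-level page can react to every outcome, including the timeout.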
Tgr renamed this task from Test cross-domain cookie access with Related Website Sets to Test cross-domain cookie access with the Storage Access API and Related Website Sets. Mon, Apr 15, 9:02 PM
Tgr updated the task description.
Tgr added a subscriber: pmiazga.