Page MenuHomePhabricator
Create Task
Maniphest T359948

Test cross-domain cookie access with Storage Access API
Closed, DuplicatePublic
Actions

Description

Set up two websites on different registrable domains, and test what cross-domain cookie mechanics are enabled by requestStorageAccess() and requestStorageAccessFor() (the Storage Access API and its Chrome extension). This is similar to T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets except the Storage Access API (without RWS) requires user interaction by design, so instead of an invisible iframe we'll need an iframe or popup with a button, at least some of the time.

The things we want to check:

  • Whether both client-side and server-side cookie access is possible, once the user gave permission.
  • Can we avoid unnecessary user interaction? (Ie. also test hasStorageAccess(), not just requestStorageAccess[For](). If the user has storage access, ideally we'd just use an invisible iframe or an AJAX call.)
  • In the case of requestStorageAccess(), how non-obtrusive can we make the process?
  • T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow could be folded into this (it's essentially the same thing, just without calling the Storage Access API, and always doing user interaction).

We should also check whether disabling exemption heuristics makes a difference (see docs for Chrome and Firefox), to make sure we aren't attributing something to Storage Access that's actually only possible due to temporary heuristics.

Webkit has some extra rules for using this API, and a debug mode to help understand what's going on.

Related Objects
Search...

Event Timeline

Tgr created this task.Mar 12 2024, 3:02 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 12 2024, 3:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a comment.Mar 12 2024, 3:03 PM

Relevant (but outdated) description from the parent task:

Use the requestStorageAccess() or requestStorageAccessFor() API, which allow access to third-party cookies. (requestStorageAccess is better supported, but needs to be called by the embedded resource, so it's only usable for iframes; requestStorageAccessFor is called by the embedder.) These would probably be part of using first-party sets, but can be used without those as well; however, then they would require explicit user opt-in (and separately for each domain), making them less practical. Also, they can only be called after user interaction.
support: requestStorageAccess (caniuse) is supported in Firefox and Safari, supported but requires first-party sets in Edge, behind a feature flag in Chrome. requestStorageAccessFor is Chrome-only (chromestatus).

Tgr added a parent task: T345249: Mitigate phase-out of third-party cookies in CentralAuth.Mar 12 2024, 3:03 PM
Tgr updated the task description. (Show Details)Mar 12 2024, 3:14 PM
pmiazga claimed this task.Mar 12 2024, 4:04 PM
Tgr moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.Mar 12 2024, 4:45 PM
Tgr added a comment.Mar 12 2024, 5:10 PM

Back when I looked at requestStorageAccessFor, it was still in development. Now caniuse says it's available, but only works between sites of the same RWS set. So it might not be relevant for this task at all.

Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Mar 12 2024, 5:18 PM
Tgr updated the task description. (Show Details)Mar 14 2024, 11:00 AM
Tgr updated the task description. (Show Details)Mar 14 2024, 12:17 PM
Tgr mentioned this in T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow.
Tgr updated the task description. (Show Details)Mar 14 2024, 12:22 PM
Tgr updated the task description. (Show Details)
Tgr updated the task description. (Show Details)Mar 14 2024, 12:29 PM
Tgr updated the task description. (Show Details)Mar 14 2024, 2:28 PM
Tgr updated the task description. (Show Details)Mar 14 2024, 3:49 PM
Tgr added a comment.Apr 15 2024, 9:00 PM

This is similar to T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets except the Storage Access API (without RWS) requires user interaction by design

As it turns out it requires user interaction with RWS as well. There is probably no point in having two separate tasks, there is a large overlap between the things that need to be checked.

Tgr closed this task as a duplicate of T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets.Apr 15 2024, 9:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits