Viewing media from different domains - cultural heritage interoperability

[tomcrane]

Thank you @johnwilander for pointing us at the work of this group.

Our motivating use case is:

The user is logged in to Image Publisher with domain name image-publisher.example and is now visiting viewer.example, which allows users to view images from multiple image publishers using the accounts they have with those publishers. The user taps/clicks on a link to an image from image-publisher.example in order to view it at full resolution, which requires authenticated access via cookies. The onclick event handler in the viewer.example application calls the Storage Access API to request cookie access needed to authenticate the user cross-site to image-publisher.example. The user has not used viewer.example before and thus gets prompted to allow or disallow storage access, decides to allow storage access, and the browser retrieves the full image from image-publisher.example, rendered to the user via an <img> tag (or <canvas>, or similar) in the viewer.example page.

This use case is further described in this 3 minute read.

Differences from current storage-access use cases

In current storage-access use cases, the publisher's code (in an iframe) is asking permission for the browser to send cookies to it (the publisher); whereas here the application page is asking permission for the browser to send cookies to the publisher. The application doesn't need access to the cookies, just that they be sent to the publisher to establish the identity of the user.

API

(staying as closely as possible to the existing example but acknowledging that it might be a different API)

Here the code belongs to the viewing application; the document is the viewer itself, rather than an embedded iframe from the publisher.

var promise = document.hasStorageAccess("publisher.example");
promise.then(
  function (hasAccess) {
    showImage();
  },
  function (reason) {
    // now we know the browser isn't going to send cookies even if it has them
    var promise = document.requestStorageAccess("publisher.example");
    promise.then(
      function () {
        showImage();
      },
      function () {
        // Storage access was denied.
      }
    );
  }
);

function showImage(){
  // Here's where we might establish whether the user is logged in to publisher.example
  // and if not, send them over there first, before trying this:
  theImage.src = "https://publisher.example/image.jpg";
  // (and react to this failing, if it fails)
}

[johnwilander]

Hi! Thanks for filing. It's hard for me to follow with "publisher," "viewer," and "application." Can we reframe as top frame and partitioned iframe? Are you suggesting that the top frame requests storage access on behalf of the partitioned iframe? If so, why is that a requirement?

[azaroth42]

Thanks for the super prompt response! I hope the following helps clarify the use case we have.

There are no iframes in this scenario. The top frame in the viewer.example document needs to ask permission for cookies that the browser has for publisher.example be sent to publisher.example when requests are made to that host, such that they can be used to establish that the user has logged in.

The scenario is, essentially the "deep linking / hot linking" of images, where the images require cookies to be sent across domains. For example, try the demos for these applications:

• https://projectmirador.org/
• https://universalviewer.io/

That pull in images from third parties ... but imagine that cookies needed to be sent from those application sites to the image hosting sites. Thus they (called viewer in the use case) would need to do something like the code that @tomcrane wrote above.

[michael-oneill]

In the first example there does not seem to be any third-party cookies (cookies sent to iiif.bodleian.ox.ac.uk) The authentication looks like it is in the url e.g. https://iiif.bodleian.ox.ac.uk/iiif/image/e58b8c60-005c-4c41-a22f-07d49cb25ede/info.json If that value is derived from first-party state (i.e. cookies) there should be no problem (with e.g. ITP)? There might be in future with first-party cookie restrictions but they will probably only about reducing expiry times in some circumstances.

[tomcrane]

Although real world applications are usually far more complex, the essence of the problem can be reduced to a very simple scenario.

Starting condition - user is logged in at publisher.org and has a session. On a web page at publisher.org, user can view access controlled images because the session cookie is sent with the image request.

<img src="https://publisher.org/image.jpg" />

Over at viewer.org, the user is working on an art annotation project using this same image from publisher.org. Even though a direct first party request for https://publisher.org/image.jpg works for the user (because they have a session), when that request is initiated from viewer.org, the image is broken because the browser policy no longer permits third party cookies to be sent.

<img src="https://publisher.org/image.jpg" />

Cross domain interoperability for access controlled images relies on third party cookies. Recently implementations have had to make sure they were using SameSite headers correctly, but it still worked.

Real world example:

https://wellcomelibrary.org/item/b1987280x

The image resources are on a different domain from the web page. Access to these resources requires a cookie, which in this case is granted by publisher.org if you accept the terms (this simple pattern is called "clickthrough" in our spec).

This page still works in my version of Chrome, but it doesn't work in Safari any more, and soon won't work in Chrome if third party cookies are removed.

We understand that the web feature that enables this interoperability is the same web feature that is abused by trackers. Consensual opt-in to third party cookies via browser API solves this more elegantly. The other part of our spec is about how viewer.org client code learns whether the user has credentials for https://publisher.org/image.jpg without having to know anything about the credentials themselves, which might be a use case for isLoggedIn - but that's a different issue!

[azaroth42]

@michael-oneill wrote:

In the first example there does not seem to be any third-party cookies ...

Apologies for being unclear, that was what I meant by "Imagine" ... those examples don't have cookies, but there are many very similar situations where there are cross-site cookies needed, as @tomcrane explains above.

[johnwilander]

We understand that the web feature that enables this interoperability is the same web feature that is abused by trackers. Consensual opt-in to third party cookies via browser API solves this more elegantly.

That is the Storage Access API. Have the image source offer a document you can load in an iframe where there’s a button to request storage access. When the user taps, the image source calls the Storage Access API and the browser will apply its logic for user permission and open up cookie access if the user allows. At this point, the iframe can let the top frame know that it can now load the images.

One of the reasons why the top frame is not allowed request storage access on behalf of partitioned sites is that there’s no appropriate time to do so. On page load would take us back to modal prompts as soon as you land on a page. Tapping/clicking somewhere on the page will only be marginally better. I believe we would very quickly get to sites asking the user for permission to allow cookies for tracking on page load or first tap.

The other part of our spec is about how viewer.org client code learns whether the user has credentials for https://publisher.org/image.jpg without having to know anything about the credentials themselves, which might be a use case for isLoggedIn - but that's a different issue!

It’s highly unlikely that sites will be intentionally able to gain any knowledge about cross-site resources’ unpartitioned state. If that would be allowed, it could be used for fingerprinting similar to login fingerprinting (see “Disables Login Fingerprinting” in our blog post).

It would have to be the partitioned resource provider inspecting its state in some form. How to prevent collusion to achieve login fingerprinting is still unresolved.

[tomcrane]

Hi @johnwilander

the image source calls the Storage Access API and the browser will apply its logic for user permission and open up cookie access if the user allows. At this point, the iframe can let the top frame know that it can now load the images.

This sounds great if I'm reading it right - I was looking at the README which says:

If an iframe is granted storage access through the API, only that calling iframe and its subresources should have access to storage.

The key thing in the above scenario would be that the top page knows it is OK to set the .src of its image tags (for example) once it receives a message from the image source's document in the iframe, because it now can be sure that any cookies the user might have for the image source will be sent. The image tags are in the outer page, not in the iframe; the iframe is just acting as a messaging mechanism - is that right?

[tomcrane]

(PS - related topic, you might be interested in how we use an iframe to allow the image source to pass a token to the client application, for it to gain knowledge of the client's current access to the image source's resources. The client uses this token as a proxy for the actual credential - a cookie, usually - on API interactions. The token can't be use to access the protected resources (it is not itself a credential), but it can be used to probe API endpoints which give the HTTP status that the protected resource would return if the user requested it with the credential represented by the token).

https://iiif.io/api/auth/1.0/#interaction-for-browser-based-client-applications

[johnwilander]

Hi @johnwilander

the image source calls the Storage Access API and the browser will apply its logic for user permission and open up cookie access if the user allows. At this point, the iframe can let the top frame know that it can now load the images.

This sounds great if I'm reading it right - I was looking at the README which says:

We may still have references to per-frame access in the spec. However, we have switched to a per-page storage access model based on developer feedback and cross-browser discussions: #3.

WebKit/Safari has per-page storage access out in current betas: https://webkit.org/blog/11545/updates-to-the-storage-access-api/

I believe both Firefox and Edge are already shipping with per-page storage access.

If an iframe is granted storage access through the API, only that calling iframe and its subresources should have access to storage.

The key thing in the above scenario would be that the top page knows it is OK to set the .src of its image tags (for example) once it receives a message from the image source's document in the iframe, because it now can be sure that any cookies the user might have for the image source will be sent. The image tags are in the outer page, not in the iframe; the iframe is just acting as a messaging mechanism - is that right?

Yes. But I would point out that the iframe crucially provides an execution context where storage access can be requested. JavaScript running in the iframe is running in the origin for which the desired cookies are stored. That’s how the browser knows which site is requesting access.

[michael-oneill]

I know it might not be as smooth a UI but have you considered opening another window (i.e. a new tab) to the image serving site with window.open, then posting suitable authentication information back to the window.opener with postMessage? The opened window could inform the user what is happening etc.

[tomcrane]

...opening another window (i.e. a new tab) to the image serving site with window.open, then posting suitable authentication information back to the window.opener with postMessage?

This is pretty much how our current flow works:

https://iiif.io/api/auth/1.0/

This flow, while fiddly, continues to work (although a more formal way of doing this would be nice). The exchange of information is still going to be possible, but the simple HTTP requests (e.g., from an img tag src) that would then follow that initial exchange won't work, without third party cookies.

I think our next step is to prepare a demonstrator of the auth flow that includes the storage-access request, and see if we can get the flow working again in Safari using that.

[michael-oneill]

But couldn't you encode the authentication in the src url? Keep it in a first-party cookie between sessions.

[tomcrane]

The goals/assumptions of the spec included:

• Institutions have different existing access control systems.
• Most IIIF viewers are client-side JavaScript applications, and may be served from a domain that is different from, and thus untrusted by, the image services that it is required to load.
• Similarly, the domain of the authentication services may be different from that of a viewer or the IIIF-based content. Therefore, the authorizing server must not require any prior knowledge of the domain hosting the viewer.
• A IIIF client should not authenticate the user itself; the server hosting the content must be responsible for capturing credentials from a user and the IIIF viewer needs no knowledge of or access to this exchange.
• Institutions should be able to use their existing authentication systems without modification.

Encoding the auth information into the request URLs for the assets themselves would mean that libraries, museums, universities etc need our auth protocol protecting content resource requests, instead of whatever protocol they use at the moment. With the current spec they don't need to do that; acquisition and format of credentials is external to the spec. The spec's protocol is about information leakage from the publisher to compliant viewers, which is a simpler thing to have running alongside SSO or whatever, for these particular image resources.

But yes, you're right - without third party cookies, the current spec would need to be replaced by something completely different - a specific auth protocol that encodes credentials into the request URL, rather than an adjacent protocol for revealing information about the user's ability to access a resource (but crucially, never credentials), independent of the auth protocol in use.

[michael-oneill]

I understand. So the cookie method would would work, as long as the third-party cookies were partitioned and not ephemeral?
The user would have to log in via an iframe and the credentials communicated back to be stored by the first-party
Is the issue now about getting the postMessaging script onto the image source site?

[johannhof]

So this is a lot to process, sorry if this has already been answered, but where does the requirement for supporting plain <img> tags in this flow come from? The use cases you're drawing up greatly benefit from using iframes as viewers for these 3rd party images, and the storage access API fits perfectly into that, AFAICT.

With iframes, institutions could continue using their access control backend for the images in addition to a JS file that runs the iframe document to check for storage access, display UI to notify the user, etc.