Chrome 141/Firefox 140 storage access activation per origin #28682
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
Hi @caugner! Do you have time to look at this one?
caugner
left a comment
Should we actually move this into a behavioral subfeature? (This sounds like a spec change!?)
api/Document.json
Outdated
| "firefox": { | ||
| "version_added": "65" | ||
| "version_added": "65", | ||
| "notes": "From version 140 onwards, activating the `storage-access` permission via `requestStorageAccess()` results in third-party cookies being sent only with requests to the calling embed's exact origin (see [bug 1965817](https://bugzil.la/1965817)). Before version 140, it resulted in third-party cookies being sent with requests to the calling embed's site." |
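Review bot: The `notes` string on the `firefox` entry carries the version boundary (140) only in prose, so anything that reads `version_added` still sees one behaviour since 65 and cannot tell which releases send cookies to the embed's whole site and which only to its exact origin. Because the change narrows where cookies are sent, consider recording it as its own entry with `version_added` "140" and keeping the bug link there, rather than as a note.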
I asked internally for confirmation that this is the right bug.
Yup - the corresponding spec change was privacycg/storage-access#213.
Thanks! Based on that, the subfeature could be called
To clarify, how would you represent this in the current setup? This isn't a separate feature; it's represented as notes hanging off the
I would add a subfeature
OK, I've done so.
api/Document.json
Outdated
| "notes": "Client-side storage access granted per-page ([see explanation](https://developer.mozilla.org/docs/Web/API/Storage_Access_API#how_it_works))" | ||
| "notes": [ | ||
| "Client-side storage access is granted per-page ([see explanation](https://developer.mozilla.org/docs/Web/API/Storage_Access_API#how_it_works)).", | ||
| "`storage-access` activation results in third-party cookies being sent with requests to the calling embed's site." |
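Review bot: The second entry in the `notes` array, "`storage-access` activation results in third-party cookies being sent with requests to the calling embed's site.", has no version bound, so it reads as the behaviour of every release covered by this entry. If it is meant to describe releases before the per-origin change, put the version in the text; otherwise drop it so the data does not state both scopes at once.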
Either this note describes the expected behavior before the spec change (then let's remove this note), or it describes a particular Chrome behavior before the spec change (then let's remove the note to the subfeature).
Rats, I meant to remove that note, but forgot. Removed now.
I also updated the URL on the remaining note line to point directly at the note that explains "granted per-page", as the existing URL wasn't very effective.
Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
Summary
While using the Storage Access API, when embedded content activates a previously-granted `storage-access` permission via the `requestStorageAccess()` method, 3rd party cookies are now only sent with requests to the calling embed's exact origin. Previously, 3rd party cookies were sent with requests to the calling embed's site.
This behavioral change has occurred in:
This PR adds notes in relevant places to document this change.
cc @cfredric / @hamishwillee — I'd appreciate your input on this one, folks.
Test results and supporting details
Related issues
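
The scoping change described in the summary, as an added example that is not part of the PR or of any browser's code: a simplified model that lists which of an embed's requests are same-site but not same-origin, and so stop carrying third-party cookies after the change. The hosts and the three-entry suffix set are constructed assumptions; real cookie attachment also depends on the full Public Suffix List and on cookie attributes.

```javascript
// Simplified model of the two scoping rules; not browser code.
// Constructed stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1) under the tiny suffix set above, or null.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Site: scheme + registrable domain; the port is ignored.
function sameSite(a, b) {
  const domain = registrableDomain(a.hostname);
  return domain !== null && a.protocol === b.protocol &&
    domain === registrableDomain(b.hostname);
}

// Would a request carry the embed's third-party cookies under each rule?
function cookieScope(embedUrl, requestUrl) {
  const embed = new URL(embedUrl);
  const request = new URL(requestUrl);
  return {
    perSite: sameSite(embed, request),         // before the change
    // Origin is scheme + host + port, which URL.origin serializes.
    perOrigin: embed.origin === request.origin, // after the change
  };
}

// Requests that stop carrying cookies: same site, different origin.
function affectedRequests(embedUrl, requestUrls) {
  return requestUrls.filter((url) => {
    const scope = cookieScope(embedUrl, url);
    return scope.perSite && !scope.perOrigin;
  });
}

// Constructed sample data (hypothetical hosts).
const EMBED = "https://widget.example.com/frame.html";
const REQUESTS = [
  "https://widget.example.com/api/me", "https://api.example.com/me",
  "https://widget.example.com:8443/api", "https://tracker.org/pixel",
];
console.log(affectedRequests(EMBED, REQUESTS));
```

A sibling subdomain and a different port on the same host are both same-site but cross-origin, so both appear in the result.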