-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
requestStorageAccessFor #808
Comments
Hi all! We have done an initial review, and have a few questions to begin the conversation:
We'd be grateful for your thoughts. Thanks! |
Hi Hadley, thank you for taking a look and thanks for inviting me on your recent call to explain some of this in detail. I added summarized answers below (credit to @mreichhoff who wrote much of this up).
Some example use cases are:
In general,
As we discussed, like However, with user prompts comes another large abuse vector. Sites may try to trick or annoy users into granting permission, and even just seeing too many well-intentioned prompts may cause harm on the user and the overall ecosystem. There are a few prompt abuse scenarios and mitigations that we have been able to incorporate in the spec:
This is a baseline defense, but for SAA, browsers have chosen to add additional implementation-defined steps to reduce user annoyance (heuristic auto-grants in Firefox, 1P user interaction requirement in Safari, FPS auto-grants in Chrome). We’re confident that similar measures can be employed in the case of The Chrome team is working with other browsers on APIs that would expose more relevant user prompts on the web for a variety of use cases in the long term, such as FedCM. While we don’t think that those are quite ready yet, the flexibility of the Storage Access API (including this proposal) makes me hopeful that we can achieve a graceful developer transition path away from potentially confusing user experiences in the long run. Finally it’s worth mentioning security as an aspect of abuse. As I had mentioned, we did an extensive analysis of the security posture of the Storage Access API (including this proposal) and came out with a few recommendations that are being followed here. Specifically, security requirements include explicit invocation of
That is a great question, it wasn’t clear enough in the spec! A note was added in a recent commit to address this concern. The idea is that the permission descriptor used by the API has a field called
Like for |
Hi @annevk @bvandersloot-mozilla as co-editors with @johannhof of StorageAccess API could either/both of you let us know your perspective on this proposal? We understand that requestStorageAccessForOrigin was a departure from StorageAccessAPI. Is this direction likely to gain your support? |
I outlined my (and WebKit's) concerns with this feature in WebKit/standards-positions#125 and privacycg/storage-access#107. If you have two websites A and B. A can ask the user if its requests to B can include the user's cookies for B. All without B's involvement. That's not good for security. It's potentially also bad for B's reputation. |
Thanks Anne,
I'm not sure if you are up to date with the changes we made on the proposal to both require CORS on subresource requests as well as require rSA calls for iframes to opt into this. I don't think there's a significant risk to B's security here. |
@johannhof CORS doesn't make it secure. (Unless you have made changes to CORS such that you require a preflight before sending a request with credentials, but I didn't see anything of the sort.) |
Not sure if it's worth having the full discussion here but CORS protects against cross-site leaks. CSRF could also be done through top-level navigation? Anything else you're concerned about? Would be nice to capture it in the repo. |
I have concerns about the SSO use cases. The goals listed are explicit features of FedCM. I understand that this feature could ship faster than FedCM but adding something new that will need to be maintained and exposes additional complexity, security, and privacy risk just for interim support is generally not a good path forward. Furthermore, while I understand that some of the cross-site behaviors can be useful to some users, they can get in the way of others. For example, if a user wants to maintain different experiences on different TLDs, for example the same site in different countries, how would they do that? |
Hi Peter, thanks for your questions.
Can you be more specific as to which goals are explicit features of FedCM? I'm not sure I really understand. I think comparing this to FedCM isn't quite apples-to-apples and really depends on the context and use cases we're talking about. It should be noted that FedCM in its current form (which already shipped) doesn't really aim to solve SSO, but federated/social login (though, naturally, we think that the FedCM user experience is a promising model for future attempts at generalizing on more identity flows such as SSO).
This is why this proposal exists, in a way. Post cross-site cookies, browser vendors make very different choices about how they may derive permission for sites to share a common user identity. Some browser vendors always prompt users in these situations, e.g. Safari. Firefox and Edge would prompt sometimes but usually auto-grant via their 5-domain heuristic. At Chrome we're still working on our prompt design but we hope to absorb a lot of these prompts into known cross-site user flows that are registered via FPS. This API is compatible with all these choices and other future UX explorations. So, this question ultimately depends on which browser you're using. In Chrome, the user might disable FPS in their cookie settings, for example. It should be noted that sites may be adding this integration for good reasons and it's not clear whether most users generally have enough technical understanding to know why they would choose to isolate two different top-level sites. |
Hi @torgo, apologies, we haven't yet made progress on those but they have definitely not dropped off our radar. We still intend to address (or at the very least better position ourselves on) the reputation/security concerns brought up with prompting rSAFor. |
Thanks @johannhof, we'll keep this open for now. For our TAG processes, we are keen to not let issues stand open and inactive for too long, so we'd be grateful if you could give us a quick update within 3-4 weeks at the most. |
Thanks for the heads up @hadleybeeman, just to avoid misunderstandings 3 - 4 weeks doesn't really match our current planning and capabilities to follow up here, as we want to make sure we can come up with a constructive proposal that goes beyond the FPS-based opt-in that Chrome offers right now (which doesn't exhibit these concerns but doesn't have cross-browser support). I understand that it's hard for you to review this with our response to these issues outstanding, so we're happy to adjust to your preferred way of handling blocked requests (e.g. ask for review again in a few months). |
Hi @johannhof given that, we're going to set the milestone of early September to check back on this. In the mean time please ping if there's been any update we need to be aware of. |
Hey @johannhof, it's been a little while. What is the status of this request? (I know that I should be tracking this more closely as Privacy CG chair, but the churn got a bit ahead of me.) We're considering closing this. Let us know if we shouldn't. |
Hi @johannhof. As per your previous posts, it sounds like you're not in a position to progress this right now. We're going to close the issue, so it doesn't keep coming up in our reviews. Feel free to come back to it or open a new issue when you're ready. |
Ah, apologies for missing this. That seems fair. We're still working through some of the mentioned challenges for a potential prompting version of this, there's a lot of complexity to disentangle. We'll come to this group with the results of our work, which may not be on this thread but via other API proposals such as storage access headers. |
Hello TAG!
I'm requesting a TAG review of requestStorageAccessFor.
Enabled-by-default cross-site cookie access is in the process of being deprecated (or is already deprecated) by several major browsers. Multiple substitutes have been proposed, like the Storage Access API, the SameParty cookie attribute previously in the First-Party Sets proposal, and partitioned cookies in the CHIPS proposal.
However, the Storage Access API is primarily intended for authenticated embeds, a use case which entails
<iframe>
use,SameParty
has been abandoned, and partitioned cookies (while preferred for most cases) aren't always applicable. This raises questions like:The requestStorageAccessFor API is intended to solve these concerns, with a requirement of additional trust signals and security controls to ensure safety.
Further details:
There are concerns about explicit embeddee opt-in without dependence on First-Party Sets, which should be addressed by:
requestStorageAccess
to gain access to cookiesPrompt spam has also been discussed, with implementation-defined steps to prevent abuse, much like is done with the larger Storage Access API. Note that at least Safari remains concerned with the proposed mitigation, though we hope to continue to discuss it in PrivacyCG.
You should also know that the proposed functionality was implemented internally in both Safari and Firefox, but not web exposed. Instead, it was automatically applied on a case-by-case basis. This proposal intends to enable site authors to use such functionality while still maintaining sufficient guardrails to prevent abuse.
Much of the feedback on the Storage Access API review is likely to apply here, as well.
We'd prefer the TAG provide feedback as:
🐛 open issues in our GitHub repo for each point of feedback
The text was updated successfully, but these errors were encountered: