Design Review #906

#906: Extending Storage Access API (SAA) to non-cookie storage

Opened Oct 2, 2023

こんにちは TAG-さん!

I'm requesting a TAG review of Extending Storage Access API (SAA) to non-cookie storage.

We propose an extension of the Storage Access API (backwards compatible) to allow access to unpartitioned (cookie and non-cookie) storage in a third-party context, and imagine the API mechanics to be roughly like this (JS running in an embedded iframe):

// Request a new storage handle via rSA (this should prompt the user) let handle = await document.requestStorageAccess({all: true}); // Write some cross-site localstorage handle.localStorage.setItem("userid", "1234"); // Open or create an indexedDB that is shared with the 1P context let messageDB = handle.defaultBucket.indexedDB.open("messages");

The same flow would be used by iframes to get a storage handle when their top-level ancestor successfully called rSAFor, just that in this case the storage-access permission was already granted and thus the rSA call would not require a user gesture or show a prompt, allowing for “hidden” iframes accessing storage.

Explainer¹ (minimally containing user needs and example code): https://privacycg.github.io/saa-non-cookie-storage/
Security and Privacy self-review²: See below
Primary contacts (and their relationship to the specification):
- @arichiv Google Chrome
- @johannhof Google Chrome
Organization(s)/project(s) driving the specification: Google Chrome
Key pieces of existing multi-stakeholder review or discussion of this specification:
- WebKit Position: https://github.com/WebKit/standards-positions/issues/262
- Mozilla Position: https://github.com/mozilla/standards-positions/issues/898
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://crbug.com/1484966

Further details:

I have reviewed the TAG's Web Platform Design Principles
The group where the work on this specification is currently being done: https://github.com/privacycg/
This work is being funded by: Google Chrome

You should also know that...

There has been increasing developer and implementer interest in first-party DOM Storage and Quota Managed Storage being available in third-party contexts the same way that Cookies already can be. In the absence of such a solution, we would in effect be pushing developers to migrate to Cookies from other storage mechanisms. There are significant tradeoffs between Cookie and non-Cookie storage (size, flexibility, server exposure, network request size, etc.) that could cause a detriment in user experience from a privacy, security and performance perspective. To prevent sub-optimal use of cookies and to preserve context, we propose a solution for developers to regain 3p access to unpartitioned storage in select instances to avoid user-facing breakage in browsers shipping storage partitioning.

We'd prefer the TAG provide feedback as (please delete all but the desired option): 💬 leave review feedback as a comment in this issue and @-notify @arichiv

What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
- This feature may expose first-party storage in third-party contexts for purposes of supporting existing login, payment, and other flows.
Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
- Yes, we expose only requested storage mechanisms and none by default.
How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
- This feature does not differentiate between the type of information in web storage.
How do the features in your specification deal with sensitive information?
- This feature does not differentiate between the type of information in web storage.
Do the features in your specification introduce new state for an origin that persists across browsing sessions?
- This feature re-uses an existing permission prompt for the requestStorageAccess function that is cached per-top/third-party origin.
Do the features in your specification expose information about the underlying platform to origins?
- No.
Does this specification allow an origin to send data to the underlying platform?
- No.
Do features in this specification enable access to device sensors?
- No.
Do features in this specification enable new script execution/loading mechanisms?
- No.
Do features in this specification allow an origin to access other devices?
- No.
Do features in this specification allow an origin some measure of control over a user agent’s native UI?
- No.
What temporary identifiers do the features in this specification create or expose to the web?
- It will be possible to detect if permission was granted to access the first-party storage by trying to load the storage.
How does this specification distinguish between behavior in first-party and third-party contexts?
- This feature can only be used in third-party contexts.
How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
- This feature only provides access to first-party storage within the same browsing context (does not break out of private/incognito mode).
Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
- Yes
Do features in your specification enable origins to downgrade default security protections?
- This feature does enable a third-party context to 'break out' and access first-party context storage.
How does your feature handle non-"fully active" documents?
- This feature cannot be used until the document is active.
What should this questionnaire have asked?
- N/A

Discussions

2023-11-13

Minutes

Dan: Not sure I understand Motivation since it's saying devs will use [3rd party?] cookies but in the intro it says 3rd party cookies are being deprecated.

Yves: they imply that there is a mechanism to request accesss to stored cookies... To me if you have a shared storage like that then it's quite dangerous.

Dan: reviews what we said about storage access api Let's take it as read that Storage Access doesn't open the door to reinventing 3p cookies.

Yves: it's already there in the previous proposal... Anne / webkit has an issue with this one though https://github.com/WebKit/standards-positions/issues/262#issuecomment-1743104792

Dan: we could ask how they are going to respond to Anne's comment.

Yves: they mean using cookies as a storage mechanism that they can access through the storage api - and those can be 3rd parties... they just want to extend that to plain storage and not using cookies as a storage access mechanism...

Dan: in which case - i'm not sure I understand Anne's issue... what are the additional privacy & security concerns that they feel are unresolved?

Max: what they are trying to say is that this proposal don't introduce more security issues than using cookies...

Dan: it's clear the proposers think that. But webkit people seem to disagree.

Sangwhan: ...trying to untangle... I don't think it's a security & privacy concern..

Yves: i think it's an API issue...

Sangwhan: doesn't seem like a disagreement on the developer / user need. More the shape of the API...

Dan: feedback we could offer?

Sangwhan: only part where we could weigh in is .. is where the storagebucket API is considered a wrapper... to enable to enable (gate) storageaccess in different ways. that's an API philosophy issue and maybe an architectural issue. That's where the lack of consensus sits. I'd have to think about it... Really the question is - you have to look at 2 places to access the storage in different ways - maybe that's not a good thing.

...We could respond: we would have to think about the implications of the pattern - there's a pattern to be defined here regarding gating storage access... we could weigh in. if we suggest going down the sotagebucket route that would have worse ergonimics... supposed to be used to have more deterministic behavour under pressure... but it does have the right kind of abstratcions - but as of today i don't think its the right tool ... I can see both sides.

<blockquote> Hi @archiv - thanks for this - we appreciate the cross-implementer consensus that seems to be developing around the user needs of this feature. We understand the user need and appreciate the effort to not add any additional security or privacy issues. We've been discussing the "API shape" issue in today's breakout. We're going to discuss further in our plenary call and we hope to leave further feedback. </blockquote>

2023-11-20

Minutes

Dan: can we provide some guidance to the spec authors here?

bumped 2 weeks

2023-12-18

Minutes

Amy: was this waiting on Sangwhan to comment on API shape?

Amy: concerned about the wording in Privacy & Security section - "we believe non-cookie storage and communication APIs don’t enable any capability that could not be built with cookie access." Comparing against status quo instead of comparing against web without 3p cookies...

bump to plenary

2024-01-08

Minutes

Sangwhan: ... distilling a pattern ... the API shape seems to be fine... looking back... this is more of a design pattern ... we don't havea a princple... if this ships as is then this becomes a pattern....

Dan: what's the pattern?

Sangwhan: based on the webkit comment ... https://github.com/privacycg/storage-access/issues/102 "Don't re-invent access control and follow a similar pattern if you want to introduce access control..." We could let this go an distill the pattern out ... into a principle later down the road...

Dan: propose closing this "satisfied" with the following comment:

@archiv thanks again for sending this our way. We're happy with the way this is proceeding. We're happy with the use cases and API shape. And we're pleased to see the multi-implementer consensus taking shape.

</blockquote>

Sangwhan: +1

no dissenters

closed as satisfied