Comments (5)
I think for WebKit, we'd be more comfortable with just blocking all third-party cookies. Partitioned storage is dangerous in combination with Storage Access API, unless it's made ephemeral. But ephemeral storage doesn't have that much advantage over local variables in JavaScript.
from storage-access.
I forgot to say that __k2 cookies would always be partitioned,
Partitioned cookies can always be simulated via postMessage, sending a first-party cookie value or other origin-specific data point to embedded contexts.
If partitioned cookies are dangerous then so is postMessage and third-party script running in top level context.
The problem with it is it's slow, error-prone, and opaque.
k2 cookies avoid that because they can be immediately detected, they need a user prompt, etc.
They also avoid the postMessage and extra turnaround but are more transparent and privacy preserving.
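The postMessage simulation described in the comment above, written out as an added example that is not part of the thread: a top-level page relays a per-site token to a cross-site iframe, and the iframe keeps it in a frame-lifetime map keyed by the verified embedder origin. The origins, the token and the stand-in frame object are constructed here so the code runs in Node without a browser.

```javascript
// Added example (not from the storage-access thread). Origins, token and the fake
// frame window are constructed stand-ins; in a browser the second half runs inside
// the iframe's "message" listener and the browser fills in event.origin itself.
const TOP_ORIGIN = "https://site-a.example";    // constructed top-level (embedder) origin
const EMBED_ORIGIN = "https://widget.example";  // constructed embedded (third-party) origin

// --- top-level side: send a site-scoped token down to the frame ---------------
function buildPartitionMessage(siteToken) {
  // Send a token derived from first-party state, not the raw first-party cookie.
  return { type: "partition-token", token: siteToken };
}

function sendToFrame(frameWindow, siteToken) {
  // Pin targetOrigin to the frame's expected origin instead of "*", so a frame that
  // has navigated elsewhere never receives the value.
  frameWindow.postMessage(buildPartitionMessage(siteToken), EMBED_ORIGIN);
}

// --- embedded side: the "partition" is a map keyed by the embedder's origin ----
// It lives only as long as this frame, which is the ephemeral behaviour the thread
// contrasts with persistent partitioned cookies.
const partitionedStore = new Map();
const TRUSTED_EMBEDDERS = new Set([TOP_ORIGIN]); // embedders allowed to supply a token

function handlePartitionMessage(event) {
  // Check event.origin before touching event.data; skipping this is the usual
  // postMessage mistake that makes the simulation "error-prone".
  if (!TRUSTED_EMBEDDERS.has(event.origin)) return { accepted: false, reason: "untrusted origin" };
  const msg = event.data;
  if (!msg || msg.type !== "partition-token" || typeof msg.token !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  // Key by the browser-verified event.origin, never by anything self-reported in msg.
  partitionedStore.set(event.origin, msg.token);
  return { accepted: true, partition: event.origin };
}

function readPartitioned(embedderOrigin) {
  return partitionedStore.get(embedderOrigin) ?? null;
}

// --- stand-in for the browser delivering the message to the frame -------------
function makeFakeFrame(frameOrigin, senderOrigin, onMessage) {
  return {
    postMessage(data, targetOrigin) {
      // A real browser drops the message when targetOrigin does not match the frame.
      if (targetOrigin !== "*" && targetOrigin !== frameOrigin) return;
      onMessage({ origin: senderOrigin, data });
    },
  };
}
```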
Partitioned cookies persist past the point of any frame to the site being opened and perhaps past browser quit (if not ephemeral).
Third-party script running in top level context is indeed dangerous.
Forward-duping to #75.