What is the state of third party storage today in the various browsers? about storage-partitioning HOT 9 OPEN

Safari partitions storage, but blocks cookies, as I understand it. When you say storage do you mean both of those? For Firefox we are experimenting with partitioning both for the majority of third party sites (see https://groups.google.com/d/msg/mozilla.dev.platform/f2_hLdfsbq4/lNjFpEZPAgAJ). The hope is that this is more compatible than blocking. (I agree that blocking is attractive though, see also #7/#9.)

from storage-partitioning.

Sorry, thought I had replied earlier but I wound up losing the tab before submitting. Thanks for your response. I was referring more to the non-cookie storage mechanisms.

Safari has since posted what they do with their storage which is super handy. It looks like localStorage is both partitioned and ephemeral, while the rest is just partitioned.

My general thought is that partitioning is safest, and likely the way to go. I just wanted to verify that other browsers were also headed in that direction before doing so, as it's a lot of work. I'm still tempted to provide a subset (or even possibly a new) storage API specific to 3p contexts if other browsers were interested in that.

from storage-partitioning.

The model Firefox envisions is partitioned storage for third parties that can transition to non-partitioned storage when a third party is granted the storage-access permission. For both cookies and storage.

The way I see that transition working model-wise is through replacement: whatwg/storage#88. Which I'd like to to behave similarly to Clear-Site-Data (that would be replacing with an empty storage shelf).

from storage-partitioning.

I chatted briefly with @erik-anderson about Edge's current state. They're currently denying storage to tracker sites and enabling it on storage access grant. Not sure what their long term strategy is though.

from storage-partitioning.

Ah yeah, other browsers have something akin to that too for trackers, but it's not clear that approach scales well to all third parties. Hence the model I mentioned above.

from storage-partitioning.

@jkarlin A quick clarification, would blocking the third party storage or cookies on Incognito Mode have an impact on the user experience? I think this would be good for the user privacy.

from storage-partitioning.

As an update, it seems there is relatively wide buy-in now across implementers for attempting to give third parties (partitioned) storage capabilities by default.

Cookies are tricky: #15.

And whether and how to transition from partitioned to non-partitioned is still to be discussed, but some experiments are ongoing. (See also earlier links to the Storage Standard repository issues.)

from storage-partitioning.

If its of use, Brave currently blocks all 3p storage (network cookies, but also all other storage in frames).

We are moving though (w/in months) to giving all 3p frames dual key'ed storage, life-timed under the 1p frame. We're also considering storage access API to give frames unpartitioned storage, but this is still being experimented with.

brave/brave-browser#8514

from storage-partitioning.

We had a TPAC breakout session on the topic, minutes are at https://docs.google.com/document/d/13oqM9AUnItnDw02zsvpT3DdYYOpIpl0_eTcnbS8rjUY/edit# (which links to some slides).

from storage-partitioning.