Comments (4)
Hi @LGraber, thanks for opening this issue. If I understand correctly, you don't actually require cookies for authentication with your service, because of the shared identity provider concept; you simply require cookies to "work" in order to save your session state and run the application, correct?
I might not fully understand this sentence:
The only information we need shared across sites is IDP related and seems to be getting addressed
Does that mean that your integration flow does not yet work in Firefox Strict Mode (which does partitioning) or that it does? :)
Partitioned Storage actually has not shown any problems for us (in my testing). Like I said, I picked a topic but maybe should have picked StorageAccess API since that does not work (and is the option being pushed by Safari).
Our cookie (session and csrf) is used for maintaining an Authenticated Session. If we lose the cookie, we have to ask to re-authenticate. In our cases, this can involve going back to an IDP (which might just work if their cookies are still valid/working). Storage Partitioning right now was the one case that appears to be 'just working' (as outlined in my writeup) but I am continuing to try and test 'corner' cases.
Would you recommend I put this in a different repo?
It's great to hear that Partitioning is working out well for you! If you encounter any bugs/strange behavior/bad developer experience on the Firefox side, we'd love to hear about it on Bugzilla.
If you have issues with the Storage Access API specifically, yes, please file them in https://github.com/privacycg/storage-access/. However, note that not all of Safari's restrictions and behavior are necessarily captured in the Storage Access API specification.
For example, Firefox and Edge do not require prior 1st party user interaction to be able to call requestStorageAccess, and (I think both) will allow for requesting storage access without a prompt on the first 5 origins. So that might work better for you. Some of these differences are intentionally left open in the spec, to allow browsers to differentiate on privacy features, but generally we'd like to avoid having a bad developer experience because of it. Again, if you have any specific use cases where the Storage Access API is making things really difficult for you, feel free to open an issue there :)
(cc @johnwilander)
Thanks!
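The feature-detect, request, and fall-back-to-re-authentication flow discussed in this thread, as an added example that is not part of the original comments or of any project's code. `ensureCookieAccess`, `resumeSession`, the outcome strings, the `loadApp`/`reauthenticate` callbacks and the `fakeDocument` stub are names invented for this sketch; only `hasStorageAccess` and `requestStorageAccess` are the Storage Access API's own.

```javascript
// Added example. Runs inside the embedded (third-party) frame.
// `doc` is that frame's `document`, passed in so the logic can be tested
// outside a browser. Function names and outcome strings are this example's.
async function ensureCookieAccess(doc) {
  // Older browsers: no Storage Access API, so there is nothing to request.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }
  if (await doc.hasStorageAccess()) {
    return 'already-granted';
  }
  try {
    // Resolves on grant; rejects on denial or unmet browser preconditions.
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    return 'denied';
  }
}

// Call from a user-gesture handler (for example a click), because browsers
// may reject a request made without one. `loadApp` and `reauthenticate`
// are hypothetical callbacks supplied by the embedding application.
async function resumeSession(doc, { loadApp, reauthenticate }) {
  const outcome = await ensureCookieAccess(doc);
  // Without cookie access the session and CSRF cookies are not sent, so
  // the only way forward is a fresh authentication (possibly via the IdP).
  const result = outcome === 'denied' ? reauthenticate() : loadApp();
  return { outcome, result };
}

// Constructed stand-in for `document`, for exercising the flow offline.
function fakeDocument({ hasAccess, grants }) {
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!grants) throw new Error('storage access denied');
    },
  };
}
```

An `unsupported` outcome only means the API is absent; whether the session cookie is actually sent is still decided by the browser's cookie policy, so the server's response remains the final check.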
Thanks! I will copy this over to there. I have tested the StorageAccess API on different browsers and have documented our behavior and the differences in an internal table. Some implementations appear to be able to work with our scenario, but others are practically a dead end, and it is difficult to tell what to expect because, in the end, we want to work in all the browsers our customers use. Thanks for the response, and I will continue to test out Partitioning.