Comments (9)
We cannot exclude localhost from these rules. It's used for non-development purposes as well.
from storage-partitioning.
I was just being precise that neither reading nor writing is blocked. You are simply seeing different storage as a result of partitioning. If you were to get an exception then you would be blocked (and perhaps have a tracking domain).
Cool, never hurts to ask ;)
What about the rest of the question? Is that the intention to block localStorage read access from an iframe on a third party domain when it was set by the third party domain previously?
Access ought to be partitioned, as per the README. If it's actually blocked (i.e., writing fails) that might be because your domain is classified as some kind of tracking domain in certain user agents.
Writing to localStorage isn't blocked - I can see that the token is written to localStorage on auth.example.com if I go to any page there. It's reading localStorage from auth.example.com when it's in an iframe on app.example.com. I believe this is the specific scenario outlined in point 1 of the readme here, namely "Beyond visiting, it can also allow A to infer specific state from B that depends on the user". In this case, I need A to read from B specific state about the user, namely that they have an authentication token. If that is the intention here, then I'll need to implement a different solution to get the user's token and store it on app.example.com as well.
Where can I check to see if my actual domain is listed as a tracking domain?
Are you saying that localStorage isn't accessible between top-level auth.example.com and auth.example.com embedded on app.example.com? That behavior (origin- vs. site-scoped storage) is specific to Safari right now, see https://bugs.webkit.org/show_bug.cgi?id=247565
@johannhof - that is what is happening and it's happening on Chrome 115. We only started seeing it recently and randomly as only a subset of users are being opted in to chrome://flags/#third-party-storage-partitioning = enabled, and developers started reporting that they weren't able to login/authenticate anymore when developing locally.
@annevk - I'm not seeing any exceptions, only undefined for the value from localStorage.getItem('token')
Oddly enough, we have one other application that is on a different domain (app2.example.com) that also authenticates against auth.example.com and we saw this behavior with Safari last year, so I already have a solution in place that should work for this specific scenario as well.
Also of note, our existing solution does not work if third party cookies are disabled.
@csnate to be clear, are auth.example.com and app.example.com actually cross-site in reality (i.e. different domains, like auth.com and app.com)? Then yes that's the intended effect of Storage Partitioning. Can you apply the solution you used for your other domain here as well?
In our specific scenario, yes - they are app.example.com and localhost. In the other scenario, they are different subdomains - app.example.com and foo.example.com.
And thanks for the confirmation/information. I thought this was working as intended, but wanted to make sure before I went ahead with a little more complicated solution.
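The distinction the last few comments turn on (same-site subdomains vs. a genuinely cross-site pair such as localhost and app.example.com, and Chromium's site-scoped keying vs. the origin-scoped WebKit behaviour johannhof links) can be replayed offline. The following is an added example, not code from the storage-partitioning repository or from anyone in this thread: it models the storage key a browser uses for localStorage under third-party storage partitioning and shows which of the scenarios above end up reading an empty bucket. The tiny public-suffix table, the `^` key joiner and the URLs are constructed for illustration and do not reproduce any browser's real key encoding.

```javascript
// Added example, not code from the storage-partitioning repo or from anyone in
// this thread. It models how a browser keys localStorage under third-party
// storage partitioning, so the "getItem returns nothing inside an iframe"
// symptom can be reproduced offline and compared across the cases discussed.

// Constructed stand-in for the Public Suffix List. Real browsers consult the
// full PSL (with wildcard and exception rules); only these suffixes count here.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Origin = scheme + host (+ non-default port), e.g. "http://localhost:3000".
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Site = scheme + registrable domain (eTLD+1). localhost and IP literals have
// no registrable domain, so they are their own site (the port is not part of it).
function siteOf(url) {
  const u = new URL(url);
  const host = u.hostname;
  if (host === "localhost" || host.startsWith("[") || /^\d+(\.\d+){3}$/.test(host)) {
    return `${u.protocol}//${host}`;
  }
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return `${u.protocol}//${labels.slice(i - 1).join(".")}`;
    }
  }
  return `${u.protocol}//${host}`;
}

// Storage key for a document at `frameUrl` whose top-level page is `topUrl`.
//   partitioned: false reproduces the legacy, unpartitioned behaviour.
//   scope: "site"   -> Chromium-style: only cross-site frames get their own bucket
//          "origin" -> WebKit-style as linked above: any cross-origin embedding,
//                      even a same-site subdomain, gets its own bucket
// The "^" joiner is illustrative; it is not any browser's real key encoding.
function storageKey(frameUrl, topUrl, { partitioned = true, scope = "site" } = {}) {
  const frame = originOf(frameUrl);
  const byOrigin = scope === "origin";
  const self = byOrigin ? frame : siteOf(frameUrl);
  const top = byOrigin ? originOf(topUrl) : siteOf(topUrl);
  if (!partitioned || self === top) return frame; // first-party: plain origin key
  return `${frame}^${top}`;                        // third-party: keyed by top-level too
}

// In-memory stand-in for localStorage with one bucket per storage key.
// getItem returns null for a missing name, as the real API does.
class PartitionedLocalStorage {
  constructor(options = {}) {
    this.options = options;
    this.buckets = new Map();
  }
  bucketFor(frameUrl, topUrl) {
    const key = storageKey(frameUrl, topUrl, this.options);
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
  setItem(frameUrl, topUrl, name, value) {
    this.bucketFor(frameUrl, topUrl).set(name, String(value));
  }
  getItem(frameUrl, topUrl, name) {
    const bucket = this.bucketFor(frameUrl, topUrl);
    return bucket.has(name) ? bucket.get(name) : null;
  }
}

// Replays the flow from the thread: the user signs in on the auth site at top
// level (token written), then an auth iframe embedded in the app reads it back.
function tokenSeenByEmbeddedAuth(authUrl, appUrl, options) {
  const ls = new PartitionedLocalStorage(options);
  ls.setItem(authUrl, authUrl, "token", "t0k3n"); // top-level auth page writes
  return ls.getItem(authUrl, appUrl, "token");    // auth frame inside app reads
}

// The cases discussed above, side by side (constructed URLs).
function summary() {
  const app = "https://app.example.com";
  return {
    subdomainSiteScoped: tokenSeenByEmbeddedAuth("https://auth.example.com", app),
    subdomainOriginScoped: tokenSeenByEmbeddedAuth("https://auth.example.com", app, { scope: "origin" }),
    localhostPartitioned: tokenSeenByEmbeddedAuth("http://localhost:3000", app),
    localhostUnpartitioned: tokenSeenByEmbeddedAuth("http://localhost:3000", app, { partitioned: false }),
  };
}

console.log(summary());
```

In the site-scoped model auth.example.com and app.example.com share a bucket, which is why the question of whether the two are really cross-site matters; the same pair is split under the origin-scoped model, matching the Safari behaviour seen last year. localhost is cross-site to any registrable domain, so with partitioning on the embedded frame starts from an empty bucket and the read comes back null, with no exception, exactly as described above. Note that the site ignores the port, so localhost:3000 and localhost:3001 frames under the same top-level site are separate origins but the same site in this model.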