localStorage partition - how to access localStorage with third party storage partition rollout #10

Open
lqw1111 opened this issue Oct 18, 2023 · 13 comments

@lqw1111

lqw1111 commented Oct 18, 2023

Hello,

Our website will break with the third-party storage partitioning rollout, and we are looking for a solution.
We have two websites, for example:
website A, called iframe.com
website B, called web.com

iframe.com is embedded in web.com as an iframe. web.com will postMessage() to iframe.com. Once iframe.com has received the message from web.com, it will call localStorage.setItem('message', messageObject); to save the content of the message to localStorage.
We found that with the third-party storage partitioning rollout, iframe.com cannot read the message content saved by web.com from localStorage anymore. That's because we save the message when we are on web.com; on web.com, we use postMessage so that iframe.com can save the message in localStorage.

In this case, how can I let iframe.com read the message on iframe.com itself, rather than on web.com?
Would implementing First-Party Sets help?
Please kindly suggest a solution, and if there is any example, that would be great.

Thank you in advance!
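The behaviour described in the post above can be reproduced with a toy model of how a browser keys localStorage buckets. This is an added example, not part of the original post and not Chrome's code: `ModelBrowser`, `siteOf` and `runScenario` are hypothetical names, and the model assumes the later read happens with iframe.com loaded as the top-level page.

```javascript
// Added illustration: a toy model of how a browser keys localStorage buckets.
// Constructed for this thread; it is not Chrome's implementation.

// Simplified "site": scheme plus host. Assumes each host is already a
// registrable domain (true for the thread's iframe.com and web.com).
function siteOf(origin) {
  const u = new URL(origin);
  return `${u.protocol}//${u.hostname}`;
}

class ModelBrowser {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.buckets = new Map(); // storage key -> Map of stored items
  }

  // Unpartitioned: the key is the frame's origin only.
  // Partitioned: the key also includes the top-level site.
  storageKey(frameOrigin, topLevelOrigin) {
    const origin = new URL(frameOrigin).origin;
    return this.partitioned ? `${origin}|${siteOf(topLevelOrigin)}` : origin;
  }

  localStorageFor(frameOrigin, topLevelOrigin) {
    const key = this.storageKey(frameOrigin, topLevelOrigin);
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
}

function runScenario(partitioned) {
  const browser = new ModelBrowser({ partitioned });
  // 1. iframe.com, embedded in web.com, stores the postMessage payload.
  const embedded = browser.localStorageFor("https://iframe.com", "https://web.com");
  embedded.set("message", "hello from web.com"); // constructed sample value
  // 2. Later reads: iframe.com as the top-level page, and embedded again.
  const topLevel = browser.localStorageFor("https://iframe.com", "https://iframe.com");
  const embeddedLater = browser.localStorageFor("https://iframe.com", "https://web.com");
  return {
    readAtTopLevel: topLevel.get("message") ?? null,
    readWhenEmbedded: embeddedLater.get("message") ?? null,
  };
}

console.log("unpartitioned:", runScenario(false));
console.log("partitioned:  ", runScenario(true));
```

With partitioning on, the value written by the embedded frame stays readable only from the same embedding; the top-level iframe.com page sees an empty bucket.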

@wanderview
Owner

There is a proposal to support localStorage via requestStorageAccess(). See:

https://arichiv.github.io/saa-non-cookie-storage/

In the meantime you can use the deprecation trial to get unpartitioned storage access back.

https://developer.chrome.com/blog/storage-partitioning-deprecation-trial/

@lqw1111
Author

lqw1111 commented Oct 19, 2023

Hi @wanderview, thanks for sharing, but I found that the method proposed in https://arichiv.github.io/saa-non-cookie-storage/ doesn't work (document.requestStorageAccess({all: true});).
requestStorageAccess doesn't accept any parameters. Is there a Chrome version requirement or some other requirement I missed to use this API?
And by the way, do we need to implement something like First-Party Sets, etc., so that requestStorageAccess can allow us to access another domain's localStorage?

Any suggestion is welcome. Thank you!

@wanderview
Owner

It's not implemented/shipped yet.

@lqw1111
Author

lqw1111 commented Oct 20, 2023

Gotcha, thanks @wanderview

Is there anything we can do today to resolve the impact of third-party storage partitioning (i.e. let iframe.com access the localStorage set by web.com)?

And when will https://arichiv.github.io/saa-non-cookie-storage/ (document.requestStorageAccess({all: true});) ship?

Thank you!

@wanderview
Owner

Did you see this part of my reply?

In the meantime you can use the deprecation trial to get unpartitioned storage access back.

https://developer.chrome.com/blog/storage-partitioning-deprecation-trial/

@lqw1111
Author

lqw1111 commented Oct 25, 2023

I see. Thank you @wanderview
I have another question about Related Website Sets and third-party cookies.
If web.com and iframe.com were added to the same Related Website Set, does it mean web.com and iframe.com can share their localStorage and cookies, and that they can access each other's cookies/storage without calling the requestStorageAccess API?

Based on the documentation, I think the answer is YES.
But actually, I am running Chrome for testing in this way:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --enable-features=FirstPartySets,StorageAccessAPI,StorageAccessAPIForOriginExtension,PageInfoCookiesSubpage,PrivacySandboxFirstPartySetsUI --test-third-party-cookie-phaseout --use-first-party-set="{\"primary\": \"https://web.com\", \"associatedSites\": [\"https://iframe.com\"]}" https://iframe.com

It means web.com and iframe.com are already in the same group, but I still cannot access the cookies directly. I still need to use the requestStorageAccess API to grant the permission first; then I can access the cookies.
Can you help me understand the reason? Or is that the expected behavior (whether in the same Related Website Set or not): we are expected to use the requestStorageAccess API to access the cookies?

Please kindly advise. Thank you so much for any help. Much appreciated!

@wanderview
Owner

Correct, RWS still requires requestStorageAccess(). I believe in Chrome the RWS means a prompt will not be shown.

@lqw1111
Author

lqw1111 commented Oct 25, 2023

Good morning @wanderview!

What do you mean by "a prompt will not be shown"?
In my case, I put web.com and iframe.com in the same group/set.
I disabled third-party cookies in Chrome. When I try to access the iframe.com's cookie from web.com by using requestStorageAccess

If I disabled the third party cookies (screenshot)

When I check the permission in this way:

navigator.permissions.query({name: 'storage-access'}).then(res => {
  console.log(res.state);
  if (res.state === 'granted') {
    // Permission has already been granted
    // You can request storage access without any user gesture
    rSA();
  } else if (res.state === 'prompt') {
    // Requesting storage access requires user gesture
    // For example, clicking a button
    const btn = document.createElement("button");
    btn.textContent = "Grant access";
    btn.addEventListener('click', () => {
      // Request storage access
      rSA();
    });
    document.body.appendChild(btn);
  }
});

The res.state is always the prompt.

Can you help me understand what happened?
My expectation is that we can access iframe.com's cookies from web.com without using a user gesture. It's fine to call the requestStorageAccess API to access the cookies, but I expected that I could always get state == grant if I have implemented RWS.

Could you kindly advise? Thank you in advance!

@wanderview
Owner

Sorry, I'm not prepared to debug RWS scenarios. I suggest asking on:

https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/discussions

@lqw1111
Author

lqw1111 commented Oct 25, 2023

Sure, I will ask there. Thank you so much for all the help! 🥂

@lqw1111
Author

lqw1111 commented Oct 25, 2023

Hi @wanderview,

One more question: I'd like to ask, is it possible to register for the deprecation trial to get unpartitioned storage access back as a short-term solution?
https://developer.chrome.com/blog/storage-partitioning-deprecation-trial/

And once you have shipped the new API
https://arichiv.github.io/saa-non-cookie-storage/

we can switch to using the new API as a long-term solution.

Is this your recommended solution for us?
And may I know the estimated ship time of the new requestStorageAccess API? And will there be any time gap between the end of the deprecation trial and the rollout of the new requestStorageAccess API?

Thank you!

@wanderview
Owner

You can simply stop sending the token in your website when you no longer want your deprecation trial behavior.

@bulk88

bulk88 commented Nov 11, 2023

So can someone explain how this DOES NOT BREAK 2 decades of 3rd party Single Sign On providers and most of the WWW?
