Re: [w3ctag/design-reviews] requestStorageAccessForOrigin (Issue #808)

Hi all! We have done an initial review, and have a few questions to begin the conversation:

1. What use cases are you explicitly designing for? Can you elaborate on "legacy use cases"? Why is just using iframes and the Storage Access API insufficient? 
2. What abuse scenarios have you considered, and what are the mitigations for them? The S&P questionnaire says, "While this functionality comes with a risk of abuse by third parties for tracking purposes, it is an explicit goal of the API and a key to its design to not undermine the gains of cross-site cookie deprecation." -- how does that work?
3. We see "Permission grants for storage access are double-keyed" in the [S&P questionnaire](https://github.com/privacycg/requestStorageAccessForOrigin/blob/main/tag-security-questionnaire.md), but this isn't in the spec - is there something to add here?
4. Why do images need access to storage? (The explainer alludes to uses for cookies, images and scripts).

We'd be grateful for your thoughts. Thanks!


Message ID: <w3ctag/design-reviews/issues/808/1431636019@github.com>

Received on Wednesday, 15 February 2023 16:24:10 UTC