- From: Johann Hofmann <notifications@github.com>
- Date: Wed, 18 Jan 2023 11:39:54 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/807@github.com>
Good day, TAG!
I'm requesting a TAG review of the Storage Access API.
User Agents sometimes prevent content inside certain iframes from accessing data stored in client-side storage mechanisms like cookies. This can break embedded content which relies on having access to client-side storage.
The Storage Access API enables content inside iframes to request and be granted access to their client-side storage, so that embedded content which relies on having access to client-side storage can work in such User Agents.
- Explainer¹ (minimally containing user needs and example code): https://github.com/privacycg/storage-access#readme
- Specification URL: https://privacycg.github.io/storage-access/
- Tests: https://wpt.fyi/results/storage-access-api?label=experimental&label=master&aligned
- User research:
- Security and Privacy self-review²: https://github.com/privacycg/storage-access/blob/main/tag-security-questionnaire.md
- GitHub repo (if you prefer feedback filed there): https://github.com/privacycg/storage-access
- Primary contacts (and their relationship to the specification):
  - Johann Hofmann (@johannhof), Google Chrome, Editor
  - Anne Van Kesteren (@annevk), Apple WebKit, Editor
  - Benjamin VanderSloot (@bvandersloot-mozilla), Mozilla Firefox, Editor
- Organization(s)/project(s) driving the specification: Google, Apple, Mozilla
- Key pieces of existing multi-stakeholder review or discussion of this specification:
  - https://github.com/whatwg/html/issues/3338 (mostly for historical context, may not fully reflect current views of participants or their organizations)
  - https://github.com/privacycg/proposals/issues/2
- External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5612590694662144
Further details:
- [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
- Relevant time constraints or deadlines: We are looking to send an intent to ship in Chrome within the next few upcoming releases (M111 - M113)
- The group where the work on this specification is currently being done: Privacy CG
- The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WHATWG (Fetch/HTML)
- Major unresolved issues with or opposition to this specification:
With the changes I mention below, we have been able to resolve most points of contention between implementers. There remains work and open issues that [the editors consider critical to resolve before we attempt to standardize](https://github.com/privacycg/storage-access/issues?q=is%3Aissue+is%3Aopen+label%3A%22resolve+before+graduation%22). None of it should present fundamental concerns with the specification itself.
There is still some implementation-defined behavior in the prompt strategy of different browsers (e.g. prompts vs. heuristics or list-based grants), but the spec makes an effort to preserve interoperability despite these differences.
- This work is being funded by: Google, Apple, Mozilla
You should also know that we have recently undergone a [major design revision](https://github.com/privacycg/storage-access/issues/122) to address [security concerns](https://github.com/privacycg/storage-access/issues/113), [integrate with the permissions API](https://github.com/privacycg/storage-access/pull/138) and better align the API behavior between implementations, with fewer pieces of unspecified or implementation-defined behavior remaining.
We’re satisfied with the recent changes but because of their scope they may have left some rough edges and follow-up work in the spec.
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for **each point of feedback**
Received on Wednesday, 18 January 2023 19:40:06 UTC