[w3ctag/design-reviews] Early design review: Storage Access Headers (Issue #982)

Hello, TAG!

I'm requesting a TAG review of [Storage Access Headers](https://github.com/cfredric/storage-access-headers).

The cross-browser [Storage Access API](https://github.com/privacycg/storage-access) supports "authenticated embeds" by providing a way to opt in to accessing unpartitioned cookies in an embedded context. The API currently requires an explicit call to the `document.requestStorageAccess` JavaScript API, even if the user has previously granted storage-access permission, as a CSRF protection. This means that authenticated embeds which do not have an iframe presence cannot benefit from the Storage Access API, even after the user has granted permission. This proposal, Storage Access Headers, creates new HTTP request and response headers to enable authenticated embeds with storage-access permission to access third-party cookies, even without an iframe.
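As an added illustration (not code from the proposal or its authors), the following handler sketches the server side of the flow described above, including the origin binding that stands in for the explicit `document.requestStorageAccess` call. The header names and values are those defined in the linked explainer rather than this page; the allowlist, status codes, `Vary` hint and function names are this example's own assumptions.

```python
# Added example: a minimal server-side handler for the Storage Access Headers
# flow. Header names (Sec-Fetch-Storage-Access, Activate-Storage-Access) and
# their values follow the linked explainer; the status codes, the allowlist,
# the Vary hint and the helper names are this example's own assumptions.

from typing import Dict, Optional, Tuple

# Constructed allowlist: embedder origins this resource is willing to serve
# with unpartitioned cookies. Restricting the retry to known embedders is the
# CSRF control that replaces the explicit document.requestStorageAccess() call.
ALLOWED_EMBEDDERS = {"https://embedder.example"}

Response = Tuple[int, Dict[str, str], str]


def handle_embedded_request(req_headers: Dict[str, str],
                            session_cookie: Optional[str]) -> Response:
    """Decide how to answer a cross-site subresource request.

    req_headers: lower-cased request header names -> values (constructed).
    session_cookie: the site's own session cookie, if the browser sent one.
    """
    mode = req_headers.get("sec-fetch-storage-access", "none")
    origin = req_headers.get("origin", "")

    if mode == "active" and session_cookie is not None:
        # The browser retried with storage access, so cookies are present.
        # Still bind the grant to a known embedder before serving user data.
        if origin not in ALLOWED_EMBEDDERS:
            return 403, {}, "embedder not allowed"
        return 200, {"Content-Type": "text/html"}, f"personalised for {session_cookie}"

    if mode == "inactive" and origin in ALLOWED_EMBEDDERS:
        # Permission exists but is not active for this request: ask the
        # browser to retry with storage access, scoped to this one embedder.
        return 401, {
            "Activate-Storage-Access": f'retry; allowed-origin="{origin}"',
            "Vary": "Sec-Fetch-Storage-Access",  # cache hygiene (assumption)
        }, ""

    # "none" (no permission), an unknown embedder, or a legacy browser that
    # sends no header at all: serve the unauthenticated variant.
    return 200, {"Content-Type": "text/html"}, "anonymous"
```

Note that an unknown embedder never receives the retry instruction, so it cannot coerce a cookie-bearing request out of the browser even when the user has granted permission elsewhere.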

  - Explainer: https://github.com/cfredric/storage-access-headers/blob/main/README.md
  - User research: N/A
  - Security and Privacy self-review: https://github.com/cfredric/storage-access-headers/blob/main/security_privacy_self_review.md
  - GitHub repo: https://github.com/cfredric/storage-access-headers
  - Primary contacts:
      - Chris Fredrickson (cfredric@, Google Chrome, primary author)
      - Johann Hofmann (johannhof@, Google Chrome, author)
  - Organization/project driving the design: Google Chrome
  - External status/issue trackers for this feature: https://chromestatus.com/feature/6146353156849664

Further details:

  - [X] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - The group where the incubation/design work on this is being done (or is intended to be done in the future): PrivacyCG
  - The group where standardization of this work is intended to be done: WHATWG
  - Existing major pieces of multi-implementer review or discussion of this design:
    - Some cross-browser discussion on https://github.com/privacycg/proposals/issues/45, https://github.com/privacycg/meetings/blob/main/2023/telcons/12-14-minutes.md, https://github.com/privacycg/meetings/blob/main/2023/tpac/minutes.md
  - Major unresolved issues with or opposition to this design: None so far
  - This work is being funded by: Google

You should also know that…

  - We are working with PrivacyCG chairs to adopt this proposal as a work item. After that, we will request formal positions from other browser vendors.
  - We have not yet written a formal spec, but we will write one prior to requesting TAG spec review.

Issue on GitHub: https://github.com/w3ctag/design-reviews/issues/982

Received on Tuesday, 13 August 2024 14:57:59 UTC