Closed
Bug 1680844
Opened 3 years ago
Closed 2 years ago
requestStorageAccess grants for cross-site iframes should give out storageAccessAPI permissions
Categories
(Core :: Privacy: Anti-Tracking, enhancement, P2)
Core
Privacy: Anti-Tracking
Status: RESOLVED FIXED
Target Milestone: 97 Branch
Tracking
| | Tracking | Status |
|---|---|---|
| firefox97 | --- | fixed |
People
(Reporter: johannh, Assigned: bvandersloot)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
Safari will renew user interaction if the storage access API was used successfully, see https://github.com/privacycg/storage-access/issues/5
We should also do this to avoid purging "legitimate" 3rd party storage from parties without first party interaction.
To avoid introducing a loophole for redirect trackers obtaining unjustified interaction, we need to ensure that the permission is only given out if a cross-site frame is granted access, not a same-site frame or a top-level document.
Comment 1 • 3 years ago • Reporter
Steve remarked correctly that this should be cross-site not cross-origin to avoid gaming the thing with subdomains.
Summary: requestStorageAccess grants for cross-origin iframes should give out storageAccessAPI permissions → requestStorageAccess grants for cross-site iframes should give out storageAccessAPI permissions
Updated • 3 years ago • Reporter
Blocks: storage-access-experience
Comment 2 • 3 years ago
The definition of "storageAccessAPI permission":
- Has the user interacted with the website?
- storageAccessAPI permissions record every site that the user interacted with and thus mirror history quite closely.
The variable name should be: hasUserEverInteractedWithSiteInFirstPartyContext.
Comment 3 • 2 years ago • Assignee
- Add observation of user interaction (for purpose of handing out storageAccessAPI permission) during grants of requestStorageAccess
- This will not observe user interaction when a page requests the permission when they already have it, by design
- This should also not observe user interaction when the grant is due to a heuristic.
- Add tests that verify adding user interaction on grant and autogrant. Plus one more test to verify that we do not add user interaction on deny
Depends on D132024
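As an added example, not code from Firefox or from any commenter on this bug, the following JavaScript models the rule spelled out in the description and refined in comments 1 and 3: a grant records first-party interaction for the embedded site only when the requesting frame is cross-site (not merely cross-origin, so sibling subdomains do not count), the frame did not already hold access, and the grant came from requestStorageAccess rather than a heuristic; a deny records nothing. The function and field names (`shouldRecordInteraction`, `InteractionStore`, `grantedByHeuristic`, and the rest) are hypothetical, and the registrable-domain check takes the last two host labels as an assumption in place of the Public Suffix List a browser would consult.

```javascript
// Added example, not Firefox code: a model of when a requestStorageAccess grant
// should also record "user interaction in first-party context" for the embedded
// site (the storageAccessAPI permission discussed in this bug).
//
// Assumption: registrable domain is approximated by the last two host labels.
// A real browser consults the Public Suffix List, so e.g. "*.co.uk" is wrong here.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Same-origin: scheme, host and port all match.
function isSameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Same-site: scheme and registrable domain match. This is the check comment 1
// asks for; a same-origin check would let sibling subdomains count as "cross-site".
function isSameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// Decision from the description and comment 3. The `request` fields are hypothetical:
//   topLevelUrl        - the top-level document
//   frameUrl           - the frame that called requestStorageAccess (null if top-level)
//   granted            - whether access was granted (prompted or automatic grant)
//   alreadyHadAccess   - the frame already held storage access before the call
//   grantedByHeuristic - access came from a heuristic, not from requestStorageAccess
function shouldRecordInteraction(request) {
  const { topLevelUrl, frameUrl, granted, alreadyHadAccess, grantedByHeuristic } = request;
  if (!granted) return false;                           // deny: nothing recorded
  if (!frameUrl) return false;                          // top-level document: not a frame grant
  if (isSameSite(topLevelUrl, frameUrl)) return false;  // same-site frame, e.g. a subdomain
  if (alreadyHadAccess) return false;                   // re-requesting held access: by design, no
  if (grantedByHeuristic) return false;                 // heuristic grants do not renew
  return true;
}

// Store keyed by site, matching comment 2's reading of the permission as
// "has the user ever interacted with this site in a first-party context".
class InteractionStore {
  constructor() { this.sites = new Set(); }
  observe(url) { this.sites.add(registrableDomain(new URL(url).hostname)); }
  hasInteracted(url) { return this.sites.has(registrableDomain(new URL(url).hostname)); }
}

// Apply the decision to one grant and report whether the frame's site now holds the permission.
function handleGrant(store, request) {
  if (shouldRecordInteraction(request)) store.observe(request.frameUrl);
  return request.frameUrl ? store.hasInteracted(request.frameUrl) : false;
}

// Constructed scenarios (sample data, not from the bug) covering the cases listed in comment 3.
function runScenarios() {
  const store = new InteractionStore();
  const base = { topLevelUrl: "https://news.example", granted: true,
                 alreadyHadAccess: false, grantedByHeuristic: false };
  return {
    crossSiteGrant: handleGrant(store, { ...base, frameUrl: "https://embed.example" }),
    sameSiteSubdomain: handleGrant(store, { ...base, topLevelUrl: "https://www.shop.example",
                                            frameUrl: "https://cdn.shop.example" }),
    denied: handleGrant(store, { ...base, frameUrl: "https://other.example", granted: false }),
    heuristic: handleGrant(store, { ...base, frameUrl: "https://sso.example", grantedByHeuristic: true }),
    alreadyHeld: handleGrant(store, { ...base, frameUrl: "https://held.example", alreadyHadAccess: true }),
  };
}
```

Only the first scenario records interaction; the subdomain case shows why the check must be same-site rather than same-origin, since `www.shop.example` embedding `cdn.shop.example` would otherwise let a site hand itself first-party interaction through its own frame.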
Updated • 2 years ago
Assignee: nobody → bvandersloot
Status: NEW → ASSIGNED
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fdf5c7623701 requestStorageAccess grants for cross-site iframes should give out storageAccessAPI permissions, r=anti-tracking-reviewers,pbz
Comment 5 • 2 years ago • bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox97: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch