Closed
Bug 1680844
Opened 3 years ago
Closed 2 years ago
requestStorageAccess grants for cross-site iframes should give out storageAccessAPI permissions
Categories
(Core :: Privacy: Anti-Tracking, enhancement, P2)
Core
Privacy: Anti-Tracking
Tracking
()
RESOLVED
FIXED
97 Branch
| Tracking | Status | |
|---|---|---|
| firefox97 | --- | fixed |
People
(Reporter: johannh, Assigned: bvandersloot)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
Safari will renew user interaction if the storage access API was used successfully, see https://github.com/privacycg/storage-access/issues/5
We should also do this to avoid purging "legitimate" 3rd party storage from parties without first party interaction.
To avoid introducing a loophole for redirect trackers obtaining unjustified interaction, we need to ensure that the permissions is only given out if a cross-site frame is granted access, not a same-site frame or a top-level document.
|
Reporter | |
Comment 1•3 years ago
|
||
Steve remarked correctly that this should be cross-site not cross-origin to avoid gaming the thing with subdomains.
Summary: requestStorageAccess grants for cross-origin iframes should give out storageAccessAPI permissions → requestStorageAccess grants for cross-site iframes should give out storageAccessAPI permissions
|
|
Reporter | |
Updated•3 years ago
|
Blocks: storage-access-experience
|
||
Comment 2•3 years ago
•
|
||
The definition of "storageAccessAPI permission:"
- Has the user interacted with the website?
- storageAccessAPI permissions record every site that the user interacted with and thus mirror history quite closely.
The variable name should be: hasUserEverInteractedWithSiteInFirstPartyContext.
|
Assignee | |
Comment 3•2 years ago
|
||
- Add observation of user interaction (for purpose of handing out storageAccessAPI permission) during grants of requestStorageAccess
- This will not observe user interaction when a page requests the permission when they already have it, by design
- This should also not observe user interaction when the grant is due to a heuristic.
- Add tests that verify adding user interaction on grant and autogrant. Plus one more test to verify that we do not add user interaction on deny
Depends on D132024
|
||
Updated•2 years ago
|
Assignee: nobody → bvandersloot
Status: NEW → ASSIGNED
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fdf5c7623701 requestStorageAccess grants for cross-site iframes should give out storageAccessAPI permissions, r=anti-tracking-reviewers,pbz
|
||
Comment 5•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox97:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•