1836792 - Document::RequestStorageAccess should use a new site-site scoped permission

Status: RESOLVED FIXED

(Core :: Privacy: Anti-Tracking, enhancement, P2)

Description

[Benjamin VanderSloot [:bvandersloot]]

This permission should be similar to the 3rdPartyStorage^ permission, but have slightly different semantics. We need to keep around the old one for requestStorageAccessFor.

• the thing after the "^" should be a site, not origin
• it only applies to iframes, not the top-level

We should fold this into the existing StorageAccessPermissionRequest and StorageAccessPermissionPrompt using request options and handling any ugliness there. 3rdPartyStorage^ permission is strictly stronger, so we can treat that like having both permissions. This can be done inside of those classes' behavior.

This also requires a little extension of the GeckoView to not break requestStorageAccess calls in Android.

Alternative to Bug 1835895, Bug 1835896, and Bug 1835908

Comment 1

[Benjamin VanderSloot [:bvandersloot]]

Attachment: Bug 1836792, part 1 - Add new site-pair-scoped permission 3rdPartyFrameStorage, r=#anti-tracking!

Comment 2

[Benjamin VanderSloot [:bvandersloot]]

Attachment: Bug 1836792, part 2 - Make changes to StorageAccessPermission{Request,Prompt} to allow requesting 3rdPartyFrameStorage, r=#anti-tracking!

Depends on D180215

Comment 3

[Benjamin VanderSloot [:bvandersloot]]

Attachment: Bug 1836792, part 3 - Adopt permissions UI to just show the same old prompt for 3rdPartyFrameAccess requests, r=#anti-tracking!

Depends on D180216

Comment 4

[Benjamin VanderSloot [:bvandersloot]]

Attachment: Bug 1836792, part 4 - Move RequestStorageAccess to frame-only permission - r=#anti-tracking!

Depends on D180217

Comment 5

[Benjamin VanderSloot [:bvandersloot]]

Attachment: Bug 1836792, part 5 - Stop the use of 3rdPartyFrameStorage permissions beyond Nightly - r=#anti-tracking!

Depends on D180218

Comment 6

[Pulsebot]

Pushed by bvandersloot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/10c928636a22
part 1 - Add new site-pair-scoped permission 3rdPartyFrameStorage, r=anti-tracking-reviewers,timhuang
https://hg.mozilla.org/integration/autoland/rev/51493ddc8b4f
part 2 - Make changes to StorageAccessPermission{Request,Prompt} to allow requesting 3rdPartyFrameStorage, r=anti-tracking-reviewers,timhuang,pbz
https://hg.mozilla.org/integration/autoland/rev/683d1cdc0e5f
part 3 - Adopt permissions UI to just show the same old prompt for 3rdPartyFrameAccess requests, r=anti-tracking-reviewers,timhuang,pbz
https://hg.mozilla.org/integration/autoland/rev/79cbd089410c
part 4 - Move RequestStorageAccess to frame-only permission - r=anti-tracking-reviewers,timhuang
https://hg.mozilla.org/integration/autoland/rev/f7e8a47d6ca5
part 5 - Stop the use of 3rdPartyFrameStorage permissions beyond Nightly - r=anti-tracking-reviewers,timhuang

Comment 7

[Cristina Horotan [:chorotan]]

https://hg.mozilla.org/mozilla-central/rev/10c928636a22
https://hg.mozilla.org/mozilla-central/rev/51493ddc8b4f
https://hg.mozilla.org/mozilla-central/rev/683d1cdc0e5f
https://hg.mozilla.org/mozilla-central/rev/79cbd089410c
https://hg.mozilla.org/mozilla-central/rev/f7e8a47d6ca5