-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Storage access activation reusability #22
base: main
Are you sure you want to change the base?
Conversation
This change amends the explainer to support activation "stickiness" which tells the user agent to make the activation reusable for the URLs specified in the header, for the lifetime of the document.
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
@@ -179,6 +205,19 @@ The principal way that the Storage Access API addresses these security concerns | |||
|
|||
This proposal uses a new forbidden name for the `Sec-Fetch-Storage-Access` header to prevent programmatic modification of the header value. This is primarily for reasons of coherence, rather than security, but there is a security reason to make this choice. If a script could modify the value of the header, it could lie to a server about the state of the `storage-access` permission in the requesting context and indicate that the state is `active`, even if the requesting context has not opted in to using the permission grant. This could mislead the server into inferring that the request context is more trusted/safe than it actually is (e.g., perhaps the requesting context has intentionally _not_ opted into accessing its cross-site cookies because it cannot conclude it's safe to do so). This could lead the server to make different decisions than it would have if it had received the correct header value (`none` or `inactive`). Thus the value of this header ought to be trustworthy, so it ought to be up to the user agent to set it. | |||
|
|||
### `reuse-for` | |||
|
|||
A `retry` header with `reuse-for` enables the embedding document to send subsequent requests to the server with unpartitioned cookies without going through the _`retry`_ flow again. Developers who enable the reuse of storage access activation should be aware of the associated risks, such as cross-site request forgery (CSRF) and [cross-site leaks](https://xsleaks.dev/), and only allowlist URLs which expect credentialed cross-site requests and handle them safely. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A `retry` header with `reuse-for` enables the embedding document to send subsequent requests to the server with unpartitioned cookies without going through the _`retry`_ flow again. Developers who enable the reuse of storage access activation should be aware of the associated risks, such as cross-site request forgery (CSRF) and [cross-site leaks](https://xsleaks.dev/), and only allowlist URLs which expect credentialed cross-site requests and handle them safely. | |
A `retry` header with `reuse-for` enables the embedded document to send subsequent requests to the server with unpartitioned cookies without going through the _`retry`_ flow again. Developers who enable the reuse of storage access activation should be aware of the associated risks, such as cross-site request forgery (CSRF) and [cross-site leaks](https://xsleaks.dev/), and only allowlist URLs which expect credentialed cross-site requests and handle them safely. |
Do you mean "embedded" here? I read "embedding document" as referring to the top-level document (or something other than the innermost iframe, anyway). (Same comment for "embedding" below.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"embed" is probably not a good word here because with retry
headers it's really the embedding document that's sending the request (e.g. to get an image that's embedded in the document) but I see how it can be confusing. Should I just remove "embedding" entirely to avoid confusion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe "current document", like you suggested elsewhere?
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
Co-authored-by: Chris Fredrickson <cfredric@users.noreply.github.com>
This change extends the
Activate-Storage-Access
header with an optionalreuse-for
parameter, which tells the user agent to make the activation reusable for the URLs specified in the header, for the lifetime of the document.