A way to define an origin as safe, to disable partitioning

[Banou26]

If a website uses iframes that are not sameorigin but still controlled by the same authority, wouldn't it make sense to have a way to disable storage partitioning ?
Not having any way to disable it forces you to ask for user gesture on the iframe for that iframe to have access to APIs like a service worker.

It would be the same kind of way than CSP or CORS, defining explicitly the domains that the embedder and the embedded accepts.

I've not seen anything regarding a way to disable partitioning after looking through the issues / docs.

[annevk]

Why can't they be same-origin or at the very least same-site if they are under the control of the same authority?

[Banou26]

There can be various reasons.

The easiest one that comes to mind is subsediaries, without giving any specific names, some streaming platforms with multiple different front products with different domains hosts their video player under one domain that they embed with iframes, which makes use of service workers.

Another easy one that comes to mind are language coding playgrounds, almost if not all of them uses a different randomly generated non sameorigin sub-domains to host the render/host the result of the code sandbox and also make use of service workers or other affected partitionned APIs.

There's an actually decent amount of websites out there that hosts iframes in non same-origin domains if you search for them.

For my case in specific, I host little apps under a different domain because i want to take advantage of OOPIF(Out of process Iframes), so that if the underlying app crashes / has an infinite loop, my own website doesn't crash with the iframe'd app, in addition of other things.

Now with the storage partitioning getting implemented, i've started having a few issues with the way my apps are loaded, because they need a service worker to redirect/modify specific asset URLs.

The only way for me to fix this with the current partitioning implementation:

• Ask for the user to click on the iframe before the app can render itself, to get the permission to register a service worker so that i can load the WASM file that is extracted from a dynamic package file. This is a sub-optimal experience

• Trick the browser by rendering the iframe on top of my website and clickjack a first user gesture to get the permission to register the service worker before they actually go on the app's page. (I think this would work but i've not done any POC of it yet)

All in all, having a way to explicitly set domains as safe would be a good feature for partitioning i think.
I'm not really sure how would the end result look like API wise but i just wanted to propose this idea so that websites like mine have a minimal difficulties working around partitioning.

I love the idea of partitioning, it's great for privacy, but the cost right now is a little high for more edge case websites i think if we don't have a workaround.

[johannhof]

You're looking for https://github.com/privacycg/first-party-sets, I think. Feel free to file an issue on that if you have any feedback.

When you say "permission", are you referring to document.requestStorageAccess?

[Banou26]

Yes, by permission i meant document.requestStorageAccess, since this is the one call that allows you to register back service workers but need a user-gesture to be able to call it.

Thanks for the link, i did not know about it! It looks like what i wanted, i'll take a more in-depth look.

[Banou26]

Coming back on to this, I've had to deal back with storage partitioning on my app, tried using first party sets to fix the issue, but they don't actually seem to solve anything for me.

I have this case where my sandbox domain, https://og6257vsr83j75x9icng.npm.fkn.sdbx.app/ contains an app, which i also want accessible on https://torrent.fkn.app/.

I want the torrent.fkn.app one to be an alias for the sandbox, so what i did is simply open a full page width iframe on it, directing to the sandbox.

This gets partitionned, since it's considered third party so I've tried setting up a button for document.requestStorageAccess AND document.requestStorageAccessFor(from the alias domain) which did not end up with giving access to the unpartitionned sandbox's storage.

I've also ended up trying the first party sets way by setting some flags on my chrome to define the rules(I've tried associated sites, as I assume it'd give out the most permissions to see if it would work to start off)

I've had this popup come in on chrome with this message which i think is a bit weird considering it's a full width iframe & contains user gestures.

Might want to reconsider the popup's message, this make it sound like my sandbox app, which already to start off has an unfriendly domain name, which is why i want to alias it, is trying to do shady things like steal your data or something...

Even when allowing the embedded content by clicking on Allow, it still hasn't given out unpartitionned indexedDB and OPFS access to the true origin which is og6257vsr83j75x9icng.npm.fkn.sdbx.app.

After looking more into it It seems like document.requestStorageAccess is more catered towards accessing cookies than doing anything else, Am i wrong?

I've also seen mentions to the Privacy Sandbox's SharedStorage API, but this only seem to be DB like apis, I haven't seen any mentions to an OPFS like api, which I need for my applications as they are highly I/O performance sensitive.

Is there anything defined to give unpartitionned access to file system apis like the origin private file system & indexedDB that i could look into?