Privacy is a hot topic on the web, and user agents often prevent content from accessing non-same-site data stored in cookies. This can break embedded content, such as iframes, scripts, or images, that relies on access to non-same-site cookies. To address this issue, the Privacy Community Group has proposed a new API called requestStorageAccessFor. This API would allow top-level sites to request access to cross-site cookies on behalf of embedded origins.
This specification is still in draft status, but it is intended to be merged into the HTML Living Standard. It is not yet a part of the WHATWG Living Standard or the W3C standards track.
How does the requestStorageAccessFor API work?
The requestStorageAccessFor API allows a document to request access to unpartitioned data on behalf of another origin. Unpartitioned data is the client-side storage that would be available to a site if it were loaded in a first-party-site context. In simpler terms, a top-level document can ask for an embedded origin to be given access to that origin's own data.
Let's consider an example to understand this better. Alex visits https://social.example/ and the page sets a cookie in a first-party-site context. Later, Alex visits https://video.example/, which has an image that loads from https://social.example/profile-image. In this case, the social.example document is in a third-party context, and the cookie set previously might or might not be visible depending on the user agent's storage access policies.
However, a script on https://video.example/ could request access on behalf of https://social.example by calling requestStorageAccessFor(requestedOrigin) with requestedOrigin as https://social.example. This way, the cookie set on https://social.example/ could be accessed even when loaded in a third-party context, provided certain conditions are met.
Conditions for Usage
- The document must be fully active.
- The document's node navigable must be a traversable navigable.
- The document's origin must not be an opaque origin.
- The document's relevant global object must be a secure context.
- The requestedOrigin must be a valid URL.
- The requestedOrigin must not be an opaque origin.
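The conditions above can be checked by the top-level page before it makes the call. The following is an added example, not code from the specification or from the original post; preflight, requestAccessFor and the env wrapper are hypothetical names, and the "fully active" condition is not checked because this sketch has no script-level test for it.

```javascript
// Added example: pre-flight checks mirroring the listed conditions.
// `env` is a hypothetical wrapper ({ document, window }) so the logic
// can also be exercised outside a browser with constructed objects.
function preflight(env, requestedOrigin) {
  const win = env.window;
  const failures = [];
  // Traversable navigable: the top-level document, not an iframe.
  if (win.top !== win.self) failures.push("not top-level");
  // An opaque origin serializes to the string "null".
  if (win.origin === "null") failures.push("document origin is opaque");
  if (!win.isSecureContext) failures.push("not a secure context");
  let url;
  try {
    url = new URL(requestedOrigin);
  } catch {
    failures.push("requestedOrigin is not a valid URL");
    return failures;
  }
  // data:, file: and similar URLs have an opaque ("null") origin.
  if (url.origin === "null") failures.push("requestedOrigin is opaque");
  return failures;
}

async function requestAccessFor(env, requestedOrigin) {
  const failures = preflight(env, requestedOrigin);
  if (failures.length > 0) return { granted: false, failures };
  // Feature-detect: the API is a draft and may be absent.
  if (typeof env.document.requestStorageAccessFor !== "function") {
    return { granted: false, failures: ["API not supported"] };
  }
  try {
    await env.document.requestStorageAccessFor(requestedOrigin);
    return { granted: true, failures: [] };
  } catch (err) {
    // The user agent's policy decides; a rejection means no access.
    return { granted: false, failures: ["rejected: " + err.name] };
  }
}

// In a page on https://video.example/ (the scenario above):
if (typeof document !== "undefined" && typeof window !== "undefined") {
  requestAccessFor({ document, window }, "https://social.example")
    .then((result) => console.log(result));
}
```

A granted result only means the user agent accepted the request; the embedded resource still has to be loaded afterwards for its cookies to be sent.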