-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use the Permissions API (closes #121, #32) #138
Conversation
How would this not expose "storage-access" to |
I had hoped to tackle this problem as a separate follow-up but yeah, I can make a PR for permissions to add support for that and then we can add it to this PR. |
@annevk if you're okay with this PR I think it would be good to merge given that the Permissions changes merged. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mostly seems okay, but there's a couple things that are somewhat questionable which I tried to call out in inline comments.
1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}. | ||
|
||
ISSUE: [since this is UA-defined, does it make sense to follow-up separately with a user prompt?](https://github.com/privacycg/storage-access/pull/24#discussion_r408784492) | ||
1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be consumed as part of the task in the next step. (Although maybe we should also point to the open issue regarding this.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, let's do this separately from this PR, it's not really related.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you file an issue for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, what I meant was that #141 is moving consumption anyway and that we should do that in that PR. I'll add a note there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd just like to note on the record that there are still many issues with this Permissions integration, which actually makes it hard to tell if any of them are critical in some manner.
Ok, can we list them out for a moment (also to figure out if this PR needs to address any of them)? I'm aware of #144 and #143 (missing WPTs for observing permissions). What else were you thinking of? |
The things I notice are mainly editorial, but given there's many it makes me worried I'm overlooking other things. It's not just this PR though.
I should make time to do a pass at one point. Looking at the PR again I wonder if we were firmly settled on using origin for the embedded website? |
So, I think we said that we could use origin for now but note that user agents have the liberty to auto-grant requests that have existing permissions with same-site embedees. Thinking about this now I think I actually prefer the (site, site) boundary now, as that would allow observers from adjacent same-site iframes to see the permission grant. Depending on what @bvandersloot-mozilla thinks we could move to (site, site), but maybe we should do this in a follow-up to have the decision recorded explicitly? |
I'm okay with setting (site, site) now, given the other discussions on preserving origin boundaries for security. |
Ok, filed #147 for (site, site) and happy to follow-up with that. |
I filed https://bugs.chromium.org/p/chromium/issues/detail?id=1401266 for Chromium supporting and WPTesting the Permissions API for storage-access. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm okay with merging this, modulo follow-ups and renaming of the permission key tuple items.
1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}. | ||
|
||
ISSUE: [since this is UA-defined, does it make sense to follow-up separately with a user prompt?](https://github.com/privacycg/storage-access/pull/24#discussion_r408784492) | ||
1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you file an issue for this?
1. Set |status|'s {{PermissionStatus/state}} to |permissionDesc|'s [=permission state=]. | ||
1. If |status|'s {{PermissionStatus/state}} is [=permission/denied=], set |status|'s {{PermissionStatus/state}} to [=permission/prompt=]. | ||
|
||
Note: The "denied" permission state is not revealed to avoid exposing the user's decision to developers. This is done to prevent retaliation against the user and repeated prompting to the detriment of the user experience. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's have a follow-up issue on this as we will to some extent expose denied to websites anyway (but they won't know whether it's persisted).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You were thinking of #149, right?
(I seem to not have sufficient access to unresolve an issue. It's the first of the three threads above.) |
Co-authored-by: Anne van Kesteren <[email protected]>
54d4e09
to
6a6a93a
Compare
I'll merge this now but will leave the follow-up bits unresolved in case you had something else in mind. :) |
This is an attempt to migrate to a "per-frame" model, as discussed in #122. This is built on top of #138 as a starting point. The approach is to define a flag that lives on environment, and is set by document.requestStorageAccess and read by document.hasStorageAccess. In order to propagate storage access during self-initiated, same-origin navigations, we also add a flag to the source snapshot params used during create navigation params by fetching, and conditionally copy the sourceDocument's relevant settings object's flag over to the new environment that will be created. This should let us achieve the benefits of the BrowsingContext approach discussed in #122, without having to add and clear state in BrowsingContext. Co-authored-by: Johann Hofmann <[email protected]>
This is building on top of w3c/permissions#390 to integrate SAA with permissions. It's deleting a lot of old manual state management but doesn't get rid of the (global) storage access map altogether, since that is done in the per-frame change being worked on by @cfredric.
This is a bit WIP just by virtue of the other change not having merged yet. I removed some of the references to the other spec to avoid the build from breaking.
test_driver.set_permission
in tests. We could follow up with tests that confirm that thestorage-access
feature is exposed via permissions APIs but that may need a separate spec change.Preview | Diff