193277 2019-01-09 03:17:25 -0800 Storage Access API doesn't appear to work 2022-02-12 23:24:59 -0800 1 1 1 Unclassified WebKit WebCore Misc. Safari 12 Mac macOS 10.13 RESOLVED INVALID InRadar P2 Blocker --- 1 walking_fishy wilander beidson bfulgham cdumez gabriel othree shahar sihui_liu stefan webkit-bug-importer wilander xors.nn youennf oldest_to_newest 1492909 0 358689 walking_fishy 2019-01-09 03:17:25 -0800 Created attachment 358689 Example code According to https://webkit.org/blog/8124/introducing-storage-access-api/ and https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess there should be two functions: * document.hasStorageAccess(); * document.requestStorageAccess(); despite hasStorageAccess() returning true, and the promise requestStorageAccess() resolving. An iframe (siteB) is still unable to set and get cookies. The iframe is sandboxed with the following attributes: <iframe src = "http://siteB.com" sandbox="allow-storage-access-by-user-activation allow-scripts allow-same-origin"></iframe> I have attached my example code as a zip. 1493455 1 webkit-bug-importer 2019-01-10 14:11:29 -0800 <rdar://problem/47190019> 1539217 2 gabriel 2019-05-25 11:28:26 -0700 This still seems to be happening on Safari 12.1.1 on macOS 10.14.5. The problem seems to goes away if the user first directly accesses "siteB" outside of an iframe. Is this intended behavior? I was under the impression that the purpose of the Storage Access API was to allow third-party iframes to access cookies as long as the user interacts with the document inside the iframe and as long as the iframe requests permission. Requiring the user to have previously accessed the site inside the iframe hurts my use case. 1596819 3 othree 2019-12-09 07:38:21 -0800 (In reply to Gabe from comment #2) > This still seems to be happening on Safari 12.1.1 on macOS 10.14.5. > > The problem seems to goes away if the user first directly accesses "siteB" > outside of an iframe. > > Is this intended behavior? I was under the impression that the purpose of > the Storage Access API was to allow third-party iframes to access cookies as > long as the user interacts with the document inside the iframe and as long > as the iframe requests permission. Requiring the user to have previously > accessed the site inside the iframe hurts my use case. Hi Gabe. What do you mean "The problem seems to goes away if the user first directly accesses "siteB" outside of an iframe." Do you able to read and write the cookie in the iframe if you touched the domain outside? I am using Safari 13 but I can't reproduce this behavior. I can only get read only access to the access to the cookie. It must write in a first party role (direct navigate or open a new window). 1621058 4 xors.nn 2020-02-19 20:46:36 -0800 The same for me (MacOS Catalina Version 10.15.3, Safari Version 13.0.5 (15608.5.11)) In the page in an Iframe running "hasStorageAccess" it resolves to false, then I run "requestStorageAccess" after it resolves "hasStorageAccess" resolves to true. Then trying to set some cookie (both by javascript and by the backend call) the values of the cookies are not stored anywhere (nothing returns when accessing document.cookie) 1621060 5 xors.nn 2020-02-19 20:48:51 -0800 One addition to my previous comment, everything described there works fine on Firefox. 1655990 6 shahar 2020-05-26 02:57:34 -0700 +1 1672324 7 wilander 2020-07-16 17:48:14 -0700 Hi all! I've been working on some documentation for the Storage Access API. See if this works for you (still a draft). # How To Use the Storage Access API We have received requests for a guide on how to successfully use the Storage Access API which enables embedded third-party content to get cookie access under Intelligent Tracking Prevention. We refer to such embedded content as authenticated embeds since the purpose of getting cookie access typically is to authenticate the user. For the purposes of this guide we will use the domains social.example for the embedded content in need of cookie access and news.example as the website embedding social.example. ## Third-Party Iframes Call the API The Storage Access API is called from inside cross-site, or third-party, iframes. You don’t have to call the API if your website is first party and first party websites cannot call the API on behalf of third-parties. ## First Meet and Greet the User as First Party If you want to make use of the Storage Access API as a third-party, you first need to take these steps as a first party: 1. Take the user to your domain as first party. This is your website showing itself and giving the user a chance to recognize your brand and domain name. Recognition is important since the prompt for storage access features your embedded iframe’s domain. In our example, this is taking the user to a webpage with social.example in the URL bar, either though a navigation or a popup. 2. Have the user interact (tap, click, or use the keyboard) with your website as first party. This tells the browser that the user has actually seen and used the site. *Note*: Navigating to and from your website in a redirect without user interaction does not count. Formally, WebKit’s requirement is user interaction as first party the last 30 days of browser use. Being granted storage access through the Storage Access API counts as such user interaction. In our example, this is having the user tap/click on the webpage with social.example in the URL bar. 3. Set cookies when you are first-party. This establishes the website as "visited" for the purposes of the underlying cookie policy. Third parties without cookies cannot set cookies in Safari and never have since Safari 1.0 in 2003. This means you cannot use the Storage Access API as third-party until you have set at least one cookie as first party. In our example, this is setting cookies for social.example with social.example in the URL bar. The above requirements are there to make sure the sometimes 50-100 embedded third-parties on a single webpage cannot all prompt the user for storage access, only the ones the user has visited and interacted with can. ## Now Use the Storage Access API as Third Party Once you have had the user interact with your website as first party and have set cookies as first party, you are ready to make use of the Storage Access API. 1. Make your cross-site iframe call document.hasStorageAccess() as soon as it's rendered to check your status. *Note*: Don't call this function upon a user gesture since it's asynchronous and will consume the gesture, making a subsequent call to document.requestStorageAccess() fail because it's not called when processing a user gesture. In our example this is social.example's iframe. 2. If document.hasStorageAccess() returns false, your iframe doesn't have storage access. Now set an event handler on elements that represent UI which requires storage access and make the event handler call document.requestStorageAccess() on a tap or click. This is the API that requires a user gesture. In our example this is social.example's iframe. 3. Render the page with your cross-site iframe. Tap or click on an element with an event handler in the iframe. In our example this is rendering a page from news.example with the social.example's iframe and clicking on an element in the social.example iframe's document. 4. If the user has not yet opted in to storage access for social.example under news.example there will now be a prompt. Choose "Don't Allow" in the prompt. *Tip*: Don't choose "Allow" yet because it'll be remembered and you'll have to delete browser history to reset it. 5. Test the behavior for the "Don't Allow" case. Do this until you’re happy with how your code handles it. 6. Now tap or click the iframe again and this time choose "Allow" in the prompt. 7. Test the behavior for the "Allow" case. 358689 2019-01-09 03:17:25 -0800 2019-01-09 03:17:25 -0800 Example code Playpen.zip application/zip 5437 walking_fishy UEsDBAoAAAAAABNQKU4AAAAAAAAAAAAAAAAIABAAUGxheXBlbi9VWAwAXMY1XEbGNVx6nY0jUEsD BBQACAAIABNQKU4AAAAAAAAAAAAAAAARABAAUGxheXBlbi8uRFNfU3RvcmVVWAwAXMY1XEbGNVx6 nY0j7Zg7DsIwEERnjQtLNC4p3XAAbmBFyQm4AAVXoPfRIdoRshRSUCWCeZL1Vop/aRxPANjwuF+A DCDBjTM+ktgWhK42ziGEEEKIfWOudNx2G0KIHTKfD4WudHMbnwc6dmMyXehKN7exX6AjnehMF7rS zc1Dyxg+jCsbE4oxhVih61evLMTfcHDl+fs/YTX/CyF+GIvjdRzwDgTLDq926+qG9UtA8J+Fp25s oSvd3LoICLEVT1BLBwhqAIhtsgAAAAQYAABQSwMECgAAAAAAGVopTgAAAAAAAAAAAAAAAAkAEABf X01BQ09TWC9VWAwAIdg1XCHYNVx6nY0jUEsDBAoAAAAAABlaKU4AAAAAAAAAAAAAAAARABAAX19N QUNPU1gvUGxheXBlbi9VWAwAIdg1XCHYNVx6nY0jUEsDBBQACAAIABNQKU4AAAAAAAAAAAAAAAAc ABAAX19NQUNPU1gvUGxheXBlbi8uXy5EU19TdG9yZVVYDABcxjVcRsY1XHqdjSNjYBVjZ2BiYPBN TFbwD1aIUIACkBgDJxAbAbEbEIP4FUDMAFchwIADOIaEBEGZFTBd6AAAUEsHCPQZ17w0AAAAeAAA AFBLAwQKAAAAAABBXyJOAAAAAAAAAAAAAAAAEQAQAFBsYXlwZW4vU2t5QmluZ28vVVgMAFzGNVxJ pyxcep2NI1BLAwQUAAgACAA0SylOAAAAAAAAAAAAAAAAIQAQAFBsYXlwZW4vU2t5QmluZ28vbG9h ZF9zaW1wbGUuaHRtbFVYDABcxjVcE741XHqdjSN9VMGO2jAQve9XjHIhKZBA1fZQEqTudg+VKlUV 9FRVyDgmsXDsyHZYUHf/fcdJ0CYB1gfH47x5M+PncZzbQizvAEecM5K2y6iz3qr01Cwb1Hz5U5GU pbDan+Cey0whfN5B8J0mBQOjKSTg5daWX6OoUHR/YBkxIVVFJJBhY3hRCuaBITLdqmPiESHU09RY pUnGpoRSZsx0e5pWhmk0LT8Qy5WEFkc1L605WxhyqjTPuPSWcdTk0EmqQb9tuLGrJK0JDbMPSu05 8yV6TeBARIWflJxMAP97Pm4ciAZ2LLlmxlXoLS4QfAf+Le8zQ0osQ3fJnuA7Lv3gksYNBwsxwTUv mF8bWWsEMG6iwAf4+AmnL7PzNJ/NZsENwk7mi7OReMhVk1v1Z/2wshp1vZbRy8VOqmhVMGlRV3eC riKn/hi8mtSvzxKen/GcXMLn6GMXvSQ2T6LB+b3cXRcp64l0Sxf37/F3L4vLKhyQEgQNkg9NKbj1 R4vRldJ3SrtqNHB0nC3wEyNJKJjMbI7mePye2q4XKPnL/10X5SnngoFPQ5oT/c36swCSBEYwChrP 0FRb06gyn6DZRL2hsLt9NOQyZcdfO785kZoPWTWzlZY9wgbQUr5Lfql+SycrIYYqDqG9jbeO837c rzZCub6dgKeOfK32TG5KolEX3Po8yKNnUCWNEtgSWlWl77VOA48zCIP4XntL61uJ7Nm1PIad04vy KNNuY8RR92WJo+a1xBexfldfAVBLBwiG6sa1MAIAAF8FAABQSwMECgAAAAAAGVopTgAAAAAAAAAA AAAAABoAEABfX01BQ09TWC9QbGF5cGVuL1NreUJpbmdvL1VYDAAh2DVcIdg1XHqdjSNQSwMEFAAI AAgANEspTgAAAAAAAAAAAAAAACwAEABfX01BQ09TWC9QbGF5cGVuL1NreUJpbmdvLy5fbG9hZF9z aW1wbGUuaHRtbFVYDABcxjVcE741XHqdjSNjYBVjZ2BiYPBNTFbwD1aIUIACkBgDJxAbAfEaIAbx 7zEQBRxDQoKgTJCOGUDshqaEESEumpyfq5dYUJCTqldYmliUmFeSmZfKUKhvYGBgaG2abGyalGhq YO2en5+ekxpTYWTgnFGUn5tqbeTiaGHsauym62hg6KprYmjhpOvkYmqq6+Robubi7GboaObkxAAA UEsHCG+sBW+RAAAA3gAAAFBLAwQUAAgACABBXyJOAAAAAAAAAAAAAAAAGwAQAF9fTUFDT1NYL1Bs YXlwZW4vLl9Ta3lCaW5nb1VYDABcxjVcSacsXHqdjSNjYBVjZ2BiYPBNTFbwD1aIUIACkBgDJxAb AfEaIAbx7zEQBRxDQoKgTJCOGUDshqaEESEumpyfq5dYUJCTqldYmliUmFeSmZfKUKhvYGBgaG2a bGyalGhqYO2en5+ekxpTYWTgnFGUn5tqbeTiaGHsauym62hg6KprYmjhpOvkYmqq6+Robubi7Gbo aObkxAAAUEsHCG+sBW+RAAAA3gAAAFBLAwQKAAAAAAAYUClOAAAAAAAAAAAAAAAAEQAQAFBsYXlw ZW4vU2t5VmVnYXMvVVgMAFzGNVxPxjVcep2NI1BLAwQUAAgACAAaUClOAAAAAAAAAAAAAAAAGgAQ AFBsYXlwZW4vU2t5VmVnYXMvLkRTX1N0b3JlVVgMAFzGNVxUxjVcep2NI+2YOw7CMBBEZ40LSzQu Kd1wAG5gRckJuAAFV6D30SHaEbIUUlAlgnmS9VaKf2kcTwDY8LhfgAwgwY0zPpLYFoSuNs4hhBBC iH1jrnTcdhtCiB0ynw+FrnRzG58HOnZjMl3oSje3sV+gI53oTBe60s3NQ8sYPowrGxOKMYVYoetX ryzE33Bw5fn7P2E1/wshfhiL43Uc8A4Eyw6vduvqhvVLQPCfhadubKEr3dy6CAixFU9QSwcIagCI bbIAAAAEGAAAUEsDBAoAAAAAABlaKU4AAAAAAAAAAAAAAAAaABAAX19NQUNPU1gvUGxheXBlbi9T a3lWZWdhcy9VWAwAIdg1XCHYNVx6nY0jUEsDBBQACAAIABpQKU4AAAAAAAAAAAAAAAAlABAAX19N QUNPU1gvUGxheXBlbi9Ta3lWZWdhcy8uXy5EU19TdG9yZVVYDABcxjVcVMY1XHqdjSNjYBVjZ2Bi YPBNTFbwD1aIUIACkBgDJxAbAbEbEIP4FUDMAFchwIADOIaEBEGZFTBd6AAAUEsHCPQZ17w0AAAA eAAAAFBLAwQUAAgACABcTSlOAAAAAAAAAAAAAAAAIQAQAFBsYXlwZW4vU2t5VmVnYXMvbG9hZF9z aW1wbGUuaHRtbFVYDAAh2DVcIMI1XHqdjSO1VsuO0zAU3fMVV9k0pVXaImDTdqSZgQUSEqAObBAa eZzbxDS1i+3QGTHz71zn0TSNUzQLvEhi5/jccx9+LFK7zS5eALVFiiyuPidH33cqfig/S9Ts4qNi Mcaw2jzAN0yYIfisQTTQu9xaJUFJngm+WQbF66oYDIfBxbXrwhYXkxLoozBci51t/ri2ziW3gohb fPCnBXKNK2lUhlGmkjCoxBRzMA6G8w68M/CbadhptRUGYQmx4vkWpY00/srR2JVVmiV4yTkaE3r4 qqmRTVGGnb8tT7zyvW5UVoEVZmHPDCSaSet3qW4G7bVSG4Fh8OFqdUtMQgZjCNS9uFEblLdirdkW aehND8vT+D96EKMU/Q48dUZPgG2Av1aaCEhydEy5zXJ6xezB+JS71OP9Tmg0lPog6CoTawj7ZtcM MbOuciTu4R19+orENQeLSOCN2GJYdJKqM4RRaQVewqvX9Hg7rR+z6XQ67CE8Uj6vO8uAuApyq77e XK+sFjLxKeqG+1D5vIig84hiSHRBQRoWsYTHR4qTE1xbHznrO2bT5SQ4TZg/SUkrSX15cf/ef2mp 6HrhgJwdL9tSfGR2mbDhYD7wuL5W2nmjQdDE6ZxeCyKJMpSJTak7Gp3LNqdJnH0XP/xJ2aciQwh5 xFOmL204HcJyCQMYDMuZkcnvTJmV2Zi6pdWeDLvq45GQMd5/WodlRAo+YtVocy1bhCWgojxL3s1+ RSfzLDu37FxrDTxvz2lNrfeLRKt8FwYV8ERta1OpKrOoRGJMfLZPV0vLynsZny6GVqfnLEiZOXsO nD8Dmt2TeEqCvgKbTOBKkVom4YAF43aGfYrEroEeB10OU2+wVNNS2cjL2orhgZcC2OjxlEj3KGgc 0ciMkme8+FwF0e37Gn8ip6OrWHhG0Woupz9HLKDWSpPkyvK/SvoIsJgcXy/oGlLcdOg2U9yJ/gJQ SwcI2s0DHcoCAAAbCQAAUEsDBBQACAAIAFxNKU4AAAAAAAAAAAAAAAAsABAAX19NQUNPU1gvUGxh eXBlbi9Ta3lWZWdhcy8uX2xvYWRfc2ltcGxlLmh0bWxVWAwAIdg1XCDCNVx6nY0jY2AVY2dgYmDw TUxW8A9WiFCAApAYAycQGwHxGiAG8e8xEAUcQ0KCoEyQjhlA7IamhBEhLpqcn6uXWFCQk6pXWJpY lJhXkpmXylCob2BgYGhtmmxsmpRoamDtnp+fnpMaU2Fk4JxRlJ+bam3k4mhh7GrsputoYOiqa2Jo 4aTr5GJqquvkaG7m4uxm6Gjm5MQAAFBLBwhvrAVvkQAAAN4AAABQSwMEFAAIAAgAGFApTgAAAAAA AAAAAAAAABsAEABfX01BQ09TWC9QbGF5cGVuLy5fU2t5VmVnYXNVWAwAXMY1XE/GNVx6nY0jY2AV Y2dgYmDwTUxW8A9WiFCAApAYAycQGwHxGiAG8e8xEAUcQ0KCoEyQjhlA7IamhBEhLpqcn6uXWFCQ k6pXWJpYlJhXkpmXylCob2BgYGhtmmxsmpRoamDtnp+fnpMaU2Fk4JxRlJ+bam3k4mhh7Grsputo YOiqa2Jo4aTr5GJqquvkaG7m4uxm6Gjm5MQAAFBLBwhvrAVvkQAAAN4AAABQSwMEFAAIAAgAE1Ap TgAAAAAAAAAAAAAAABIAEABfX01BQ09TWC8uX1BsYXlwZW5VWAwAXMY1XEbGNVx6nY0jY2AVY2dg YmDwTUxW8A9WiFCAApAYAycQGwHxGiAG8e8xEAUcQ0KCoEyQjhlA7IamhBEhLpqcn6uXWFCQk6pX WJpYlJhXkpmXylCob2BgYGhtmmxsmpRoamDtnp+fnpMaU2Fk4JxRlJ+bam3k4mhh7GrsputoYOiq a2Jo4aTr5GJqquvkaG7m4uxm6Gjm5MQAAFBLBwhvrAVvkQAAAN4AAABQSwECFQMKAAAAAAATUClO AAAAAAAAAAAAAAAACAAMAAAAAAAAAABA7UEAAAAAUGxheXBlbi9VWAgAXMY1XEbGNVxQSwECFQMU AAgACAATUClOagCIbbIAAAAEGAAAEQAMAAAAAAAAAABApIE2AAAAUGxheXBlbi8uRFNfU3RvcmVV WAgAXMY1XEbGNVxQSwECFQMKAAAAAAAZWilOAAAAAAAAAAAAAAAACQAMAAAAAAAAAABA/UE3AQAA X19NQUNPU1gvVVgIACHYNVwh2DVcUEsBAhUDCgAAAAAAGVopTgAAAAAAAAAAAAAAABEADAAAAAAA AAAAQP1BbgEAAF9fTUFDT1NYL1BsYXlwZW4vVVgIACHYNVwh2DVcUEsBAhUDFAAIAAgAE1ApTvQZ 17w0AAAAeAAAABwADAAAAAAAAAAAQKSBrQEAAF9fTUFDT1NYL1BsYXlwZW4vLl8uRFNfU3RvcmVV WAgAXMY1XEbGNVxQSwECFQMKAAAAAABBXyJOAAAAAAAAAAAAAAAAEQAMAAAAAAAAAABA7UE7AgAA UGxheXBlbi9Ta3lCaW5nby9VWAgAXMY1XEmnLFxQSwECFQMUAAgACAA0SylOhurGtTACAABfBQAA IQAMAAAAAAAAAABApIF6AgAAUGxheXBlbi9Ta3lCaW5nby9sb2FkX3NpbXBsZS5odG1sVVgIAFzG NVwTvjVcUEsBAhUDCgAAAAAAGVopTgAAAAAAAAAAAAAAABoADAAAAAAAAAAAQP1BCQUAAF9fTUFD T1NYL1BsYXlwZW4vU2t5QmluZ28vVVgIACHYNVwh2DVcUEsBAhUDFAAIAAgANEspTm+sBW+RAAAA 3gAAACwADAAAAAAAAAAAQKSBUQUAAF9fTUFDT1NYL1BsYXlwZW4vU2t5QmluZ28vLl9sb2FkX3Np bXBsZS5odG1sVVgIAFzGNVwTvjVcUEsBAhUDFAAIAAgAQV8iTm+sBW+RAAAA3gAAABsADAAAAAAA AAAAQKSBTAYAAF9fTUFDT1NYL1BsYXlwZW4vLl9Ta3lCaW5nb1VYCABcxjVcSacsXFBLAQIVAwoA AAAAABhQKU4AAAAAAAAAAAAAAAARAAwAAAAAAAAAAEDtQTYHAABQbGF5cGVuL1NreVZlZ2FzL1VY CABcxjVcT8Y1XFBLAQIVAxQACAAIABpQKU5qAIhtsgAAAAQYAAAaAAwAAAAAAAAAAECkgXUHAABQ bGF5cGVuL1NreVZlZ2FzLy5EU19TdG9yZVVYCABcxjVcVMY1XFBLAQIVAwoAAAAAABlaKU4AAAAA AAAAAAAAAAAaAAwAAAAAAAAAAED9QX8IAABfX01BQ09TWC9QbGF5cGVuL1NreVZlZ2FzL1VYCAAh 2DVcIdg1XFBLAQIVAxQACAAIABpQKU70Gde8NAAAAHgAAAAlAAwAAAAAAAAAAECkgccIAABfX01B Q09TWC9QbGF5cGVuL1NreVZlZ2FzLy5fLkRTX1N0b3JlVVgIAFzGNVxUxjVcUEsBAhUDFAAIAAgA XE0pTtrNAx3KAgAAGwkAACEADAAAAAAAAAAAQKSBXgkAAFBsYXlwZW4vU2t5VmVnYXMvbG9hZF9z aW1wbGUuaHRtbFVYCAAh2DVcIMI1XFBLAQIVAxQACAAIAFxNKU5vrAVvkQAAAN4AAAAsAAwAAAAA AAAAAECkgYcMAABfX01BQ09TWC9QbGF5cGVuL1NreVZlZ2FzLy5fbG9hZF9zaW1wbGUuaHRtbFVY CAAh2DVcIMI1XFBLAQIVAxQACAAIABhQKU5vrAVvkQAAAN4AAAAbAAwAAAAAAAAAAECkgYINAABf X01BQ09TWC9QbGF5cGVuLy5fU2t5VmVnYXNVWAgAXMY1XE/GNVxQSwECFQMUAAgACAATUClOb6wF b5EAAADeAAAAEgAMAAAAAAAAAABApIFsDgAAX19NQUNPU1gvLl9QbGF5cGVuVVgIAFzGNVxGxjVc UEsFBgAAAAASABIA2gUAAE0PAAAAAA==