-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Give non-eTLD+1 frames site-length, ephemeral storage #8514
Comments
Note to self: check to see if this fixes #6046 when this is closed |
https://fivethirtyeight.com/videos/do-you-buy-that-biden-should-pick-a-running-mate-from-a-swing-state/ is another example of a site this would unbreak |
This would also unbreak https://community.brave.com/t/chart-is-blank-in-brave-browser/138464 |
W3C related conversation on the updated version of this approach / idea privacycg/proposals#18 |
Would remove the need for this exception: #10494 |
Hi, Thank you |
@dlecan we're getting close! No promises, but looks like we might land an implementation in nightly in the next week or three (though the holidays might slow things down). It'd then take two releases (~6 weeks) for it to make its way to stable unless we do an uplift (which, given the need for testing here, is unlikely) |
Thank you! |
@pes10k
could you elaborate what you mean by this? or do you just mean to move the login form to the first party domain that houses the comment form in the iframe currently, and then pass that on? that wouldn't work in our setup unfortunately thank you for your response |
@bogger33 If you control both frames, you can use the main / 1p site as your permanent data store, and send those persistently-stored values to the third-party frame using postMessage, and then use those values as you like in the 3p frame. Just know (as in Safari, for example) that any values that are stored in the storage area of the 3p frame will be lost when the frame closes. @dlongley the best I can suggest for now (besides an extension or browser integration) would be using 1p redirect, and bouncing the credentials back to the original site. So, in your example, rp.example would have a link to authn.io (which is where the 1p auth storage is if i understand correctly). User clicks that link, is taken to authn.io, which does what it needs to do, and redirects back to rp.example w/ the values in the URL or otherwise (basically, an oAuth flow). I think that'd work for ya, and as long as you steered clear of getting classified as a tracking origin by Firefox or Safari (as determined by Disconnect or ITP) you'd be fine in those browsers. Brave also has upcoming plans for protecting against using the above pattern for bounce tracking, but nothing concrete yet. Hope that helps! |
@pes10k I can't really do that, since hosting the login on the domain with the user generated html content is just an invitation for people to make phishing forms on that domain, and there's more than one domain the comment form gets embedded from (basically it's a site generator so people can hook up their own domain names). I guess I will also have to go with an oauth type of thing in a popup, although I was trying to avoid it since it adds a lot of friction for leaving a comment. I know it's not a simple problem to solve, but I wish there was a better way to transfer credentials accross domains that belong to the same site. |
Unfortunately, falling back to an oauth-style flow would defeat one of the main purposes of the credential handler technology. It was created, in part, to eliminate the problem of redirection and loss of state on the relying party. The polyfill works on browsers that support the Storage Access API -- but it is sounding like there is no clear and privacy-preserving alternative means to polyfill for Brave. I do hope the Brave team will reconsider implementing the Storage Access API in the future. |
Closing this issue since the feature has been merged in for a while, is on by default on Beta and Nightly, and being deployed to stable through Griffin (currently ~20% enabled) |
@pes10k is there anything that QA needs to do here? If so, is there any STR/Cases? |
@kjozwiak nothing other than the tests https://dev-pages.brave.software/storage/ephemeral-storage.html (which I think have already been tied to another related issue IIRC; there are several issues all relating to ephemeral storage) |
Sounds good 👍 Going to label this as |
I am not sure if its been mentioned in release notes (given that the roll out is being controlled by griffin), but i think a QA/No sounds 👍 |
Awesome work! |
@dlecan it should be default on for all users now, as per brave/brave-variations#13. Are seeing otherwise? |
Thank you for the pointer, I haven't found anything about 'Griffin" before :) Screenshot of https://griffin.brave.com/ a few seconds ago: Beta variation is at 100%. If I run Brave with "beta" variation ( What's wrong with release variation? |
thanks @dlecan , that is unexpected, i will talk to folks and get back to you shortly! |
Hi @dlecan looks like a task runner fell over when trying to deploy the "on for everyone" update. If you referesh https://griffin.brave.com/ you'll see we're at 100% for all channels now. Thanks for letting us know! |
Enabled for everyone this morning and working as expected 💪 |
Currently non eTLD+1 frames get do not have any storage, which means frames expecting normal acting localStorage, document.cookie, etc will have web compat problems.
non eTLD+1 frames should instead get
The text was updated successfully, but these errors were encountered: