Use (top-level site, embedded site) permissions #147
Assignees
Labels
resolve before graduation
These issues need to be resolved before the spec graduates from the CG
Comments
johannhof
added
the
resolve before graduation
3 tasks
johannhof
added a commit
to johannhof/storage-access
that referenced
this issue
Jan 23, 2023
privacycg#156) This updates the permission key for storage-access to (site, site), and also removes the concept of the "partitioned storage key", which was origin-keyed as well. The storage key was only used for running the implementation-defined steps that are supposed to be removed as of privacycg#156.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There seems to be consensus that given the security properties of per-frame rSA it's reasonable to go back to (site, site) as the permission key. This would have the advantage that adjacent same-site iframes would be able to observe when storage access was available, without exposing these iframes to immediate storage access. It would also codify the user-visible permission grant level that most browsers will likely apply.
The text was updated successfully, but these errors were encountered: