-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FR: Request header to indicate storage access #130
Comments
Can't you tell this from a cookie? |
Maybe I'm misunderstanding the suggestion, but we want to disambiguate between "The user is not logged in" and "The request is coming from a frame without storage access". |
If you use a different cookie for "got storage access" and "got storage access and user logged in" that seems possible to achieve. One thing that might be tricky is identifying a partitioned context. w3c/webappsec-fetch-metadata#80 and variants aim to address that, although not much progress has been made recently. |
If I understand correctly, a cookie-based approach doesn't really solve the problem @lghall is describing, since the server would have no way to distinguish a new user (or new device) which doesn't yet have cookies from an existing user/device that just hasn't granted storage access yet. My first thoughts for this issue are of:
Adding a new Fetch metadata header would work AFAIK, but would mean the browser always leaks the "has storage access" bit (which may be fine, since its value would change so often). A new UA-CH header would require an extra round-trip, but would avoid leaking that bit by default. |
(nit: this would probably just be a client hint, not a user-agent client hint - since it has nothing to do with the User-Agent string) |
Hi - I've published a proposal for HTTP request/response headers that I believe would satisfy this feature request: https://github.com/cfredric/storage-access-headers Please take a look and let me know if that proposal would be helpful for this, and/or how it could be improved! |
Our EdTech tool is embedded in several contexts, including Google Classroom add-on (as @DavidScales mentioned). I want to confirm that @cfredric 's proposal looks good to us:
One thing I wanted to point out is that the LTI flow's final step can be a form POST instead of a GET, i'm not sure if this has an impact on the |
Currently, the server has no way of knowing whether a particular document request was initiated from an iframe without storage access. Many applications wish to serve a different page when the requested frame does not have storage access, to prompt the user for access (for example, we do this in Google Docs on Safari and Firefox). Currently, we’re forced to do this check on the client. It would be preferable if there could be a request header indicating whether the given request is from a context that does not have storage access.
The text was updated successfully, but these errors were encountered: