From 5555beb82324717f6da58da5850638c4c71da1da Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Tue, 13 Jun 2023 18:19:39 +0000 Subject: [PATCH 01/21] Check whether the context already has unpartitioned data access in hSA --- storage-access.bs | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index cbd4578..4749b6d 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -129,6 +129,8 @@ A {{Document}} is in a first-party-site context if it is the [=active A {{Document}} is in a third party context if it is not in a [=first-party-site context=]. +Global user settings are user agent settings that can be modified by users. +

Changes to user agent state related to storage access

Modify the definition of [=environment=] in the following manner: @@ -162,7 +164,10 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. -1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |global|'s [=environment/has storage access=]. +1. If |global|'s [=environment/has storage access=] is true, [=/resolve=] |p| with true and return |p|. +1. Run the following steps [=in parallel=]: + 1. Let |has unpartitioned data access| be the result of whether the user agent allows |doc| access [=unpartitioned data=] based on [=global user settings=]. + 1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |has unpartitioned data access|. 1. Return |p|. When invoked on {{Document}} |doc|, the requestStorageAccess() method must run these steps: 
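Review bot: In the hasStorageAccess() hunk of patch 01 (`@@ -162,7 +164,10 @@`), the new step `Let |has unpartitioned data access| be the result of whether the user agent allows |doc| access [=unpartitioned data=] based on [=global user settings=].` autolinks a term that the hunk above only adds as plain prose (`+Global user settings are user agent settings that can be modified by users.`), so Bikeshed has nothing to resolve `[=global user settings=]` against; either wrap it in a dfn element or drop the link. The same step is also missing "to" before `[=unpartitioned data=]`, and it reads |doc| from inside the in-parallel steps, which is main-thread state. Separately, the early `If |global|'s [=environment/has storage access=] is true, [=/resolve=] |p| with true and return |p|.` bypasses the user-agent settings check entirely, so a user-agent-side disallow would never be reflected for a frame that already obtained access; if that is intended it should be stated, otherwise the settings check has to run first.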
@@ -185,7 +190,7 @@ When invoked on {{Document}} |doc|, the re NOTE: This check is [=same site=] on purpose, to allow embedded sites to use `requestStorageAccess()` to opt into storage access without involvement from the end user in scenarios where storage access is restricted for security and not privacy purposes. 1. If |doc|'s [=active sandboxing flag set=] has its [=sandbox storage access by user activation flag=] set, [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}} and return |p|. -1. If |global|'s [=environment/has storage access=] is true, [=/resolve=] |p| with {{undefined}} and return. +1. If |global|'s [=environment/has storage access=] is true, [=/resolve=] and return |p|. 1. Let |has transient activation| be whether |doc|'s {{Window}} object has [=transient activation=]. 1. Run the following steps [=in parallel=]: 1. Let |process permission state| be an algorithm that, given a [=permission state=] |state|, runs the following steps: @@ -442,4 +447,4 @@ Zach Edwards, and everyone who commented on [whatwg/html#3338](https://github.com/whatwg/html/issues/3338), [privacycg/proposals#2](https://github.com/privacycg/proposals/issues/2), and [privacycg/storage-access/issues](https://github.com/privacycg/storage-access/issues) for their feedback on this proposal. -Thanks to the [WebKit Open Source Project](https://webkit.org/) for allowing us to use the [Storage Access API Prompt](#example-prompt) image, which was [originally published on webkit.org](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/). +Thanks to the [WebKit Open Source Project](https://webkit.org/) for allowing us to use the [Storage Access API Prompt](#example-prompt) image, which was [originally published on webkit.org](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/). \ No newline at end of file From d5efb4d2c0bf37814ba1bc25fbca024c6fe68d2e Mon Sep 17 00:00:00 2001 
From: Shuran Huang Date: Wed, 14 Jun 2023 20:07:34 +0000 Subject: [PATCH 02/21] Add implementation dfn of "whether the user agent allows unpartitioned data access" --- storage-access.bs | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 4749b6d..eb9cc3a 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -129,8 +129,6 @@ A {{Document}} is in a first-party-site context if it is the [=active A {{Document}} is in a third party context if it is not in a [=first-party-site context=]. -Global user settings are user agent settings that can be modified by users. -

Changes to user agent state related to storage access

Modify the definition of [=environment=] in the following manner: @@ -164,9 +162,14 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. -1. If |global|'s [=environment/has storage access=] is true, [=/resolve=] |p| with true and return |p|. +1. Let |hasStorageAccess| be |global|'s [=environment/has storage access=]. 1. Run the following steps [=in parallel=]: - 1. Let |has unpartitioned data access| be the result of whether the user agent allows |doc| access [=unpartitioned data=] based on [=global user settings=]. + 1. Let whether the user agent allows [=unpartitioned data=] access be an algorithm that, given a [=boolean=] |has per-frame storage access|, runs the following steps: + 1. If |has per-frame storage access| is false: + 1. If user agent allows [=unpartitioned data=] access via settings, return true. + 1. If user agent disallows [=unpartitioned data=] access via settings, return false. + 1. Return true. + 1. Let |has unpartitioned data access| be the result of running whether the user agent allows unpartitioned data access with |hasStorageAccess|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |has unpartitioned data access|. 1. Return |p|. 
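Review bot: The inline algorithm in patch 02's hasStorageAccess() hunk (`@@ -164,9 +162,14 @@`) returns the wrong value for the common case. When |has per-frame storage access| is false and the user agent has no explicit setting either way, neither nested step fires and control falls through to `1. Return true.`, so a frame with no storage access and no user override resolves hasStorageAccess() with true. The fall-through should return |has per-frame storage access| (false here) and only the explicit-allow branch should return true. The nested steps also assume "allows via settings" and "disallows via settings" are the only possibilities without defining the no-setting case, and the algorithm's multi-word name (`whether the user agent allows [=unpartitioned data=] access`) is introduced with "Let ... be an algorithm" without variable delimiters, which makes the later "Run whether the user agent allows unpartitioned data access" hard to read; a pipe-delimited or dfn'd name would help.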
@@ -190,7 +193,7 @@ When invoked on {{Document}} |doc|, the re NOTE: This check is [=same site=] on purpose, to allow embedded sites to use `requestStorageAccess()` to opt into storage access without involvement from the end user in scenarios where storage access is restricted for security and not privacy purposes. 1. If |doc|'s [=active sandboxing flag set=] has its [=sandbox storage access by user activation flag=] set, [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}} and return |p|. -1. If |global|'s [=environment/has storage access=] is true, [=/resolve=] and return |p|. +1. If |global|'s [=environment/has storage access=] is true, [=/resolve=] |p| with {{undefined}} and return. 1. Let |has transient activation| be whether |doc|'s {{Window}} object has [=transient activation=]. 1. Run the following steps [=in parallel=]: 1. Let |process permission state| be an algorithm that, given a [=permission state=] |state|, runs the following steps: @@ -447,4 +450,4 @@ Zach Edwards, and everyone who commented on [whatwg/html#3338](https://github.com/whatwg/html/issues/3338), [privacycg/proposals#2](https://github.com/privacycg/proposals/issues/2), and [privacycg/storage-access/issues](https://github.com/privacycg/storage-access/issues) for their feedback on this proposal. -Thanks to the [WebKit Open Source Project](https://webkit.org/) for allowing us to use the [Storage Access API Prompt](#example-prompt) image, which was [originally published on webkit.org](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/). \ No newline at end of file +Thanks to the [WebKit Open Source Project](https://webkit.org/) for allowing us to use the [Storage Access API Prompt](#example-prompt) image, which was [originally published on webkit.org](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/). From de02b6943c91459a236de861f7c31783f6d2dfd3 Mon Sep 17 00:00:00 2001 
From: Shuran Huang Date: Wed, 14 Jun 2023 20:13:55 +0000 Subject: [PATCH 03/21] Queue a global task for the algo --- storage-access.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index eb9cc3a..b51d63d 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -165,12 +165,12 @@ When invoked on {{Document}} |doc|, the ha 1. Let |hasStorageAccess| be |global|'s [=environment/has storage access=]. 1. Run the following steps [=in parallel=]: 1. Let whether the user agent allows [=unpartitioned data=] access be an algorithm that, given a [=boolean=] |has per-frame storage access|, runs the following steps: - 1. If |has per-frame storage access| is false: - 1. If user agent allows [=unpartitioned data=] access via settings, return true. - 1. If user agent disallows [=unpartitioned data=] access via settings, return false. - 1. Return true. - 1. Let |has unpartitioned data access| be the result of running whether the user agent allows unpartitioned data access with |hasStorageAccess|. - 1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |has unpartitioned data access|. + 1. [=Queue a global task=] on the [=permission task source=] given |global| to: + 1. If |has per-frame storage access| is false: + 1. If user agent allows [=unpartitioned data=] access via settings, [=/resolve=] |p| with true and return |p|. + 1. If user agent disallows [=unpartitioned data=] access via settings, [=/resolve=] |p| with false and return |p|. + 1. [=/Resolve=] |p| with true and return |p|. + 1. Run whether the user agent allows unpartitioned data access with |hasStorageAccess|. 1. Return |p|. When invoked on {{Document}} |doc|, the requestStorageAccess() method must run these steps: From 9191beea119bb9ab22d79637afd42ee0be684246 Mon Sep 17 00:00:00 2001 
From: Shuran Huang Date: Thu, 15 Jun 2023 15:17:57 +0000 Subject: [PATCH 04/21] Address comments --- storage-access.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index b51d63d..bc4487c 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -162,15 +162,15 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. -1. Let |hasStorageAccess| be |global|'s [=environment/has storage access=]. 1. Run the following steps [=in parallel=]: - 1. Let whether the user agent allows [=unpartitioned data=] access be an algorithm that, given a [=boolean=] |has per-frame storage access|, runs the following steps: + 1. Let whether the user agent allows unpartitioned cookie access be an algorithm that, given a user agent's settings object |user agent settings| and a [=boolean=] |has per-frame storage access|, runs the following steps: 1. [=Queue a global task=] on the [=permission task source=] given |global| to: 1. If |has per-frame storage access| is false: - 1. If user agent allows [=unpartitioned data=] access via settings, [=/resolve=] |p| with true and return |p|. - 1. If user agent disallows [=unpartitioned data=] access via settings, [=/resolve=] |p| with false and return |p|. + 1. If |user agent settings| allows unpartitioned cookie access, [=/resolve=] |p| with true and return |p|. + 1. If |user agent settings| disallows unpartitioned cookie access, [=/resolve=] |p| with false and return |p|. 1. [=/Resolve=] |p| with true and return |p|. - 1. Run whether the user agent allows unpartitioned data access with |hasStorageAccess|. + 1. Let |user agent settings| be user agent's settings. + 1. Run whether the user agent allows unpartitioned cookie access with |user agent settings| and |global|'s [=environment/has storage access=]. 1. Return |p|. 
When invoked on {{Document}} |doc|, the requestStorageAccess() method must run these steps: From 88d169e747f0cfdbf7a5463ccfdcbd91376d3a97 Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Thu, 15 Jun 2023 18:40:12 +0000 Subject: [PATCH 05/21] Update inline algo definition --- storage-access.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index bc4487c..73952d1 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -163,14 +163,14 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. 1. Run the following steps [=in parallel=]: - 1. Let whether the user agent allows unpartitioned cookie access be an algorithm that, given a user agent's settings object |user agent settings| and a [=boolean=] |has per-frame storage access|, runs the following steps: + 1. Let |Whether the User Agent Allows Unpartitioned Cookie Access| be an algorithm that, given a user agent's settings object |user agent settings|, runs the following steps: 1. [=Queue a global task=] on the [=permission task source=] given |global| to: - 1. If |has per-frame storage access| is false: + 1. If |global|'s [=environment/has storage access=] is false: 1. If |user agent settings| allows unpartitioned cookie access, [=/resolve=] |p| with true and return |p|. 1. If |user agent settings| disallows unpartitioned cookie access, [=/resolve=] |p| with false and return |p|. 1. [=/Resolve=] |p| with true and return |p|. 1. Let |user agent settings| be user agent's settings. - 1. Run whether the user agent allows unpartitioned cookie access with |user agent settings| and |global|'s [=environment/has storage access=]. + 1. Run |Whether the User Agent Allows Unpartitioned Cookie Access| with |user agent settings|. 1. Return |p|. When invoked on {{Document}} |doc|, the requestStorageAccess() method must run these steps: From 95261cc802998d3c0681f65cfaf8259c5b0d9fdf Mon Sep 17 00:00:00 2001 
From: Shuran Huang Date: Tue, 20 Jun 2023 21:57:07 +0000 Subject: [PATCH 06/21] Update the "user agent explicitly allows..." part --- storage-access.bs | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 73952d1..690638e 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -163,14 +163,20 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. 1. Run the following steps [=in parallel=]: - 1. Let |Whether the User Agent Allows Unpartitioned Cookie Access| be an algorithm that, given a user agent's settings object |user agent settings|, runs the following steps: - 1. [=Queue a global task=] on the [=permission task source=] given |global| to: - 1. If |global|'s [=environment/has storage access=] is false: - 1. If |user agent settings| allows unpartitioned cookie access, [=/resolve=] |p| with true and return |p|. - 1. If |user agent settings| disallows unpartitioned cookie access, [=/resolve=] |p| with false and return |p|. - 1. [=/Resolve=] |p| with true and return |p|. - 1. Let |user agent settings| be user agent's settings. - 1. Run |Whether the User Agent Allows Unpartitioned Cookie Access| with |user agent settings|. + 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm that runs the following steps: + + Note: The "explicit allow" can come from user agent's per-site allow-lists or the user changing global browser settings, etc.. + + 1. If user agent does not have explicit settings for unpartitioned cookie access for |doc|, return 'none'. + 1. If user agent's settings explicitly allow unpartitioned cookie access for |doc|, return 'allow'. + 1. If user agent's settings explicitly disallow unpartitioned cookie access for |doc|, return 'disallow'. + 1. 
Let |explicitSetting| be the result of |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access|. + 1. Let |previous permission state| be the result of [=getting the current permission state=] given "storage-access" and |global|. + 1. [=Queue a global task=] on the [=permission task source=] given |global| to: + 1. If |explicitSetting| is 'none': + 1. If |previous permission state| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and return |p|. + 1. If |explicitSetting| is 'allow', [=/resolve=] |p| with true and return |p|. + 1. [=/Resolve=] |p| with false and return |p|. 1. Return |p|. When invoked on {{Document}} |doc|, the requestStorageAccess() method must run these steps: From a8a08ccdb9ed7bf6a6f9a5404b3518361a51f22a Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Thu, 22 Jun 2023 18:57:43 +0000 Subject: [PATCH 07/21] Use (topLevelSite, embeddedSite) tuple for user agent's setting checks. --- storage-access.bs | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 690638e..7cd1fd3 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -162,20 +162,22 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. +1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. +1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: - 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm that runs the following steps: + 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". Note: The "explicit allow" can come from user agent's per-site allow-lists or the user changing global browser settings, etc.. - 1. If user agent does not have explicit settings for unpartitioned cookie access for |doc|, return 'none'. - 1. If user agent's settings explicitly allow unpartitioned cookie access for |doc|, return 'allow'. - 1. If user agent's settings explicitly disallow unpartitioned cookie access for |doc|, return 'disallow'. - 1. Let |explicitSetting| be the result of |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access|. - 1. Let |previous permission state| be the result of [=getting the current permission state=] given "storage-access" and |global|. + 1. If user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". + 1. 
If user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". + 1. If user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". + 1. Let |explicitSetting| be the result of |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| with (|topLevelSite|, |embeddedSite|). + 1. Let |previousPermissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permission task source=] given |global| to: - 1. If |explicitSetting| is 'none': - 1. If |previous permission state| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and return |p|. - 1. If |explicitSetting| is 'allow', [=/resolve=] |p| with true and return |p|. + 1. If |explicitSetting| is "none": + 1. If |previousPermissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and return |p|. + 1. If |explicitSetting| is "allow", [=/resolve=] |p| with true and return |p|. 1. [=/Resolve=] |p| with false and return |p|. 1. Return |p|. From 259ede3e413c5d5286c9482618c4613141c25078 Mon Sep 17 00:00:00 2001 From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Thu, 29 Jun 2023 10:22:20 -0400 Subject: [PATCH 08/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 7cd1fd3..e16bfc7 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -165,7 +165,7 @@ When invoked on {{Document}} |doc|, the ha 1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. 1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: - 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". + 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". Note: The "explicit allow" can come from user agent's per-site allow-lists or the user changing global browser settings, etc.. From 2c68690416a8115ddfd694eaaaa0b6faa63c8801 Mon Sep 17 00:00:00 2001 From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Thu, 29 Jun 2023 10:23:21 -0400 Subject: [PATCH 09/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index e16bfc7..8b6b160 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -167,7 +167,7 @@ When invoked on {{Document}} |doc|, the ha 1. Run the following steps [=in parallel=]: 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". - Note: The "explicit allow" can come from user agent's per-site allow-lists or the user changing global browser settings, etc.. + Note: A user agent's settings might explicitly allow or disallow unpartitioned cookie access through per-site allow-lists, the user changing global browser settings, or similar custom overrides. 1. If user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". 1. If user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". From 5140c14e04602dc4482fde8bdcfa714948f088fc Mon Sep 17 00:00:00 2001 From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Thu, 29 Jun 2023 10:23:30 -0400 Subject: [PATCH 10/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 8b6b160..df23d51 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -172,7 +172,7 @@ When invoked on {{Document}} |doc|, the ha 1. If user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". 1. If user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". 1. If user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". - 1. Let |explicitSetting| be the result of |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| with (|topLevelSite|, |embeddedSite|). + 1. Let |explicitSetting| be the result of determining |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| with (|topLevelSite|, |embeddedSite|). 1. Let |previousPermissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permission task source=] given |global| to: 1. If |explicitSetting| is "none": From 971c279af86813fd703b09533a27db30c228a83a Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Fri, 30 Jun 2023 02:45:13 +0000 Subject: [PATCH 11/21] Add non-normative note for user decission. --- storage-access.bs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index df23d51..523265a 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -165,18 +165,21 @@ When invoked on {{Document}} |doc|, the ha 1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. 1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: - 1. Let |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". + 1. Let |whether the user agent explicitly allows unpartitioned cookie access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". Note: A user agent's settings might explicitly allow or disallow unpartitioned cookie access through per-site allow-lists, the user changing global browser settings, or similar custom overrides. 1. If user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". 1. If user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". 1. If user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". - 1. Let |explicitSetting| be the result of determining |Whether the User Agent Explicitly Allows Unpartitioned Cookie Access| with (|topLevelSite|, |embeddedSite|). + 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). 1. Let |previousPermissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. - 1. [=Queue a global task=] on the [=permission task source=] given |global| to: + 1. [=Queue a global task=] on the [=permissions task source=] given |global| to: 1. 
If |explicitSetting| is "none": 1. If |previousPermissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and return |p|. + + Note: The user decission to revoke the previously granted permission should overrule the cookie access without pending a reload on the iframe or similar. + 1. If |explicitSetting| is "allow", [=/resolve=] |p| with true and return |p|. 1. [=/Resolve=] |p| with false and return |p|. 1. Return |p|. From 7a88f3ef48d679f676ff23bd403ed4127657b4b5 Mon Sep 17 00:00:00 2001 From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Wed, 5 Jul 2023 22:22:11 -0400 Subject: [PATCH 12/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 523265a..52e675c 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -169,7 +169,7 @@ When invoked on {{Document}} |doc|, the ha Note: A user agent's settings might explicitly allow or disallow unpartitioned cookie access through per-site allow-lists, the user changing global browser settings, or similar custom overrides. - 1. If user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". + 1. If the user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". 1. If user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". 1. If user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). From bd288a12c037c64100fec9a8a2b3271da53a6e46 Mon Sep 17 00:00:00 2001 
From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Wed, 5 Jul 2023 22:22:21 -0400 Subject: [PATCH 13/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 52e675c..4306fa6 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -170,7 +170,7 @@ When invoked on {{Document}} |doc|, the ha Note: A user agent's settings might explicitly allow or disallow unpartitioned cookie access through per-site allow-lists, the user changing global browser settings, or similar custom overrides. 1. If the user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". - 1. If user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". + 1. If the user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". 1. If user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). 1. Let |previousPermissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. From 9637c1ce48e4b09eb03fe1c05c9b721b0c5ccb37 Mon Sep 17 00:00:00 2001 From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Wed, 5 Jul 2023 22:22:29 -0400 Subject: [PATCH 14/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 4306fa6..48a72e7 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -171,7 +171,7 @@ When invoked on {{Document}} |doc|, the ha 1. If the user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". 1. If the user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". - 1. If user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". + 1. If the user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). 1. Let |previousPermissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to: From a390040c3d0ceee996cfad4f768b445d208e94dd Mon Sep 17 00:00:00 2001 From: Shuran Huang <89418275+shuranhuang@users.noreply.github.com> Date: Wed, 5 Jul 2023 22:23:18 -0400 Subject: [PATCH 15/21] Update storage-access.bs Co-authored-by: Johann Hofmann --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 48a72e7..39ac625 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -178,7 +178,7 @@ When invoked on {{Document}} |doc|, the ha 1. If |explicitSetting| is "none": 1. If |previousPermissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and return |p|. - Note: The user decission to revoke the previously granted permission should overrule the cookie access without pending a reload on the iframe or similar. + Note: The global storage access permission state takes precedence over the local [=environment/has storage access=] flag here, in order to immediately reflect a possible user choice to revoke the permission in their settings. 1. If |explicitSetting| is "allow", [=/resolve=] |p| with true and return |p|. 1. [=/Resolve=] |p| with false and return |p|. From f3aaccb67123291cd53fa1d0c8f9a7f6b49b6534 Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Thu, 6 Jul 2023 02:26:51 +0000 Subject: [PATCH 16/21] Update storage-access.bs --- storage-access.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 39ac625..178e779 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -173,15 +173,15 @@ When invoked on {{Document}} |doc|, the ha 1. If the user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". 1. If the user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). - 1. Let |previousPermissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. + 1. Let |permissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to: 1. If |explicitSetting| is "none": - 1. If |previousPermissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and return |p|. + 1. If |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. Note: The global storage access permission state takes precedence over the local [=environment/has storage access=] flag here, in order to immediately reflect a possible user choice to revoke the permission in their settings. - 1. If |explicitSetting| is "allow", [=/resolve=] |p| with true and return |p|. - 1. [=/Resolve=] |p| with false and return |p|. + 1. If |explicitSetting| is "allow", [=/resolve=] |p| with true. + 1. [=/Resolve=] |p| with false. 1. Return |p|. When invoked on {{Document}} |doc|, the requestStorageAccess() method must run these steps: From 8f5dda897afa77c99c312a349d6ddeeb6b83293b Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Thu, 6 Jul 2023 14:28:20 +0000 Subject: [PATCH 17/21] Inline the sub step --- storage-access.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 178e779..63ac8f2 100644 --- a/storage-access.bs 
+++ b/storage-access.bs @@ -175,8 +175,7 @@ When invoked on {{Document}} |doc|, the ha 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). 1. Let |permissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to: - 1. If |explicitSetting| is "none": - 1. If |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. + 1. If |explicitSetting| is "none" and |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. Note: The global storage access permission state takes precedence over the local [=environment/has storage access=] flag here, in order to immediately reflect a possible user choice to revoke the permission in their settings. From 4ad7a3214de3d2f70479284832ce692745c23bfa Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Wed, 12 Jul 2023 14:38:51 +0000 Subject: [PATCH 18/21] format string --- storage-access.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 63ac8f2..3458137 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -165,21 +165,21 @@ When invoked on {{Document}} |doc|, the ha 1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. 1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: - 1. Let |whether the user agent explicitly allows unpartitioned cookie access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "none", "allow" or "disallow". + 1. Let |whether the user agent explicitly allows unpartitioned cookie access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "`none`", "`allow`" or "`disallow`". Note: A user agent's settings might explicitly allow or disallow unpartitioned cookie access through per-site allow-lists, the user changing global browser settings, or similar custom overrides. - 1. If the user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "none". - 1. If the user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "allow". - 1. If the user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "disallow". + 1. If the user agent does not have explicit settings for unpartitioned cookie access for |tuple|, return "`none`". + 1. If the user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "`allow`". + 1. If the user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "`disallow`". 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). 1. Let |permissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. 
[=Queue a global task=] on the [=permissions task source=] given |global| to: - 1. If |explicitSetting| is "none" and |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. + 1. If |explicitSetting| is "`none`" and |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. Note: The global storage access permission state takes precedence over the local [=environment/has storage access=] flag here, in order to immediately reflect a possible user choice to revoke the permission in their settings. - 1. If |explicitSetting| is "allow", [=/resolve=] |p| with true. + 1. If |explicitSetting| is "`allow`", [=/resolve=] |p| with true. 1. [=/Resolve=] |p| with false. 1. Return |p|. From 10030f44ecc4239e27c77e9b4b31a556a8fa6eff Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Fri, 21 Jul 2023 17:41:50 +0000 Subject: [PATCH 19/21] Remove early return for top-level document and same authority cases --- storage-access.bs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 3458137..1853a17 100644 --- a/storage-access.bs +++ b/storage-access.bs 
@@ -156,12 +156,7 @@ When invoked on {{Document}} |doc|, the ha 1. If |doc|'s [=Document/origin=] is an [=opaque origin=], [=/resolve=] |p| with false and return |p|. 1. Let |global| be |doc|'s [=relevant global object=]. 1. If |global| is not a [=secure context=], then [=/resolve=] |p| with false and return |p|. -1. If |doc|'s [=Document/browsing context=] is a [=top-level browsing context=], [=/resolve=] |p| with true and return |p|. 1. If the [=top-level origin=] of |doc|'s [=relevant settings object=] is an [=opaque origin=], [=/resolve=] |p| with false and return |p|. -1. If |doc| is same authority with |doc|'s [=Document/browsing context=]'s [=top-level browsing context=]'s [=active document=], [=/resolve=] |p| with true and return |p|. - - ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. - 1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. 1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: From 3ef5060c876d72f2c450fc223d4a446118676b87 Mon Sep 17 00:00:00 2001 From: Shuran Huang Date: Mon, 24 Jul 2023 19:02:59 +0000 Subject: [PATCH 20/21] Add back top-level and same authority checks and make sure they are checked only if user settings do not explicitly allow/disallow --- storage-access.bs | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 1853a17..c5ee737 100644 --- a/storage-access.bs 
+++ b/storage-access.bs @@ -157,6 +157,7 @@ When invoked on {{Document}} |doc|, the ha 1. Let |global| be |doc|'s [=relevant global object=]. 1. If |global| is not a [=secure context=], then [=/resolve=] |p| with false and return |p|. 1. If the [=top-level origin=] of |doc|'s [=relevant settings object=] is an [=opaque origin=], [=/resolve=] |p| with false and return |p|. +1. Let |browsingContext| be |doc|'s [=Document/browsing context=]. 1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. 1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: 
@@ -170,11 +171,18 @@ When invoked on {{Document}} |doc|, the ha 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). 1. Let |permissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to: - 1. If |explicitSetting| is "`none`" and |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. + 1. If |explicitSetting| is "`disallow`", [=/resolve=] |p| with false. + 1. If |explicitSetting| is "`allow`", [=/resolve=] |p| with true. + 1. If |explicitSetting| is "`none`": + 1. If |browsingContext| is a [=top-level browsing context=], [=/resolve=] |p| with true. + 1. If |browsingContext| is same authority with |browsingContext|'s [=top-level browsing context=]'s [=active document=], [=/resolve=] |p| with true. + + ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. + + 1. If |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. Note: The global storage access permission state takes precedence over the local [=environment/has storage access=] flag here, in order to immediately reflect a possible user choice to revoke the permission in their settings. - 1. If |explicitSetting| is "`allow`", [=/resolve=] |p| with true. 1. [=/Resolve=] |p| with false. 1. Return |p|. From 024f4b8d2f9ad1ca79c56b7c4bef91ac745d24e7 Mon Sep 17 00:00:00 2001 
From: Shuran Huang Date: Tue, 25 Jul 2023 14:30:06 +0000 Subject: [PATCH 21/21] Resolve comments --- storage-access.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index c5ee737..db9eef4 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -161,7 +161,7 @@ When invoked on {{Document}} |doc|, the ha 1. Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from the [=top-level origin=] of |doc|'s [=relevant settings object=]. 1. Let |embeddedSite| be the result of [=obtain a site|obtaining a site=] from |doc|'s [=Document/origin=]. 1. Run the following steps [=in parallel=]: - 1. Let |whether the user agent explicitly allows unpartitioned cookie access| be an algorithm that, given a [=tuple=] |tuple| consisting of [=sites=], runs the following steps. This algorithm returns "`none`", "`allow`" or "`disallow`". + 1. Let |whether the user agent explicitly allows unpartitioned cookie access| be an algorithm that, given a [=tuple=] |tuple| consisting of two [=sites=], runs the following steps. This algorithm returns "`none`", "`allow`" or "`disallow`". Note: A user agent's settings might explicitly allow or disallow unpartitioned cookie access through per-site allow-lists, the user changing global browser settings, or similar custom overrides. 
@@ -169,7 +169,6 @@ When invoked on {{Document}} |doc|, the ha 1. If the user agent's settings explicitly allow unpartitioned cookie access for |tuple|, return "`allow`". 1. If the user agent's settings explicitly disallow unpartitioned cookie access for |tuple|, return "`disallow`". 1. Let |explicitSetting| be the result of determining |whether the user agent explicitly allows unpartitioned cookie access| with (|topLevelSite|, |embeddedSite|). - 1. Let |permissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to: 1. If |explicitSetting| is "`disallow`", [=/resolve=] |p| with false. 1. If |explicitSetting| is "`allow`", [=/resolve=] |p| with true. @@ -179,6 +178,7 @@ When invoked on {{Document}} |doc|, the ha ISSUE: "same authority" here is a placeholder for a future concept that allows user agents to perform [=same site=] checks while adhering to additional security aspects such as the presence of a cross-site parent document, see [whatwg/storage#142](https://github.com/whatwg/storage/issues/142#issuecomment-1122147159). In practice, this might involve comparing the [=site for cookies=] or performing a [=same site=] check with the top-level document. + 1. Let |permissionState| be the result of [=getting the current permission state=] given "storage-access" and |global|. 1. If |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=]. Note: The global storage access permission state takes precedence over the local [=environment/has storage access=] flag here, in order to immediately reflect a possible user choice to revoke the permission in their settings.
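Review bot: In PATCH 13 (hunk `@@ -170,7 +170,7 @@`), the article fix is applied to the "allow" step only while the "disallow" step in the trailing context still reads "If user agent's settings explicitly disallow ..."; apply the same wording to both steps in one change so the three sibling steps read consistently (PATCH 14 later makes this second fix on its own).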
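Review bot: In PATCH 16 (hunk `@@ -173,15 +173,15 @@`), dropping "and return |p|" from the steps inside the queued global task is right, since a queued task has no caller to return |p| to, but it leaves the task falling through to the later "resolve |p| with true" / "resolve |p| with false" steps after |p| has already been resolved. That is harmless only because resolving an already-resolved promise is a no-op; the intent is clearer if each branch ends with "and abort these steps", e.g. `1. If |permissionState| is [=permission/granted=], [=/resolve=] |p| with |global|'s [=environment/has storage access=] and abort these steps.`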
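Review bot: In PATCH 19 (hunk `@@ -156,12 +156,7 @@`), removing the top-level browsing context and same-authority early returns changes behaviour: a top-level document with no explicit user-agent setting for its (site, site) tuple and no granted "storage-access" permission now falls through to "resolve |p| with false", so hasStorageAccess() reports no access to the document's own unpartitioned cookies. The same holds for a same-site embedded document. If the goal is only to let explicit user settings take priority, keep these checks and move them below the explicit-setting branch rather than deleting them (PATCH 20 restores them that way); the ISSUE note on "same authority" should move with them rather than be dropped.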
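Review bot: In PATCH 20 (hunk `@@ -170,11 +171,18 @@`), the restored same-authority step compares the wrong types: `1. If |browsingContext| is same authority with |browsingContext|'s [=top-level browsing context=]'s [=active document=], [=/resolve=] |p| with true.` tests a browsing context against a document, whereas the line removed in PATCH 19 compared |doc| with the top-level active document. It should read "If |doc| is same authority with |browsingContext|'s [=top-level browsing context=]'s [=active document=], ...". Two further points in this hunk: none of the resolve steps aborts the task, so a "`disallow`" result is followed by the remaining steps and the final "resolve |p| with false" (each branch should end with "and abort these steps"); and the new ordering makes an explicit "`disallow`" for the (|topLevelSite|, |embeddedSite|) tuple win even when |browsingContext| is a top-level browsing context, i.e. a top-level document can be told it has no access to its own cookies. If that is intended, the Note below the hunk should say so, since it currently only explains the permission-state precedence.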
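Review bot: In PATCH 21 (hunk `@@ -179,6 +178,7 @@`), moving "getting the current permission state" into the queued global task is the right fix, since the previous placement read permission state from the parallel steps; note that the added step now sits under the "`none`" branch, after the top-level and same-authority checks, so the "storage-access" permission is consulted only when no explicit user setting exists and the document is neither top-level nor same authority with the top-level document. That matches the commit's intent, but the Note that follows ("The global storage access permission state takes precedence over the local flag") now describes a narrower case than its wording suggests; consider qualifying it with "when no explicit user-agent setting applies".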