What is the state of third party storage today in the various browsers? #12
Comments
Safari partitions storage, but blocks cookies, as I understand it. When you say storage do you mean both of those? For Firefox we are experimenting with partitioning both for the majority of third party sites (see https://groups.google.com/d/msg/mozilla.dev.platform/f2_hLdfsbq4/lNjFpEZPAgAJ). The hope is that this is more compatible than blocking. (I agree that blocking is attractive though, see also #7/#9.)
Sorry, thought I had replied earlier but I wound up losing the tab before submitting. Thanks for your response. I was referring more to the non-cookie storage mechanisms. Safari has since posted what they do with their storage which is super handy. It looks like localStorage is both partitioned and ephemeral, while the rest is just partitioned. My general thought is that partitioning is safest, and likely the way to go. I just wanted to verify that other browsers were also headed in that direction before doing so, as it's a lot of work. I'm still tempted to provide a subset (or even possibly a new) storage API specific to 3p contexts if other browsers were interested in that.
The model Firefox envisions is partitioned storage for third parties that can transition to non-partitioned storage when a third party is granted the storage-access permission. For both cookies and storage. The way I see that transition working model-wise is through replacement: whatwg/storage#88. Which I'd like to behave similarly to
I chatted briefly with @erik-anderson about Edge's current state. They're currently denying storage to tracker sites and enabling it on storage access grant. Not sure what their long term strategy is though.
Ah yeah, other browsers have something akin to that too for trackers, but it's not clear that approach scales well to all third parties. Hence the model I mentioned above.
@jkarlin A quick clarification: would blocking third-party storage or cookies in Incognito Mode have an impact on the user experience? I think this would be good for user privacy.
As an update, it seems there is relatively wide buy-in now across implementers for attempting to give third parties (partitioned) storage capabilities by default. Cookies are tricky: #15. And whether and how to transition from partitioned to non-partitioned is still to be discussed, but some experiments are ongoing. (See also earlier links to the Storage Standard repository issues.)
If it's of use, Brave currently blocks all 3p storage (network cookies, but also all other storage in frames). We are moving though (w/in months) to giving all 3p frames dual-keyed storage, life-timed under the 1p frame. We're also considering the storage access API to give frames unpartitioned storage, but this is still being experimented with.
We had a TPAC breakout session on the topic, minutes are at https://docs.google.com/document/d/13oqM9AUnItnDw02zsvpT3DdYYOpIpl0_eTcnbS8rjUY/edit# (which links to some slides).
Chrome now blocks third-party storage in incognito mode.
I believe Firefox blocks third-party storage for sites on the tracking list.
I don't know what Safari does today.
I don't know what Edge does today.
It's obviously much easier to simply throw on third-party storage access and then fill in unpartitioned storage once requestStorageAccess resolves. Do we have good reasons not to simply do that? Or perhaps we could provide a single partitioned storage mechanism, but not all of them.