Thanks both! We had some bandwidth issues on the editor's side with TPAC and other meetings going on, but I'm working with Chris to get this reviewed and merged now.

On Thu, Oct 10, 2024 at 9:12 PM Domenic Denicola <dome...@chromium.org> wrote:

> LGTM2. Please work to get the spec PR landed as soon as possible.
>
> On Thursday, October 10, 2024 at 6:27:15 AM UTC+9 Alex Russell wrote:
>
>> LGTM1
>>
>> On Monday, October 7, 2024 at 10:24:01 AM UTC-7 Chris Fredrickson wrote:
>>
>>> Yes, we ran an OT with 15+ registrants. The feedback we got was
>>> positive - that this feature allowed for better UX via a
>>> context-specific FedCM prompt, rather than the generic Storage Access
>>> API prompt.
>>>
>>> One piece of feedback we got on the API was a question on whether
>>> `navigator.credentials.preventSilentAccess()` should or should not
>>> "disable" access via the Storage Access API. That said, they didn't
>>> have a strong opinion either way at the moment. We've added metrics
>>> <https://crsrc.org/c/chrome/browser/storage_access_api/storage_access_grant_permission_context.cc;drc=dab95e5948233f94cf75134d6acc08db2af4e62c;l=252>
>>> to see if this question needs to be revisited in the future, but for
>>> now would like to ship the conservative approach
>>> <https://github.com/explainers-by-googlers/storage-access-for-fedcm/issues/1#issuecomment-2318722185>.
>>> (Note that we could backward-compatibly relax this decision in the
>>> future, if needed.)
>>>
>>> Re: reviewing the spec PR, it'd be nice to review/merge the PR, I'll
>>> work with the editors as soon as they have bandwidth to review. In the
>>> meantime, I'd like to provide to users the well-lit path that supports
>>> the use cases identified in the explainer sooner rather than later, to
>>> give sites as much time as possible to adopt new features before 3P
>>> cookies become less available in Chrome.
>>>
>>> On Monday, October 7, 2024 at 12:40:26 AM UTC-4 Domenic Denicola wrote:
>>>
>>>> From what I understand this had an Origin Trial. Did you get any
>>>> results you are able to share from the trial?
>>>>
>>>> On Thu, Oct 3, 2024 at 2:48 AM Chris Fredrickson <cfred...@chromium.org> wrote:
>>>>
>>>>> Contact emails
>>>>>
>>>>> johann...@chromium.org, cfred...@chromium.org, y...@chromium.org
>>>>>
>>>>> Explainer
>>>>>
>>>>> https://github.com/explainers-by-googlers/storage-access-for-fedcm
>>>>>
>>>>> Specification
>>>>>
>>>>> https://github.com/privacycg/storage-access/pull/206
>>>>
>>>> It isn't required, but is there a chance this PR could get at least
>>>> reviewed, and ideally merged, before we ship? I realize that the
>>>> Mozilla standards position only became positive last week, but with
>>>> that in hand I think merging should be possible, right?
>>>>
>>>>> Summary
>>>>>
>>>>> Reconciles the FedCM and Storage Access APIs by making a prior FedCM
>>>>> grant a valid reason to automatically approve a storage access request.
>>>>>
>>>>> When a user grants permission for using their identity with a 3rd
>>>>> party Identity Provider (IdP) on a Relying Party (RP), many IdPs
>>>>> require third-party cookies to function correctly and securely. This
>>>>> proposal aims to satisfy that requirement in a private and secure
>>>>> manner by updating the Storage Access API (SAA) permission checks to
>>>>> not only accept the permission grant that is given by a storage access
>>>>> prompt, but also the permission grant that is given by a FedCM prompt.
>>>>>
>>>>> A key property of this mechanism is limiting the grant to cases
>>>>> explicitly allowed by the RP via the FedCM permissions policy,
>>>>> enforcing a per-frame control for the RP and preventing passive
>>>>> surveillance by the IdP beyond the capabilities that FedCM already
>>>>> grants, as outlined in the Privacy Considerations
>>>>> <https://github.com/privacycg/storage-access/blob/main/explainers/storage-access-for-fedcm.md#privacy-considerations>.
>>>>>
>>>>> Blink component
>>>>>
>>>>> Blink>StorageAccessAPI
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorageAccessAPI>
>>>>>
>>>>> TAG review
>>>>>
>>>>> https://github.com/w3ctag/design-reviews/issues/992
>>>>>
>>>>> TAG review status
>>>>>
>>>>> Pending
>>>>>
>>>>> Chromium Trial Name
>>>>>
>>>>> FedCmWithStorageAccessAPI
>>>>>
>>>>> Origin Trial documentation link
>>>>>
>>>>> https://github.com/explainers-by-googlers/storage-access-for-fedcm
>>>>>
>>>>> WebFeature UseCounter name
>>>>>
>>>>> kFedCmWithStorageAccessAPI
>>>>>
>>>>> Risks
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> None
>>>>>
>>>>> Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1065)
>>>>>
>>>>> WebKit: No signal (https://github.com/WebKit/standards-positions/issues/390)
>>>>>
>>>>> Web developers: Positive (https://github.com/w3c-fedid/FedCM/issues/467#issuecomment-1735911894)
>>>>>
>>>>> Other signals:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> None
>>>>>
>>>>> Debuggability
>>>>>
>>>>> This feature requires that the identity-credentials-get permissions
>>>>> policy is provided.
>>>>>
>>>>> - If the policy is not provided, document.requestStorageAccess()
>>>>>   falls back to its normal control flow (i.e. checking for a user
>>>>>   gesture, checking for RWS autogrant, checking for a previous
>>>>>   top-level interaction, and finally showing a prompt).
>>>>> - If a policy is provided but misspelled, Chrome prints
>>>>>   "Unrecognized feature: <feature name>." in the console.
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?
>>>>>
>>>>> No
>>>>>
>>>>> FedCM and Storage Access API are not supported on Android WebView.
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>
>>>>> Yes
>>>>>
>>>>> https://wpt.fyi/results/fedcm/fedcm-storage-access-api-autogrant.tentative.https.sub.html?label=experimental&label=master&aligned
>>>>>
>>>>> (WPTs are currently failing on wpt.fyi due to an unrelated error that
>>>>> we're fixing.)
>>>>>
>>>>> Flag name on chrome://flags
>>>>>
>>>>> fedcm-with-storage-access-api
>>>>>
>>>>> Finch feature name
>>>>>
>>>>> FedCmWithStorageAccessAPI
>>>>>
>>>>> Requires code in //chrome?
>>>>>
>>>>> True
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> Origin trial desktop first
>>>>>
>>>>> 126
>>>>>
>>>>> Origin trial desktop last
>>>>>
>>>>> 131
>>>>>
>>>>> Origin trial extension 1 end milestone
>>>>>
>>>>> 129
>>>>>
>>>>> Origin trial extension 2 end milestone
>>>>>
>>>>> 131
>>>>>
>>>>> DevTrial on desktop
>>>>>
>>>>> 125
>>>>>
>>>>> Origin trial Android first
>>>>>
>>>>> 126
>>>>>
>>>>> Origin trial Android last
>>>>>
>>>>> 131
>>>>>
>>>>> DevTrial on Android
>>>>>
>>>>> 125
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or
>>>>> interop issues. Please list open issues (e.g. links to known github
>>>>> issues in the project for the feature specification) whose resolution
>>>>> may introduce web compat/interop risk (e.g., changing to naming or
>>>>> structure of the API in a non-backward-compatible way).
>>>>>
>>>>> None
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>>
>>>>> https://chromestatus.com/feature/5116478702747648?gate=5070701733347328
>>>>>
>>>>> Links to previous Intent discussions
>>>>>
>>>>> Intent to Prototype:
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4iogs7O60r0YcVnDB5aCvs9WUYjWFcuHqcFi5bXLRBOig%40mail.gmail.com
>>>>>
>>>>> Intent to Experiment:
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9a75fe74-ca55-4ddc-93d7-120adfdee49en%40chromium.org
>>>>>
>>>>> Intent to Extend Experiment 1:
>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/LwgSKPBivuM/m/0dRsXWhBAgAJ
>>>>>
>>>>> Intent to Extend Experiment 2:
>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/LwgSKPBivuM/m/0dRsXWhBAgAJ
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
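
The Debuggability notes in the quoted intent describe when `document.requestStorageAccess()` falls back to its normal flow. As an added example (not part of the thread, and not Chromium or explainer code), this helper for the embedded IdP frame reports whether `identity-credentials-get` was delegated and how the request ended. `diagnoseStorageAccess`, the report fields and the `idp.example` URL are assumptions, and `document.featurePolicy` is a Chrome-specific API.

```javascript
// Added example. Run inside the embedded IdP frame.
// RP side (constructed URL): the frame must be delegated the policy, e.g.
//   <iframe src="https://idp.example/widget" allow="identity-credentials-get"></iframe>
const FEATURE = 'identity-credentials-get';

// `doc` is injectable so the logic can be exercised with a stub outside a browser.
async function diagnoseStorageAccess(doc = globalThis.document) {
  const report = { policyAllowed: null, hadAccess: false, granted: false, hint: '' };

  // document.featurePolicy is Chrome-specific; null means "could not determine".
  const fp = doc.featurePolicy;
  if (fp && typeof fp.allowsFeature === 'function') {
    report.policyAllowed = fp.allowsFeature(FEATURE);
  }

  report.hadAccess = await doc.hasStorageAccess();
  if (report.hadAccess) {
    report.granted = true;
    report.hint = 'frame already has storage access';
    return report;
  }

  try {
    await doc.requestStorageAccess();
    report.granted = true;
  } catch {
    report.granted = false; // the promise rejects when access is not granted
  }

  if (report.policyAllowed === false) {
    // Without the policy, a prior FedCM grant is not considered at all.
    report.hint = `${FEATURE} is not delegated to this frame: the request used the ` +
      'normal flow (user gesture, RWS autogrant, prior top-level interaction, prompt)';
  } else if (!report.granted) {
    report.hint = 'denied: neither a prior FedCM grant nor the normal flow approved it';
  } else {
    report.hint = 'granted: a prior FedCM grant or the normal flow approved the request';
  }
  return report;
}
```

A script cannot observe which check approved a request, so the hint only narrows the cause; a misspelled policy name shows up separately as Chrome's "Unrecognized feature" console message.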