On 2015-08-18 2:24 PM, David Illsley wrote:
Is this pref something that's exposed to users, or is it only
about:config (I can't seem to find any UI for it)?
It is. Go to Privacy, select "Use custom settings for history", and
under "Accept third-party cookies:" select Never. (We should probably
rename that to "Accept third-party cookies and data:".)
If so, this seems like a step away from being able to ever expose it as
more apps will be built assuming IndexedDB will be unconditionally
available in 3rd party iframes. This change would make the 'it breaks
the web argument' against exposing it stronger. From my perspective,
this would be undesirable.
Toggling that setting can already result in some websites not working.
And the problem that you are talking about exists today: currently
Firefox blocks IDB in third-party iframes by default and no other
browser does that, which will result in those apps not working in
Firefox, and working in other browsers.
The correct way to write such apps is to expect that storage may not be
available due to any number of reasons (for example, this setting being
turned on, or the page being loaded in private browsing mode, etc.) and
this is a step in trying to improve the current situation both for users
who have that setting turned on (we currently allow some forms of
storage in such iframes but not others) and those who have that setting
turned off (we currently disallow some forms of storage in such iframes
even if you don't have that setting turned on), and as such, it is an
improvement over the current situation.
On Tue, Aug 18, 2015, at 04:20 PM, Michael Layzell wrote:
Summary: Currently, there are inconsistent rules about the availability
of persistent storage in third-party iframes across different types of
storage (such as caches, IndexedDB, localstorage, sessionstorage, and
cookies). We are looking to unify these behaviors into a consistent set
of rules for when persistent storage should be available. We have
modeled this after our cookie rules, and now use the cookie behavior
preference to control third party access to these forms of persistent
storage. This means that IndexedDB (which was previously unconditionally
disabled in 3rd-party iframes) is now available in 3rd party iframes
when the accept third-party cookies preference is set to "Always". As
our current definition of accepting third-party cookies from "Only
Visited" makes no sense for non-cookie storage, we currently treat this
preference for these forms of storage as though the preference was
"Never".
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1184973
Link to standard: N/A.
Platform coverage: All platforms.
Target release: Firefox 43.
Preference behind which this will be implemented: None, although the
preference "network.cookie.cookieBehavior" will be used to guide the
behavior of storage in third-party iFrames.
DevTools bug: N/A.
Do other browser engines implement this: Based on my quick testing:
Chrome uses its third party preference to control access to
localStorage and sessionStorage, but not IndexedDB or caches. Safari
appears to use its preference to control IndexedDB, but not
sessionStorage or localStorage. IE appears to only use its 3rd party
preference for cookies. All other browsers allow IndexedDB in 3rd party
iframes with default settings.
Security & Privacy Concerns: This changes how websites can store data on
the user's machine.
Web designer / developer use-cases: Previously, we had made IndexedDB
unavailable in 3rd-party iframes. Web developers will now be able to use
IndexedDB in 3rd party iframes when the user has the accept cookies
preference set to always.
Michael
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
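
The reply above says apps should expect that storage may not be available in a third-party iframe. The following JavaScript is an added example of that pattern, not code from the thread or from Firefox; `usable`, `hasIndexedDB`, `makeStore` and the fake window objects are hypothetical names constructed for illustration, and it assumes a blocked mechanism is either absent or throws when touched.

```javascript
// Added example. Assumption: a blocked mechanism is absent or throws when
// touched; exact failure modes differ between browsers and settings.
function usable(win, name) {
  try {
    const store = win[name];          // the property getter itself may throw
    const key = "__storage_probe__";
    store.setItem(key, "1");          // may throw (blocked, quota, private mode)
    const ok = store.getItem(key) === "1";
    store.removeItem(key);
    return ok;
  } catch (e) {
    return false;
  }
}

function hasIndexedDB(win) {
  try {
    // Presence only: open() can still fail later, so the request's error
    // event has to be handled as well.
    return !!win.indexedDB && typeof win.indexedDB.open === "function";
  } catch (e) {
    return false;
  }
}

// Returns a key-value store that keeps working when persistence is denied.
function makeStore(win) {
  for (const name of ["localStorage", "sessionStorage"]) {
    if (usable(win, name)) {
      const s = win[name];
      return { backend: name, get: (k) => s.getItem(k), set: (k, v) => s.setItem(k, String(v)) };
    }
  }
  const mem = new Map();              // in-memory fallback, lost on reload
  return { backend: "memory", get: (k) => (mem.has(k) ? mem.get(k) : null), set: (k, v) => { mem.set(k, String(v)); } };
}

// Constructed stand-ins for an iframe's window object (not real browser objects).
function fakeStorage() {
  const m = new Map();
  return { setItem: (k, v) => { m.set(k, String(v)); }, getItem: (k) => (m.has(k) ? m.get(k) : null), removeItem: (k) => { m.delete(k); } };
}
const allowedWin = { localStorage: fakeStorage(), sessionStorage: fakeStorage(), indexedDB: { open() {} } };
const blockedWin = {};                // both Web Storage getters throw, no indexedDB
for (const name of ["localStorage", "sessionStorage"]) {
  Object.defineProperty(blockedWin, name, { get() { throw new Error("SecurityError (constructed)"); } });
}
```

In a page, call `makeStore(window)` once at startup and check `backend` to decide whether to tell the user that data will not persist.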