This is great but I have a couple queries.

> In our implementation, once Storage Access API grants storage access,
> all existing third-party iframes on the same first party will receive that
> storage access, whereas in WebKit’s implementation they each would require
> calling requestStorageAccess() separately.

Presumably this is restricted to iframes *of the same origin* on the same first party, i.e. if there are 2 iframes on different origins they would each still have to request storage access. Can you confirm this?

> We don’t necessarily believe that a model where the user is asked whether
> they consent to sharing their data with third-party trackers is ideal,
> because explaining the implications of the data sharing is very hard, and
> there are many problems associated with asking for permission from the
> user. But we are looking at this API as a programmatic hook into the point
> in time when a third-party context would like to obtain full storage access
> rights, which would allow the browser to perform various forms of
> security/privacy checks at that time. Prompting the user is only one of the
> options we’ve thought about so far. Note that the API limits granting
> access only to callers coming at times when processing a user gesture.

The legal requirement in Europe is that storage can only be accessed if the user has unambiguously given their "freely given, specific & informed" consent. How will a European website top-level context (first-party) ensure that embedded third-parties will not be granted storage access without the user first being prompted?

Thanks

Mike