-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Way to know who to prompt for storage access in the first place #8
Comments
I agree with @kushal. We also operate a subscription service and would like to know before requesting access that the user might have cookies.
Actually it looks like that's how it works in Safari. @johnwilander said
Would Firefox be open to doing the same? |
For reference, the WebKit folks wrote up a strawman proposal: IsLoggedIn via #2 (comment) |
I think IsLoggedIn is a good idea overall, but one very minor concern I have is that it's a little easier to use it in a way that could be abused, than it is to use it in a defensive way. Specifically, it's easy to write the 3P iframe script to check if It could turn out that this isn't an issue in practice—maybe 3P iframe scripts will usually require an API token from the 1P; or maybe 3P iframe scripts usually won't communicate logged-in status to the 1P in the first place, they just show or don't show a Log In button, and the only indication of whether login was one-click or required a popup is the delay from mouseenter over the iframe to successful login being reported to the 1P (which, due to user interaction requirement, couldn't be realistically collected into a fingerprint). I don't have any particularly clever ideas for how to address my concern. The obvious idea that occurs to me is to add a required argument to (I initially thought of just If there are better ideas, I'd love to hear them? |
Allowing |
@othermaciej It would just be 1 bit of fingerprinting info per cooperating 3P (or 3P that fails to validate the containing 1P) on which the user had manually clicked Yes on the permission dialog, right? |
I'll add my own story from the field (ex-Apple here! hi! 👋) . I'm having great difficulty creating a good user experience in the context of Storage Access without something like this API. My use case is congruent to the social commenting widgets. Once a user's begun an interaction with the 3P, they must authenticate to complete that interaction. It's possible that they've already authenticated, but we can't tell because storage access is restricted. Probably we want to do something like: first To label a button "Sign in" would be confusing because it may not actually ask the user to sign in! Instead it might present the We could label such a button "Connect to XXX," and then the interaction would be less surprising, but the worst-case double-interaction is still awfully rough. It would be a much smoother experience if we could Another strategy (which I suspect you all won't like!) would be an API which would allow the 3P to determine if In any case, thank you all for what you're doing to protect users' privacy. There are some UI edge cases to work out here, but those are secondary to this important work. |
@andymatuschak In case you haven't seen it, I think @johnwilander's comment on a precursor ticket applies to your case:
Also, I'm not sure about this:
When they click "Sign in", wouldn't you still have to |
Yep, it does! Thank you for the pointer. In my case, I'm very happy to build the UI around this spec and its restrictions. The problem is that even in this greenfield context, I'm not sure how to build a good experience! But it's good to see @johnwilander open to
If |
But if you don't |
Ah, so, I present my login UI in a popup window (now first-party, navigated to my origin). The login request is made in that context, so the |
One more thought, which could partially mitigate the privacy concerns: in terms of making a good user experience, it'd be fine if |
Oh sorry, when you said "open the login UI directly" I thought that meant there would be a login form directly inside the iframe. If you open your login UI in a popup, I think the compatibility measure means that you actually should have cookie access, even without
To clarify, if this were the case, then you would not be able to "clearly label the button as either "Connect to XXX" in the case of Instead you would use It seems that the double-interaction of the permission prompt followed by a login popup is intentionally encouraged by design: https://github.com/privacycg/storage-access#the-user-is-not-yet-logged-in-to-the-embedee I think you could actually avoid this double-interaction, though, by using the compatibility measure: instead of bothering with That's probably a bad sign for the design of this API, if the legacy flow is better for developers than the intended use of this API. |
Right, but I'm going the more baroque server-cookie +
I'm sort of lucking out here, I guess. In my UI, it wouldn't make sense to present authentication UI until the user had already interacted. So I'd have a chance to silently check Then, if
Yikes. You're right, the double interaction is implied by that answer. That's an unacceptable user experience in my book, particularly since it's in the extra-sensitive onboarding path, and I'll certainly go to enormous lengths to avoid it.
That seems true! But involving a popup in every session—including the common-case happy path—is also unacceptable UX in my mind. Popups are quite disorienting and add a lot of friction. I definitely wouldn't use a popup at all if not for the 1P interaction requirement (I'd embed the login UI inline). I'd really like to create a zero-interruption "happy path" when users are signed in and have authorized storage access. ~ FWIW, the UX impact here is so onerous that I've resigned myself to building a Safari Extension to ensure my users can avoid these frictions. Of course, many won't install it, so I still want to make the extension-less case as smooth as possible. |
Re: WICG/first-party-sets#53 (comment) One use case I can think of: A settings screen that stores users preferences, but if storage requires a pop up, simply store the preferences in memory rather than in persistent storage. I realise that this can currently be achieved using |
The conditionally-show-some-UI use case (e.g. |
(carrying this over from discussion started here and ended here)
Although this proposal aims to solve problems like "Subscribed video service," in practice it's unlikely that a service would want to prompt every single user for storage access when they click the play button just to find the fraction of users paying for ad-free access or hoping to include the video in their browsing history.
Similarly, part of the solution for "Social commenting widgets" not appearing be constantly logging you out (as discussed here) is to at least signal the user is one tap away from recustomizing the widget or writing a comment on a given site without distracting or making false promises to anybody else.
And for federated login / alternative billing services such as ours, we'd like for partners to be able to prominently remind our logged-in users to trigger storage access on their site without distracting visitors who do not have (already-logged-in) accounts.
For all of these use cases, it seems like we need some notion of isLoggedIn or trust tokens or explicit user permission to make storage access a viable, user-friendly solution. It sounded like this would end up being a separate proposal from Storage Access itself but at some level feels critical to cementing the plan for storage access.
The text was updated successfully, but these errors were encountered: