You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have an analytics product that accesses data sources directly from the browser via CORS Fetch/XHR requests.
This analytics product has scenarios in which it is embedded in another application.
When the analytics product then queries the business application (as the data source) it results in an "A - B - A" deployment:
The business application UI (A)
opens the analytics product in an iframe (B)
which accesses the business data via CORS Fetch/XHR requests to the business application server (A)
UI Embedding (A => B)
The analytics product is authenticated via SAML redirects to a common identity provider (with the assumption that the identity provider within the iframe will find its first party cookies, via requestStorageAccess if necessary).
Data Access (B => A)
For data access, the analytics product may open a pop-up against the business application to ensure that there is a session with the target system. In the embedded case, the pop-up can be omitted, or will immediately close due to the fact that A already has a valid first-party session cookie.
Then the actual data access happens via Fetch/XHR using CORS with Access-Control-Allow-Credentials. This expects that the first party session cookie (from the top-level business application) can be accessed from this third party context.
Discussion of Privacy Sandbox features
Partitioning the Business Application's cookies will break the data access. Even using mechanisms to propagate the authentication information into the partitioned context, it still results in two active sessions with the business application within one user workflow.
Storage Access API requires an unauthenticated document hosted by A and injected into a iframe within B. This is not trivial to implement due to the large number of business applications that would need to be revised. On top of that, the storage access request only applies to the iframe itself and not to any CORS requests made from B.
The storage access headers proposal does seem promising for this case, but it would need to lower overhead and ideally the storage access should be auto-granted given the fact that the same domain is at the top-level.
The text was updated successfully, but these errors were encountered:
We have an analytics product that accesses data sources directly from the browser via CORS Fetch/XHR requests.
This analytics product has scenarios in which it is embedded in another application.
When the analytics product then queries the business application (as the data source) it results in an "A - B - A" deployment:
UI Embedding (A => B)
The analytics product is authenticated via SAML redirects to a common identity provider (with the assumption that the identity provider within the iframe will find its first party cookies, via requestStorageAccess if necessary).
Data Access (B => A)
For data access, the analytics product may open a pop-up against the business application to ensure that there is a session with the target system. In the embedded case, the pop-up can be omitted, or will immediately close due to the fact that A already has a valid first-party session cookie.
Then the actual data access happens via Fetch/XHR using CORS with Access-Control-Allow-Credentials. This expects that the first party session cookie (from the top-level business application) can be accessed from this third party context.
Discussion of Privacy Sandbox features
The text was updated successfully, but these errors were encountered: