Update Storage Access API content #26558

chrisdavidmills · 2023-05-03T14:11:16Z

Description

This PR updates the documentation for the Storage Access API, which is being shipped in Chrome 113. In particular I:

Added a storage-access permissions-policy directive page
Added an entry for it on permissions-policy main page
Updated description of sandbox="allow-storage-access-by-user-activation" to make it a little clearer
Updated wording on requestStorageAccess() page to make usage a bit clearer, include information about Permissions-Policy, and make the security information more standard MDN style.
Included exceptions information on hasStorageAccess()/requestStorageAccess()
Updated main Storage Access API page to include information on latest spec behavior and try to make sense of the browser differences and different security mechanisms
Checked the "Using" guide, and made some improvements

See my research document for the overall details of what this project entails.

Motivation

Additional details

Related issues and pull requests

github-actions · 2023-05-03T14:13:16Z

Preview URLs (8 pages)

Flaws (44)

Note! 6 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access
Title: Permissions-Policy: storage-access
Flaw count: 1

bad_bcd_queries:
- No BCD data for query: http.headers.Permissions-Policy.storage-access

URL: /en-US/docs/Web/API/Document
Title: Document
Flaw count: 43

macros:
- /en-US/docs/Web/API/HTMLAllCollection does not exist
- /en-US/docs/Web/API/Document/height redirects to /en-US/docs/Web/API/Element/clientHeight
- /en-US/docs/Web/API/Document/width redirects to /en-US/docs/Web/API/Element/clientWidth
- /en-US/docs/Web/API/Document/xmlStandalone does not exist
- /en-US/docs/Web/API/Document/captureEvents does not exist
- and 38 more flaws omitted

External URLs (3)

URL: /en-US/docs/Web/API/Storage_Access_API
Title: Storage Access API

https://blog.mozilla.org/en/mozilla/firefox-androids-new-privacy-feature-total-cookie-protection-stops-companies-from-keeping-tabs-on-your-moves/ (1 time) (Note! This may be a new URL 👀)
https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/ (2 times) (Note! This may be a new URL 👀)
Improving the Storage Access API security model privacycg/storage-access#113 (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2023-05-16 08:50:28)

chrisdavidmills · 2023-05-09T10:19:05Z

Note: Tech reviewed by Chris Fredrickson from the Chromium engineering team (he chose to give me feedback via email); updates made.

files/en-us/web/api/document/hasstorageaccess/index.md

files/en-us/web/api/document/requeststorageaccess/index.md

files/en-us/web/api/storage_access_api/using/index.md

files/en-us/web/api/storage_access_api/index.md

files/en-us/web/api/storage_access_api/using/index.md

cfredric · 2023-05-15T20:09:22Z

LGTM, thank you!

files/en-us/web/api/document/hasstorageaccess/index.md

files/en-us/web/api/document/requeststorageaccess/index.md

files/en-us/web/api/storage_access_api/index.md

files/en-us/web/api/document/hasstorageaccess/index.md

files/en-us/web/api/document/requeststorageaccess/index.md

files/en-us/web/api/storage_access_api/using/index.md

bsmth

A couple of comments and fixes outstanding, but otherwise looks good, tnx 👍🏻

Co-authored-by: Brian Thomas Smith <[email protected]>

jonkoops · 2023-05-22T10:18:39Z

files/en-us/web/api/storage_access_api/using/index.md

-} else {
-  document.hasStorageAccess().then((hasAccess) => {
+async function handleCookieAccess() {
+  if (document.hasStorageAccess === null) {


@chrisdavidmills I am not quite sure this code is correct. If this API does not exist then this value would be undefined and not null. Am I missing something here?

Sidenote, I encountered this as we're trying to implement this API for Keycloak (keycloak/keycloak#19835).

Ooops, yes you are right. I am just attempting to show a basic member existence check.

Lets correct it in the docs? Or maybe it is better to make check !("hasStorageAccess" in document)?

And seems like storage-access permission is not supported in Safari. @jonkoops can you confirm it?

Oops, I forgot to fix this problem. See #27718

@teleginzhenya this is correct, the following code will throw an exception in Safari:

const permission = await navigator.permissions.query({ name: "storage-access", });

We recently had to fix this in Keycloak (keycloak/keycloak#21325). This also seems to affect older versions of Firefox. This should be wrapped in a try block.

Thanks @jonkoops ; I've updated #27718 to handle this

Update Storage Access API content

f2198bd

chrisdavidmills requested review from a team as code owners May 3, 2023 14:11

chrisdavidmills requested review from Elchi3 and schalkneethling and removed request for a team May 3, 2023 14:11

github-actions bot added Content:HTML Hypertext Markup Language docs Content:HTTP HTTP docs Content:WebAPI Web API docs labels May 3, 2023

chrisdavidmills added 2 commits May 9, 2023 08:18

Merge branch 'main' into storage-access-api-updates

1d53547

Making fixes for cfredric review comments

bfd3767

cfredric reviewed May 9, 2023

View reviewed changes

chrisdavidmills added 2 commits May 10, 2023 11:41

updates made according to cfredric review comments

7117d08

Merge branch 'main' into storage-access-api-updates

2b15d05

cfredric reviewed May 10, 2023

View reviewed changes

files/en-us/web/api/storage_access_api/index.md Outdated Show resolved Hide resolved

files/en-us/web/api/storage_access_api/index.md Outdated Show resolved Hide resolved

files/en-us/web/api/storage_access_api/using/index.md Outdated Show resolved Hide resolved

chrisdavidmills added 2 commits May 15, 2023 15:55

2nd round of fixes for cfredric comments

7ef34df

Merge branch 'main' into storage-access-api-updates

24de9b8

Merge branch 'main' into storage-access-api-updates

b87a5bf