-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie blocked when accessing application site deployed in different domain from Parent site in different domain #324
Comments
Hi Team, Could you please update on this? |
Since you own both of these domains, its possible related website sets (RWS) and storage access API (SAA) might be a solution. See references to these here: |
Regarding related website sets , can we add just the domains for promary and releated parties. For example,
in this case , shall we define RWS as { Another thing, after updating in RWS also, we still need to use Storage Access API for allowing cookies? One more thing on testing, When i test our application with just the Flag enabled Test Third Party Cookie Phaseout everything is working. But when i test with Chrome/setting/Block third party cookies it is not allowing to add cookies. What is the right way of testing? Why the app is able to set the cookie with out any issue with Flag enabled Test Third Party Cookie Phaseout ? |
Storage access API is necessary even with RWS, but the RWS entry should make it auto-grant without any user prompt. Regarding the cookie phaseout flag and the older "block 3P cookies" setting in chrome, see this documentation: https://developers.google.com/privacy-sandbox/3pcd/prepare/test-for-breakage#flags_and_settings Essentially, block 3P cookies is a more strict control which excludes a number of the newer mechanisms that allow 3P cookies. I will have to defer to my colleagues on the RWS question. |
That looks reasonable to me (assuming you supply a real contact email address), from the RWS perspective. There are still some technical requirements that will be checked when you open a pull request on the RWS repository, though.
Yes, either |
Hi Team, Thanks for the details. I want to understand more on RWS, Since this is public REPO, all our domains are visible to everyone right? what are the security measures around this? is there a way to hide these for other users? Also is this the go forward for all organizations, who wants to share cookies to their internal subdomains launching as top-level site? |
Yes, if you want all Chrome clients to be aware of your RWS, then it has to be public information. Re: security, RWS is designed to uphold existing security boundaries on the web (e.g. the Same Origin Policy). If you find a way that RWS regresses security, please let us know.
If you only need to make your RWS available to your organization, you can use a Chrome Enterprise Policy to do so, specifically RelatedWebsiteSetsOverrides. This allows your enterprise to avoid exposing the domains within its intranet.
This is one option, which may or may not work for your use case. You may also use the Storage Access API (without RWS), or try adopting other technologies like CHIPS, Private State Tokens, Shared Storage, Fenced Frames, Federated Credentials Management API, etc. Please see https://privacysandbox.com/intl/en_us/open-web/#proposals-for-the-web for more information.
Note that it's possible to share cookies between subdomains of a given site already, without adopting any of the Privacy Sandbox proposals. You can use the |
Hi Chris, We are already using domain attribute and able to share the cookie to subdomains till now. But in this case with third party cookie phaseout, since our primary site is in different domain and child iframes are in different domain (app domain), first we are unable to register cookies. Post adding partitioned tag( with response header of cookie register), we are able to register cookies. But these cookies are not shared when we access child iframe url's (app domain url's) in new window tab / popups. our cookie is more of SSO token for single sign on when users launch our app domain url's in new tab. |
Got it, thanks for that detail. In this case, yes, I believe something like RWS or FedCM is your easiest option. What you are looking for is a way to (unobtrusively) convey the user's identity as they navigate from one site to another, which unfortunately is exactly what pervasive tracking tries to do. This is why the options available to you are limited: RWS only allows a limited number of top-level sites; FedCM and SAA require asking the user for permission. |
Hi Fedric, I have tried using the storage access API and got popup to allow. Post allowing, we tried launching one of the embedded site requests (app domain) which should register the unpartitioned cookie with parent site, but it is unable to register. could you please help us how to fix this? |
I unfortunately don't have enough information in this thread to know what isn't working. I recommend opening Chrome DevTools and checking the Network tab to see why those unpartitioned cookies are being blocked. (If you are seeing and accepting the Storage Access API prompt, and the cookies are still blocked, then the cookies must be blocked by something else.) |
Can you confirm that when you launch the embedded site, the embedded site also calls If the iframe is already calling
|
Hi Chris, I have included the code to call document.requestStorageAccess() in the child iframe , but still we are unable to set the cookie or access the cookie. We dont have any settings or policy under chrome://settings/cookies , except third party cookie clocked. |
Can you provide a reproduction case so I can debug this myself? |
Hi Chris, Here is our case.
|
Thanks for the details, but you don't mention calling Alternatively, you can check out https://storage-access-api-demo.glitch.me/ and try to see what those pages do differently from your app. |
I have called document.requestStorageAccess() when first time Iframe launching with user interaction to allow. After that called again, when user launching an application page frame. |
Hi Chris, Let us know if we can have a meeting tomorrow to debug the issues. |
Unfortunately not. I'd recommend looking at https://storage-access-api-demo.glitch.me/ or https://rws-member-1.glitch.me/request-storage-access.html to see how |
Hi Chris, We have already looked at above links, but still cookie is not sending through the request. Also, privacycg/CHIPS#82 is the issue what we are facing exactly. Either Partitioned cookies need to be shared to Window.opener or StorageAccess API need to send unpartitioned cookies as request headers. Seems StorageAccess API is not working as expected with request , response headers. |
Hi @cfredric Could you please clarify on the below issues related to Storage access API's?
OVR:1 requestStorageAccess: Request denied because the embedded site has never been interacted with as a top-level context We have clicked on the window open link which opens the embedded site in new tab since there is no cookie share it will fail. Then we have refreshed the site again, the prompt came to allow cookies or not. How the browser tracks whether user interacted or not? is this expected behavior with SAA? If yes, this will break user experience and how do we make the prompt to allow cookies always comes.
|
Hey @srilakshmi-devarapalli-by, I think most of the info you're looking for is explained on https://github.com/cfredric/chrome-storage-access-api?tab=readme-ov-file#chrome-specific-behavior. Briefly:
|
Hi @cfredric Regarding The allow cookies prompt is coming only when user click on button. Is there a way to make this prompt during page load? without user interaction? No, there is no way to avoid that requirement Today many public sites when we just lunch itself, we are getting prompt to accept cookies or not. Why we need again user action here (to click on some button to get prompt)? This breaks the regular user flows as we need to add the call to storage access Api for all IFrames. |
Are you asking why the prompt requires a user gesture first? That is a standard requirement for most permission prompts. If you're asking why you need to show both a permission prompt and a cookie consent banner -- I'm not a lawyer, but my understanding is that some cookie consent banners satisfy legal requirements placed on websites in some jurisdictions. The browser's permission prompt is not related to that.
To be clear:
|
No further replies in nearly two months so I'll close this, but feel free to reopen if necessary. |
We have a first party site (https://company.net/) and it has an embedded application site (https://app.com/cognos) both are owned by us but deployed on different domains.
When we launch the application site first time as an iframe url, with response header we add a sso cookie to the browser.
Issue1 - If we set Block third-party cookies from chrome://settings/cookies, we are unable to register the application cookies with parent site.
Issue2 - If we use partitioned tag, we are able to register cookie with parent site. But we have a use case where we will open the application site urls https://app.com/cognos directly in new tab. In this case the SSO cookies are not shared and authentication failed.
Could you please let us know how to fix this scenario?
Another thing, with new chrome browser we are seeing one warning message for our application cookies as - Cookie is blocked because it path (for example /cognos/bi/v1) was not same for or match with its superdirectory of request URL's path. How to fix this?
The text was updated successfully, but these errors were encountered: