Storage Partitioning in chrome breaks application functionality

[shravankm126]

Hi,

We have an application (https://abc.com) embedded in Salesforce.com using IFrames. Session details of our application are stored in both Local Storage and Cookies storage. For handling specific features, our embedded site opens a child window in which it establishes new connection with the same server( https://abc.com).

While creating new session inside childwindow, it access session details of first(IFrame) session from local storage and sends those details to server to create new session. This functionality works fine when storage partitioning is disabled. But when partioning is enabled chrome blocks data(Local Storage and Cookies) sharing between embedded site and childwindow. This breaks our application. Here IFrame and child-window has same domain and connecting to same server.

All we need is parent session details inside childwindow.

We have gone through some of Chrome 3PC deprecation documents and trying to solve with below approaches..

1. Using Related Website Sets.
2. Using Storage Access API
3. Using PostMessage() api to send parent session data from embedded site to childwindow.
4. Using IndexDB
5. Using Service Worker API

Could you please let us know if above appraches are good fit to this scenario or do you suggest any other alternate solutions for this usecase. Please let me know if you need more details.

Chrome Version: 126.0.6478.127

Thanks,
Shravan

[shravankm126]

Could anyone please provide suggestions on above query.

[cfredric]

Since you need your session details to be accessible when the user is visiting abc.com and when they visit salesforce.com, that means it is cross-site data. The proper way to access cross-site data is to use the Storage Access API. Please see the MDN documentation for how to use that API effectively.

In Chrome, you can use the Storage Access API to get access to unpartitioned IndexedDB, ShareWorkers, etc. (but not ServiceWorkers). See https://github.com/privacycg/saa-non-cookie-storage (and the spec) for details.

---

Alternatively, you may also use the FedCM API, since ultimately you are trying to use user identity in more than one place.

[shravankm126]

Hi,

Here application abc.com is integrated with Salesforce.com as third-party Iframe content.

The window which is spawned from Iframe(abc.com) will become new top-level window. This new window also tries to connect to same domain (abc.com) and for authentication purpose it is trying to access user session details which was already established in Iframe but unable to access due to storage partitioning enabled.

As per the documentation Storage Access API should be used in IFrames to allow access to storage, does the storage access api works in new top-level window to access storage from another top-level window ?

Do you mean to use Storage Access API along with Related-Website sets by grouping related domains in as below
{
"primary": "https://salesforce.com",
"associatedSites": ["https://abc1.com", "https://xyz.com"]
}

we are working on some sort of approach to handle this issue as chrome is enforcing storage partitioning by 3rd September 2024.

Thanks,
Shravan

[cfredric]

As per the documentation Storage Access API should be used in IFrames to allow access to storage, does the storage access api works in new top-level window to access storage from another top-level window ?

The Storage Access API provides access to unpartitioned storage, from within iframes or other "partitioned" contexts that don't otherwise have access to unpartitioned storage.

Top-level contexts are not partitioned, so they already have access to unpartitioned storage. That is, the top-level context can already access the same storage that the Storage Access API makes available to the iframe.

Do you mean to use Storage Access API along with Related-Website sets by grouping related domains

No, I imagine Salesforce has many tenants and it would not be possible to create a new RWS that contained salesforce.com as well as all of its tenants. Being in a RWS is not required in order to use the Storage Access API; any site can use that API.

[shravankm126]

Hi Chris,

We have gone through StorageAccess API and demos related to it https://storage-access-api-demo.glitch.me/

As I said the new window which is spawned from Iframe tries to access cookie/session data from previous session but blocked due to partitioning. My Intention was to set some cookies in unpartitioned storage and then access the same in newly launched top-level window.

Now to access unpartitioned storage from IFrame i have tried to call document.requestStorageAccess() but did not get any prompt and says permission denied.
According to documentation, requestStorageAccess() when called in IFrame will prompt user to allow or block access only if the user has already visited the embedded origin in a top-level context. Our application is embedded in Salesforce.com and it never launch the embedded origin as a top-level window upfront.

We want to understand how SAA we solve this kind of pratical usecases to access cross-site data, could you please suggest ?

Thanks,
Shravan

[cfredric]

Our application is embedded in Salesforce.com and it never launch the embedded origin as a top-level window upfront.

We want to understand how SAA we solve this kind of pratical usecases to access cross-site data, could you please suggest ?

I'd recommend launching the popup (and waiting for the user to interact with it) before trying to access unpartitioned storage from the cross-site embedded app. That way the user may understand why they might want to accept/reject your application's request for cross-site storage access.