allow "requestStorageAccess" in sidebar application for secure cookie handling
Posted Feb 02, 2023
Our Zendesk Marketplace application ("Git-Zen") relies on cookies; since Zendesk places the app in an IFRAME, the cookies are designated as third-party. Most browsers can handle this by allowing our domain in the browser settings; however, Safari (webkit) users do not have this as an option.
Current best practices dictate that document.requestStorageAccess() is used for this purpose (https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess); however, in order for this to be used, the "sandbox" attribute of the IFRAME must have the "allow-storage-access-by-user-activation" token included. This token simply allows the user to decide whether cookies will be permitted for a specific purpose.
Aside from having this token added to the sandbox parameter, there is no other secure way to allow Safari/webkit users to make use of our system without requiring them to allow all third-party cookies, which is obviously something that they should not have to do.
This should be a very simple enhancement to put in place; is this something that is planned to be added, and/or what is the recommended practice for handling this scenario until this can be added (or instead of, if this is not something that Zendesk will add)?
Thank you!
1
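The flow the post describes, as an added example (not Git-Zen or Zendesk code): the embedder's sandbox attribute is checked for the tokens the Storage Access API needs, and the embedded app requests access from a user gesture. The function names, the `sign-in` element id and the `startSession`/`showCookieHelp` helpers are hypothetical.

```javascript
// Added example; all names here are illustrative assumptions.
const REQUIRED_TOKENS = [
  "allow-scripts",
  "allow-same-origin",
  "allow-storage-access-by-user-activation",
];

// Embedder side: list the tokens missing from an iframe's sandbox attribute.
// A null attribute means the frame is not sandboxed, so nothing is missing.
function missingSandboxTokens(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return [];
  // Sandbox tokens are space-separated and ASCII case-insensitive.
  const present = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  return REQUIRED_TOKENS.filter((t) => !present.has(t));
}

// Embedded app side: call from a click/tap handler, since the API requires
// user activation. `doc` is the frame's document; returns a status string.
async function ensureStorageAccess(doc) {
  if (typeof doc.requestStorageAccess !== "function") return "unsupported";
  if (typeof doc.hasStorageAccess === "function" && (await doc.hasStorageAccess())) {
    return "already-granted";
  }
  try {
    await doc.requestStorageAccess();
    return "granted";
  } catch (err) {
    // Rejected: user declined, no user gesture, or the sandbox token is missing.
    return "denied";
  }
}

// Browser wiring (hypothetical element id and helpers):
// document.getElementById("sign-in").addEventListener("click", async () => {
//   const status = await ensureStorageAccess(document);
//   if (status === "granted" || status === "already-granted") startSession();
//   else showCookieHelp(status);
// });
```

For the session cookie to be sent inside the cross-site iframe once access is granted, it also has to be set with `SameSite=None; Secure`.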
17 comments
Eric Nelson
This is a great question, I've passed it along to our product team and will let you know what they say in the coming days.
Thanks!
2
Acenerate Support
Thanks Eric!
1
Zach Anthony
Hi there,
Thanks for the feedback. Support for this permission to be provided to apps is not currently on our roadmap, but it is something I'm happy to take on board to investigate the feasibility of. It would be great to understand though, what type of information are you storing in cookies for your app?
1
Acenerate Support
Thank you Zach! It is simply our authentication cookie; the cookie maintains session for our users within the application.
1
Nick Meisenheimer
Hi Eric Nelson, Zach Anthony, I just want to chime in on this request and say that the changes to 1st party cookie storage rules have more or less locked our team into using Firefox with some essential internal tooling we developed for Zendesk.
We'd love for this permission to be added to the sandbox property for iframes, even if it's just available for private apps.
Given that the request itself requires 1) user interaction, 2) some kind of consent to move forward, I feel as though the inclusion of the permission is fairly safe. Especially when you couple it with CORS restrictions.
I've escalated our request to our AE Sara Baca but would love the opportunity to discuss this further as we've got a build waiting to be deployed as a private app that is just waiting on these permissions.
0
Zach Anthony
Hi Nick, thanks for reaching out. Enabling apps to be able to use the Storage Access API has been logged as a feature request. While it hasn't been prioritized as yet, I will co-ordinate with your account executive to discuss further how we might be able to expedite this, since it has become a blocker for your private app deployment.
1
Nick Meisenheimer
Thanks Zach Anthony - looking forward to it
0
Benoit Ranque
Hi Zach Anthony, where can I follow progress on this?
It is also an issue for our private application. Users will be able to manually work around it in some browsers, but this is not ideal.
Regards
Benoit
0
Zach Anthony
Hey Benoit, I understand that it's been a little while since I last updated this thread. I'll be sure to come back to this thread and provide an update when I have some progress to share. At this stage we're currently working through our internal processes to assess the implications of enabling this permission for app developers.
1
Megumi Nakamura
Hello Zach, I'd like to know when the "allow-storage-access-by-user-activation" is added to the iframe sandbox attribute. Is it already scheduled?
0
Zach Anthony
Hi Megumi, apologies for the lack of updates on this post. This has been on our backlog for some time; however, we are planning to actively work on this in the current quarter.
0
Megumi Nakamura
Hi Zach, thanks for the update! Please let us know if the schedule is fixed. Thank you.
0
Megumi Nakamura
Hi Zach Anthony
Is there any update to this issue?
I'd like to know what action we have to take for the Chrome 3rd-party cookie phase-out.
https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/
0
Zach Anthony
Hi Megumi, we're in the final stages of testing and plan to release this in the coming weeks. With respect to Google's Privacy Sandbox initiative, however, from what we have understood:
Hope this helps!
0
Megumi Nakamura
Thanks Zach
0
Megumi Nakamura
I found that "allow-storage-access-by-user-activation" is already allowed on the iframe of the Zendesk app.
Thank you.
0
Zach Anthony
It turns out that we did in fact release support for this today, hope this helps with everyone's use cases.
0