
allow "requestStorageAccess" in sidebar application for secure cookie handling

Completed


Posted Feb 02, 2023

Our Zendesk Marketplace application ("Git-Zen") relies on cookies; since Zendesk places the app in an IFRAME, the cookies are designated as third-party.  Most browsers can handle this by allowing our domain in the browser settings; however, Safari (webkit) users do not have this as an option.

Current best practices dictate that document.requestStorageAccess() is used for this purpose (https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess); however, in order for this to be used, the "sandbox" attribute of the IFRAME must have the "allow-storage-access-by-user-activation" token included.  This token simply allows the user to decide whether cookies will be permitted for a specific purpose.

Aside from having this token added to the sandbox parameter, there is no other secure way to allow Safari/webkit users to make use of our system without requiring them to allow all third-party cookies, which is obviously something that they should not have to do.

This should be a very simple enhancement to put in place; is this something that is planned to be added, and/or what is the recommended practice for handling this scenario until this can be added (or instead of, if this is not something that Zendesk will add)?

Thank you!


1

17
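The mechanism described in the post above, as an added example that is not part of the original post and is not Git-Zen's or Zendesk's code: `missingSandboxTokens` checks an iframe's `sandbox` value for the tokens a sandboxed frame needs before a storage access request can succeed, and `ensureStorageAccess` is the call the embedded app makes from a click handler. The function names, the returned state strings and the `connect` button id are assumptions made for illustration.

```javascript
// Tokens the embedding page must list in <iframe sandbox="..."> before a
// sandboxed frame can run script, keep its own origin, and ask for storage access.
const REQUIRED_SANDBOX_TOKENS = [
  "allow-scripts",
  "allow-same-origin",
  "allow-storage-access-by-user-activation",
];

// Host-side check: which required tokens are absent from a sandbox value?
// null/undefined means the iframe has no sandbox attribute, so nothing is missing.
function missingSandboxTokens(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return [];
  // Sandbox tokens are whitespace-separated and ASCII case-insensitive.
  const present = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  return REQUIRED_SANDBOX_TOKENS.filter((token) => !present.has(token));
}

// Embedded-app side: must be called from a user gesture (for example a click).
// `doc` is the frame's document; it is a parameter so the logic can be exercised
// with a stand-in object outside a browser.
async function ensureStorageAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported"; // browser has no Storage Access API
  }
  if (await doc.hasStorageAccess()) return "already-granted";
  try {
    await doc.requestStorageAccess(); // the browser may prompt the user here
    return "granted"; // the session cookie is now sent with this frame's requests
  } catch (err) {
    // The promise rejects for a missing sandbox token, a missing user gesture,
    // or a user refusal; the frame cannot tell these apart.
    return "denied";
  }
}

// Browser wiring, skipped when no DOM is present. "connect" is a hypothetical id.
if (typeof document !== "undefined") {
  const button = document.getElementById("connect");
  if (button) {
    button.addEventListener("click", async () => {
      button.dataset.storageAccess = await ensureStorageAccess(document);
    });
  }
}
```

On a "denied" result the app has to fall back to a flow that does not depend on the third-party session cookie, since the frame cannot learn why the request failed.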

17 comments


Eric Nelson

Zendesk Developer Advocacy

Hey there,

This is a great question, I've passed it along to our product team and will let you know what they say in the coming days.

Thanks!

2


Thanks Eric!

1



Zach Anthony

Zendesk Product Manager

Hi there,

Thanks for the feedback. Support for this permission to be provided to apps is not currently on our roadmap, but it is something I'm happy to take on board to investigate the feasibility of. It would be great to understand though, what type of information are you storing in cookies for your app? 

1


Thank you Zach!  It is simply our authentication cookie; the cookie maintains session for our users within the application.

1


Hi Eric Nelson, Zach Anthony, I just want to chime in on this request and say that the changes to 1st party cookie storage rules have more or less locked our team into using Firefox with some essential internal tooling we developed for Zendesk.

We'd love for this permission to be added to the sandbox property for iframes, even if it's just available for private apps.

Given that the request itself requires 1) user interaction and 2) some kind of consent to move forward, I feel as though the inclusion of the permission is fairly safe, especially when you couple it with CORS restrictions.

I've escalated our request to our AE Sara Baca but would love the opportunity to discuss this further as we've got a build waiting to be deployed as a private app that is just waiting on these permissions.

0



Zach Anthony

Zendesk Product Manager

Hi Nick, thanks for reaching out. Enabling apps to be able to use the Storage Access API has been logged as a feature request. While it hasn't been prioritized as yet, I will co-ordinate with your account executive to discuss further how we might be able to expedite this, since it has become a blocker for your private app deployment.

1


Thanks Zach Anthony - looking forward to it

0


Hi Zach Anthony, where can I follow progress on this?
It is also an issue for our private application. Users will be able to manually work around it in some browsers, but this is not ideal.

Regards
Benoit

0



Zach Anthony

Zendesk Product Manager

Hey Benoit, I understand that it's been a little while since I last updated this thread. I'll be sure to come back to this thread and provide an update when I have some progress to share. At this stage we're currently working through our internal processes to assess the implications of enabling this permission for app developers.

 

1


Hello Zach, I'd like to know when the "allow-storage-access-by-user-activation" is added to the iframe sandbox attribute. Is it already scheduled?

0



Zach Anthony

Zendesk Product Manager

Hi Megumi, apologies for the lack of updates on this post. This has been on our backlog for some time; however, we are planning to actively work on this in the current quarter.

0


Hi Zach, thanks for the update! Please let us know if the schedule is fixed. Thank you.

0


Hi Zach Anthony 

Is there any update to this issue?

I'd like to know what action we have to take for Chrome's 3rd party cookie phase-out.

https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/

0



Zach Anthony

Zendesk Product Manager

Hi Megumi, we're in the final stages of testing and plan to release this in the coming weeks. With respect to Google's Privacy Sandbox initiative, however, from what we have understood:

Hope this helps!

0


Thanks Zach

0


I found that "allow-storage-access-by-user-activation" is already allowed on the iframe of the Zendesk app.

Thank you.

0



Zach Anthony

Zendesk Product Manager

It turns out that we did in fact release support for this today, hope this helps with everyone's use cases.

0

