allow "requestStorageAccess" in sidebar application for secure cookie handling
Our Zendesk Marketplace application ("Git-Zen") relies on cookies; since Zendesk places the app in an IFRAME, the cookies are designated as third-party. Most browsers can handle this by allowing our domain in the browser settings; however, Safari (webkit) users do not have this as an option.
Current best practices dictate that document.requestStorageAccess() is used for this purpose (https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess); however, in order for this to be used, the "sandbox" attribute of the IFRAME must have the "allow-storage-access-by-user-activation" token included. This token simply allows the user to decide whether cookies will be permitted for a specific purpose.
Aside from having this token added to the sandbox parameter, there is no other secure way to allow Safari/webkit users to make use of our system without requiring them to allow all third-party cookies, which is obviously something that they should not have to do.
This should be a very simple enhancement to put in place; is this something that is planned to be added, and/or what is the recommended practice for handling this scenario until this can be added (or instead of, if this is not something that Zendesk will add)?
Thank you!
-
Hey there,
This is a great question, I've passed it along to our product team and will let you know what they say in the coming days.
Thanks!
-
Thanks Eric!
-
Hi there,
Thanks for the feedback. Support for this permission to be provided to apps is not currently on our roadmap, but it is something I'm happy to take on board to investigate the feasibility of. It would be great to understand though, what type of information are you storing in cookies for your app?
-
Thank you Zach! It is simply our authentication cookie; the cookie maintains session for our users within the application.
-
Hi Eric Nelson Zach Anthony I just want to chime in on this request and say that the changes to 1st part cookie storage rules have more or less locked our team into using Firefox with some essential internal tooling we developed for Zendesk.
We'd love for this permission to be added to the sandbox property for iframes, even if it's just available for private apps.
Given that the request itself requires 1) user interaction, 2) some kind of consent to move forward I feel as though the inclusion of the permission is fairly safe. Especially when you couple it with CORS restrictions.
I've escalated our request to our AE Sara Baca but would love the opportunity to discuss this further as we've got a build waiting to be deployed as a private app that is just waiting on these permissions. -
Hi Nick, thanks for reaching out. Enabling apps to be able to use the Storage Access API has been logged as a feature request. While it hasn't been prioritized as yet, I will co-ordinate with your account executive to discuss further how we might be able to expedite this, since it has become a blocker for your private app deployment
-
Thanks Zach Anthony - looking forward to it
-
Hi Zach Anthony, where can I follow progress on this?
It is also an issue for our private application. Users will be able to manually work around it in some browsers, but this is not ideal.
Regards
Benoit -
Hey Benoit, I understand that it's been a little while since I last updated this thread. I'll be sure to come back to this thread and provide an update when I have some progress to share. At this stage we're currently working through our internal processes to assess the implications of enabling this permission for app developers.
Iniciar sesión para dejar un comentario.
9 Comentarios