allow "requestStorageAccess" in sidebar application for secure cookie handling
Posted: February 2, 2023
Our Zendesk Marketplace application ("Git-Zen") relies on cookies; since Zendesk places the app in an IFRAME, the cookies are designated as third-party. Most browsers can handle this by allowing our domain in the browser settings; however, Safari (WebKit) users do not have this as an option.
Current best practices dictate that document.requestStorageAccess() is used for this purpose (https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess); however, in order for this to be used, the "sandbox" attribute of the IFRAME must have the "allow-storage-access-by-user-activation" token included. This token simply allows the user to decide whether cookies will be permitted for a specific purpose.
Aside from having this token added to the sandbox parameter, there is no other secure way to allow Safari/WebKit users to make use of our system without requiring them to allow all third-party cookies, which is obviously something that they should not have to do.
This should be a very simple enhancement to put in place; is this something that is planned to be added, and/or what is the recommended practice for handling this scenario until this can be added (or instead of, if this is not something that Zendesk will add)?
Thank you!
1
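The flow described in the post above, as an added example that is not part of the original post or Git-Zen's code: a sandbox-token check for the embedder side and a click-triggered storage access request for the framed app. The function names and the `connect-button` element id are hypothetical; requiring `allow-scripts` and `allow-same-origin` alongside the token follows MDN's description of the API.

```javascript
// Added example; function names and the element id are hypothetical.
// Tokens the embedder's <iframe sandbox="..."> must carry before the framed
// page may call requestStorageAccess() (per MDN's notes on sandboxed iframes).
const REQUIRED_TOKENS = [
  "allow-scripts",
  "allow-same-origin",
  "allow-storage-access-by-user-activation",
];

// Returns the required tokens absent from a sandbox attribute value.
// null/undefined means the iframe has no sandbox attribute at all.
function missingSandboxTokens(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return [];
  const present = new Set(
    sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean)
  );
  return REQUIRED_TOKENS.filter((token) => !present.has(token));
}

// Runs inside the framed app. Call it from a click or tap handler: browsers
// reject the request when it is not triggered by a user gesture.
async function ensureStorageAccess(doc) {
  if (typeof doc.requestStorageAccess !== "function") return "unsupported";
  if (typeof doc.hasStorageAccess === "function" && (await doc.hasStorageAccess())) {
    return "already-granted";
  }
  try {
    await doc.requestStorageAccess(); // may show the browser's permission prompt
    return "granted";
  } catch (err) {
    return "denied"; // blocked by sandbox, no gesture, or the user declined
  }
}

// Browser wiring (skipped outside a browser).
if (typeof document !== "undefined") {
  const button = document.getElementById("connect-button"); // hypothetical id
  if (button) {
    button.addEventListener("click", async () => {
      const status = await ensureStorageAccess(document);
      // Only start cookie-backed requests once access exists; otherwise keep
      // the sign-in prompt visible instead of failing silently.
      button.dataset.storageAccess = status;
    });
  }
}
```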
17 comments
Zach Anthony
It turns out that we did in fact release support for this today, hope this helps with everyone's use cases.
0
Megumi Nakamura
I found that "allow-storage-access-by-user-activation" is already allowed on the iframe of the Zendesk app.
Thank you.
0
Megumi Nakamura
Thanks Zach
0
Zach Anthony
Hi Megumi, we're in the final stages of testing and plan to release this in the coming weeks. With respect to Google's Privacy Sandbox initiative, however, from what we have understood:
Hope this helps!
0
Megumi Nakamura
Hi 1264663898009
Is there any update to this issue?
I'd like to know what action we have to take for the Chrome third-party cookie phase-out.
https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/
0
Megumi Nakamura
Hi Zach, thanks for the update! Please let us know if the schedule is fixed. Thank you.
0
Zach Anthony
Hi Megumi, apologies for the lack of updates on this post. This has been on our backlog for some time; however, we are planning to actively work on this in the current quarter.
0
Megumi Nakamura
Hello Zach, I'd like to know when "allow-storage-access-by-user-activation" will be added to the iframe sandbox attribute. Is it already scheduled?
0
Zach Anthony
Hey Benoit, I understand that it's been a little while since I last updated this thread. I'll be sure to come back to this thread and provide an update when I have some progress to share. At this stage we're currently working through our internal processes to assess the implications of enabling this permission for app developers.
1
Benoit Ranque
Hi Zach Anthony, where can I follow progress on this?
It is also an issue for our private application. Users will be able to manually work around it in some browsers, but this is not ideal.
Regards
Benoit
0