Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature request: Auto-grant iFrame without requiring iFrame reload after grant #189

Open
jyjc opened this issue Nov 16, 2023 · 1 comment

Comments

@jyjc
Copy link

jyjc commented Nov 16, 2023

Google Support provides iFramed support experiences across Google products (Accounts, Blogger, Flights, Maps, YouTube, etc.). The authentication cookies are sent to the iFrame domain which are used to provide a more personalized support experience and to provide an option for users to attach their account information in Feedback reports and support tickets.

On Firefox 118 (and below) and Safari, when the user first authorizes access to allow “google.com” to use cookies from “youtube.com” (or other Google products hosted outside google.com and its subdomains), the iFrame window is reloaded to pass on the auth cookie to the server and request headers. This access is granted for google.com iFrames (even in the nested google.com iFrames within the support experience) so additional reload of the iFrame is not needed if the permission is auto-granted.

In contrast, on Chrome and Firefox 121+, we are required to reload all iFrames (even nested iFrames) when the frame is auto-granted access. When requestStorageAccess (rSA) is called, it grants the access for the iFrame but would require a reload of that frame to pass the auth cookies to the server. The support help panel has several nested iFrames which all require the same behavior as well. This results in increased server load (loading 2x / iFrame) and increased latency to when the user can access the support experience. Furthermore, the support iFrames are created and destroyed when the user opens/closes the frame. That means any time the user opens it again, we would have to load the contents twice.

Similarly, Country Code Top-Level Domains (CCTLDs) are also considered part of the Related Website Set (RWS) which has an rSA auto-grant; however, auto-grants have the above issue. That means the scope of the impact is drastically increased (google.co.jp, google.co.in, etc.) since it is considered outside the google.com domain.

The ideal solution would be to have a way to mitigate the reloads. One proposal is for the browser to recognize that the iFrame src has storage access to the parent page, then the browser can auto-grant access and pass the authentication cookies during the first iFrame load without requiring requestStorageAccess call.

@cfredric
Copy link
Contributor

Hi - I've published a proposal for HTTP request/response headers that I believe would be helpful here: https://github.com/cfredric/storage-access-headers

Please take a look and let me know if that proposal would be helpful for this, and/or how it could be improved!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants