Skip to content

Make implicit and explicit deny indistinguishable #120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Make implicit and explicit deny indistinguishable #120

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e358785
Make implicit and explicit deny indistinguishable
bvandersloot-mozilla Oct 4, 2022
5de73d7
Integrate Anne's spec feedback
bvandersloot-mozilla Oct 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions storage-access.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,14 +244,16 @@ To <dfn type="abstract-op">determine if a site has storage access</dfn> with [=p

To <dfn type="abstract-op">determine the storage access policy</dfn> for [=partitioned storage key=] |key| with {{Document}} |doc| and {{Promise}} |p|, run these steps:

1. [=Run steps after a timeout=] given |doc|'s {{Window}} object, `"requestStorageAccess"`, `120000`, and the following steps:
Copy link
Collaborator

@annevk annevk Oct 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a comment explaining this number. Since it's a number it's not to be wrapped in code.

Similarly, instead of "requestStorageAccess" we want "requestStorageAccess" (quotes outside code).

And we should probably use |doc|'s <a>relevant global object</a> here. (Which we already obtain later, so we should move that step up I suppose.)

Copy link
Collaborator Author

@bvandersloot-mozilla bvandersloot-mozilla Oct 7, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will clean up the code quotes, rearrange this, and add a comment explaining the magic number.

1. If |p| is pending, [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}.
1. Let |map| be the result of [=obtain the storage access map|obtaining the storage access map=] for |doc|.
1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|.
1. Let |implicitly granted| and |implicitly denied| (each a [=boolean=]) be the result of running an [=implementation-defined=] set of steps to determine if |key|'s [=partitioned storage key/embedded site=]'s request for storage access on |key|'s [=partitioned storage key/top-level site=] should be granted or denied without prompting the user.

Note: These [=implementation-defined=] set of steps might result in |flag set|'s [=has storage access flag=] and [=was expressly denied storage access flag=] changing, since the User Agent could have relevant out-of-band information (e.g. a user preference that changed) that this specification is unaware of.
1. Let |global| be |doc|'s [=relevant global object=].
1. If |implicitly granted| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return.
1. If |implicitly denied| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|.
1. If |implicitly denied| is true, return.
Copy link
Member

@johannhof johannhof Oct 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this ever need to return p at all, given that the invoking function owns p? Maybe we should clean that up everywhere.

Copy link
Collaborator Author

@bvandersloot-mozilla bvandersloot-mozilla Oct 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only place we returned p in this algorithm. I don't believe we need to return it here.

1. Ask the user if they would like to grant |key|'s [=partitioned storage key/embedded site=] access to its [=unpartitioned data=] when it's loaded in a [=third party context=] on |key|'s [=partitioned storage key/top-level site=], and wait for an answer. Let |expressly granted| and |expressly denied| (both [=booleans=]) be the result.

Note: While |expressly granted| and |expressly denied| cannot both be true, they could both be false in User Agents which allow users to dismiss the prompt without choosing to allow or deny the request. (Such a dismissal is interpreted in this algorithm as a denial.)
Expand All @@ -264,7 +266,6 @@ To <dfn type="abstract-op">determine the storage access policy</dfn> for [=parti
1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it.
1. Set |flag set|'s [=was expressly denied storage access flag=].
1. [=Save the storage access flag set=] for |key| in |map|.
1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}.

ISSUE: [since this is UA-defined, does it make sense to follow-up separately with a user prompt?](https://github.com/privacycg/storage-access/pull/24#discussion_r408784492)

Expand Down