Proposal: privacy.websites.thirdPartyCookiesAccessible #822

aselya · 2025-05-05T16:28:11Z

Proposal defines a new API that will allow extensions to determine a frame's access to third-party cookies.

Rob--W · 2025-05-07T16:22:40Z

This PR looks strange with the many unrelated commits. Could you clean it up as follows:

git fetch upstream main:main
git checkout -B thirdPartyCookiesAccessible_API upstream/main
git cherry-pick 806bd5e68021e4a903cc600bff4b99ce81c4dcb0
git push origin thirdPartyCookiesAccessible_API -f

In this example of the code snippet :

upstream would be the remote for this repository - https://github.com/w3c/webextensions
origin would be your fork - https://github.com/aselya/webextensions
(to double-check if this is correct, run git remote -v locally to print your repositories)
806bd5e is the commit where you added the file for which you're requesting review. In this case there was only one, but you can have more in general
git checkout -B branchname upstream/main replaces branchname with a new branch branched off the current upstream/main (and since I added git fetch upstream main it is the latest up-to-date branch).
git push origin branchname -f the -f is --force flag to forcibly overwrite the branch with the new branch.

Add initial proposal

aselya · 2025-05-07T17:21:01Z

This PR looks strange with the many unrelated commits. Could you clean it up as follows:
git fetch upstream main:main
git checkout -B thirdPartyCookiesAccessible_API upstream/main
git cherry-pick 806bd5e68021e4a903cc600bff4b99ce81c4dcb0
git push origin thirdPartyCookiesAccessible_API -f
In this example of the code snippet :

upstream would be the remote for this repository - https://github.com/w3c/webextensions

origin would be your fork - https://github.com/aselya/webextensions

(to double-check if this is correct, run git remote -v locally to print your repositories)

806bd5e is the commit where you added the file for which you're requesting review. In this case there was only one, but you can have more in general

git checkout -B branchname upstream/main replaces branchname with a new branch branched off the current upstream/main (and since I added git fetch upstream main it is the latest up-to-date branch).

git push origin branchname -f the -f is --force flag to forcibly overwrite the branch with the new branch.

Thanks for catching this. Fix has been made.

aselya · 2025-05-08T19:30:53Z

Why should this be an extension API and not just part of the web platform?

To determine if an individual frame has access to third-party cookies, an extension can attempt to set and read a cookie or use the API document.hasStorageAccess(). This information is sufficient for most cases on the web but there are some subtleties to unpartitioned (third-party) cookie access that extensions could benefit from having knowledge of but should not be exposed on the open web because it reveals information about the users choices and settings that could potentially be abused by a malicious site.

Storage Access effectively has three distinct states, granted, denied and inactive. document.hasStorageAccess() does not differentiate between an explicit denial or the state being inactive (where the user or user agent hasn’t made a choice) and returns false for both of them. This distinction is hidden to hide the user’s choice from malicious sites, since extensions are allowed to have more information exposed to them, this information can be revealed. Extensions would benefit from this more granular information because it would allow them know if they should use content script to call document.requestStorageAccess() to prompt the user for permission or if the user (or an agent working on their behalf) has already explicitly denied access to unpartitioned cookies for the frame and they should display a message to ask the user to change the settings.

The existing means of determining third-party cookie access requires a frame to already exist. This API would provide a means of allowing an extension to determine access to cookies for frames that don’t already exist. This could be useful for an extension without <all_url> host permissions because it would be able to check after initialization if the sites it needs to have unpartitioned cookie access would be eligible for it. This capability should be confined to extensions because storage access grants can only be given to frames that exist but user settings such as Firefox’s “Exceptions for Enhanced Tracking Protection” and Chrome’s Enterprise policies do not rely on a frame existing and shouldn’t be exposed on the open web.

Create thirdPartyCookiesAccessible.md

b5e3f8f

Add initial proposal

aselya force-pushed the thirdPartyCookiesAccessible_API branch from 602699b to b5e3f8f Compare May 7, 2025 17:19

aselya closed this May 7, 2025

aselya reopened this May 7, 2025

xeenon mentioned this pull request Apr 24, 2025

Agenda discussion for public meeting on 2025-05-08 #819

Closed

Rob--W mentioned this pull request May 8, 2025

Publish minutes of 2025-05-08 meeting #823

Merged

aselya requested review from Rob--W, oliverdunk and xeenon May 9, 2025 14:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Proposal: privacy.websites.thirdPartyCookiesAccessible #822

Proposal: privacy.websites.thirdPartyCookiesAccessible #822

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Proposal: privacy.websites.thirdPartyCookiesAccessible #822

Are you sure you want to change the base?

Proposal: privacy.websites.thirdPartyCookiesAccessible #822

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!