Interacting with embedded applications as top-level prior to granting permission #9
Comments
|
Hi @andywang219, I'll jump right into your questions:
A user interaction (aka activation or user gesture) is something defined by the HTML standard. It lists the different kinds of interactions here: keypresses, mouse clicks, and touch events.
There's no workaround for this in Chrome, if your application requires read/write access to unpartitioned state (and therefore really requires the Storage Access API). If an embedded cross-site application needs to access unpartitioned state (e.g. a user identifier), then the user ought to know that the application exists, and be aware that they're interacting with it. (Just for context: the top-level user interaction requirement is to protect Chrome users from prompts that come from sites which the users have never heard of and have no intention of using. This is an attempt to avoid the kind of spam we've seen through push notifications prompts, for example.)
"Users" for these purposes are individual browser profiles in Chrome. If one Chrome profile/user interacts with company A, that is not sufficient to conclude that every Chrome profile/user is ok with seeing prompts from company A while it's embedded under another site (e.g. company B's site). So yes, every other Chrome user who visits company B's site and needs to use the company A embed will have to interact with company A's site in a top-level context beforehand. I want to point out an important detail here though - my response to your second question said "if your application requires read/write access to unpartitioned state". You never mentioned needing to share your application's state regardless of which top-level site it's embedded under (e.g. Similarly, if you require unpartitioned state but don't need to be able to both read and write to it, you could check out some of the other Privacy Sandbox proposals (particularly Fenced Frames and Shared Storage) and see if they address your needs. |
|
How are third-party authentication cookies using SAML/SSO supposed to work then? We support an application that's embedded in customer websites as an iframe. The customer will authenticate with their SAML provider in the top-level context, which will perform a SAML assertion to our product to retrieve a third-party authentication cookie. With the coming change, we need to use the StorageAccessAPI to access that cookie from our iframe. However, our customers interact with our product solely in an embedded context. Therefore, Chrome will deny the requestStorageAccess call saying they've never interacted with our application as a top-level context. This requirement completely breaks our authentication flow, and I imagine many others who aren't aware of this coming change.
The storageAccessAPI already requires a user gesture; so the customer already knows the application exists. |
To my knowledge, we (Chrome) haven't yet seen an authenticated embed use case where the user is expected to never interact with the embedded site in a top-level context. In all the use cases we've seen, the user is brought through a flow that involves a login in a popup or some other top-level context (e.g. a redirect), which sets the unpartitioned cookie that gets accessed later on by the iframe. This flow is common enough that Firefox automatically grants storage access to any site that the user has interacted with in a top-level context; Safari also grants access in these situations, AFAIK. Chrome is prototyping this heuristic as well. (On the subject of other browsers, what have you observed in browsers like Firefox and Safari which already block third-party cookies by default?) We've also seen some use cases where the embedded iframe is invisible but still relies on the user's (unpartitioned) identity. Chrome and other browsers are still exploring the solution space for those scenarios; the latest proposal in this space is the Top-Level Storage Access API Extension, but this still assumes that the user will visit the embedded site as a top-level context to log in at some point. Chrome also supports the FedCM API, which is an option for federated sign-in. This API does support usage from within an iframe, so if your application can use FedCM, it could be available to you in these iframes. With all of this in mind, is it an option for you to open a top-level context (e.g. a popup) in which your users can log in, or at least click a "Proceed with <XYZ app>" button? If it is, then it would solve your problem, IIUC.
I was responding to @andywang219's "In the scenario where an application is completely hidden from the end user, this might pose some issues because now the end user needs to interact with a site that they never knew they were using" question (emphasis mine). This example shows why a user gesture in the embedded context cannot prove that the user knows that the embedded application exists. This is why that user gesture is necessary but not sufficient for getting the |
|
Thanks for looking into the issue. For a context its the same setup which we were discussing in the previous issues #6 . ( the one with videos and screenshots) the only confusion here is the restrictions of site never been interacted as a top level context which is different from asking storage access with explicit grant access button interaction from the same site in an embedded context. In this case even though user s doing explicit interaction which isn't considered valid and rejected by RSA. Yes our users always interacts( click) with embedded site which grants access to cookies set during SSO navigation. Take an example of brand new chrome browser download, and first time user navigates to their company site which embeds third party site in question , which asks for storage access with explicit click interaction and then allow sso navigation to continue in a separate same site iframe or popup which sets un partitioned cookies( all 302s mostly) . In this flow explicit click action invokes rsa but fails with message that you never interacted with embedded site in top level, could u guide how to handle this use case? This goes away as soon as the user opens up embedded site once in a new tab, which i want to avoid. |
|
Thanks for the context.
To be clear, the Storage Access API in Chrome requires two distinct user interactions:
Interaction #1 is to reassure the browser that the user might actually have some relationship with the site in question. If the user has never interacted with the site in its own top-level context, the user is less likely to be familiar with the site in question. We (Chrome) want to be sure that when we show a permission prompt, the user has definitely heard of the site that's requesting permission. This is part of ensuring that the user understands as much as possible about the request. Of course, a user interaction in a top-level context doesn't guarantee that the user is ok with that site asking for Interaction #2 is a standard requirement for any permission prompt, and any powerful API in the web platform.
Can you elaborate more on your SSO arrangement? How/when does the user sign into your application? Is it possible to do the sign-in before your application requests
I would recommend exactly what you said: opening the embedded site once in a new tab, before asking for Coming at this from a different angle - in browsers that don't require the top-level interaction (Safari and Firefox, to my knowledge), what do you observe? Do your users understand the permission prompts and why they might want to grant or deny permission? How often do your users accept the prompt and continue with the SSO flow? How often do they deny permission or dismiss the prompt? |
|
Hi @andywang219, I'm not sure what you mean by "rolling" vs "strict". But to hopefully answer your question anyway - at the time when So, if the user interacts with the site on day 0, then interacts with the site on day 29, then calls If instead, the user interacts with the site on day 0, then calls |
|
Thank you for the clarification! |
|
One follow up question, will Chrome expose an API to allow developers retrieve the timestamp that you mentioned? |
|
There's currently no proposal for that, however, you should be able to store this information in storage or cookies relatively easily, if it matters to you (I'm not really sure there's a use case for this). |
|
+1 to Johann's comment. I'd also add that if Chrome were to expose the most recent top-level interaction timestamp, and the embedded context were able to read it (before having called |
|
Got it, thank you both |
|
thank you @cfredric Apologies for the delay in response.
To me this doesn't sound right and not practical and makes it completely painful for our third party SASS applications. Take an example of the typical SASS app usage, the whole point of embedded app is to take away the need for users to navigate to a different domain/tab and rather have it within the users workspace and work along side with other apps. (Example Call handling app along side with the CRM providers like Salesforce , zendesk or even customer own solution) so in this case asking users to open embedded site in a top level site is breaking the whole usability aspect of it.
that's at least perfect for our SASS applications and Firefox and Safari does great in this area.
Yes they do understand the prompt as we make it clear to them with a banner which asks to grant access and provides links to SASS app FAQs.
At least from our data, it's Always. How do we discuss further about making the top level interactions optional or follow the same model as safari or firefox to be consistent? |
|
Hi @jagadeeshaby,
To be clear, the requirement of an interaction in a top-level context is only necessary if your embedded application needs to use unpartitioned state. Unpartitioned state is particularly sensitive because it allows an embedded site/app to track a user as they browse the web. If your SaaS (I assume this is what you mean instead of SASS?) application does not need unpartitioned state, then it can freely use partitioned cookies and partitioned storage without needing to prompt the user and without the user visiting it as a top-level site. With that in mind, I'd like to understand your application's requirements better, to understand the following:
If I understand correctly, the only reason for a SaaS app (which is always embedded) to require access to unpartitioned state would be if the app is embedded under multiple top-level sites and needs to recognize a single user as they visit multiple of those sites. I understand your app is embedded under many top-level sites, but does it actually need to recognize a single user across multiple sites? If so, can you elaborate on why? (My impression is that this isn't necessarily required for an embedded SaaS application, but I'm happy to be educated otherwise.) Alternatively - can you rely on partitioned state for the majority of your users, and only impose the top-level user interaction and Storage Access API permission prompt for the presumably-small population of users who use your application across multiple sites? I'm also curious about the answer to a previous question of mine:
Can you help me understand why opening a single tab (once) is an unrealistic burden for your app? I understand that the UX is no longer "seamless"/transparent, but from the browser's point of view, that can be viewed as an improvement since the user now has more control and awareness of how their data is used and flows throughout the web. When designing the Web Platform, Chrome strives to put users' needs (e.g. for control and information) above web developers' needs (e.g. for seamless UX). See https://www.w3.org/TR/design-principles/#priority-of-constituencies.
Interesting, this seems like it disagrees with a previous statement in this thread: "now the end user needs to interact with a site that they never knew they were using" (emphasis mine). Did your app recently change to show the banner to users? Or do users get a different experience depending on which browser they are using?
I think this is the appropriate forum to discuss Chrome's behavior in this regard. CC @helenyc |
|
Thank you for the response, and yes my bad and thanks again for Correcting SASS as SaaS.
This is for the SSO use case, where Unpartitioned cookies are set ( either via SSO Popup, Redirections - Form Post) and made available on the SaaS app domain which are required for embedded SaaS app to function.
SaaS app is behind the specific Authentication and our users well aware of the SaaS app provider. As a first step , SaaS app displays a Banner which talks about why they need to provide access and links to public FAQs doc for more details.
Partially true, but it's more of Customer A using SSO enabled link to access the embedded SaaS app, consider User clicking on a SAML enabled link which does some redirections and after the successful SAML token assertion, it reaches the SaaS app domain which sets the cookie and ultimately redirects to Customer domain. Below is the simplified version of the interactions. Step1: User clicks on login button (points to SAML SSO) on their company website, which looks like - https://saml-sso?relay-state=https://SaaS.com?destination='https://customer.com' Step 2: SAML SSO URL redirects to relay state after the SAML token assertion (success(), which looks like https://SaaS.com -> recognizes the user and sets the cookie and redirects to destination URL - https://customer.com which gets validated against the customer registered URLs. Step 3: https://Customer.com -> uses the Javascript library and loads the SaaS app in an iframe and at this point the SaaS app should have access to the cookie set in step 2, but it fails due to all the 3p cookie deprecations. Step 4: to tackle the failure in Step 3 and to keep least integration changes on the customer side, we introduced RSA banner to get access to unpartitioned cookies which explains why users should click on continue and grant access , Step 5: user clicks continue button within the RSA banner and supposed to continue accessing the SaaS app but it fails with top level interaction error. This is where we are stuck! Will respond to other questions in the next thread ( becoming too long) |
Not necessary and this isn't our use case to consider.
I don't quite understand this suggestion. As SAML login flow executes directly on the top level site (not in an embedded state), having partitioned cookies doesn't mean much to the embedded App. Yes if SAML login flow could execute within the embedded context of the same top level site , then it make sense, this again has lot of challenges such as IDP needs to enable embedded login, SAML login flow include few apps which doesn't work in an embedded flow and this is potentially a multi year project to support and migrate all 100 of thousands of integrations)
I'm seeing this more from a user perspective, everything we do here is to keep our users effective from day 1 on their workload ( every seconds count and billed), adding additional burden of RSA banner, native RSA popup and now additional browser popup is adding more churn to the whole workload. What we have seen so far is our customers hate browser popups and lot of our customers have popups disabled by default.
We need find a balance here to optimize the experience and categorize the type of apps and collect other type of signals such as SSO enabled, some sort of a token etc to avoid putting burden on the users to satisfy some good to have rules. were there any obvious reasons why firefox/safari doesn't have this restriction (i believe they work backwards from customers and learnt their ways)?
Yup as explained before, this is a hard call we took to degrade the experience by introducing the another layer with a RSA banner ( just for gaining 3p cookie access), We created this banner as a whole page hosted on the same SaaS app domain and we made this configurable in terms of theme and message so that our customers can show the messages and theme it depending on their users behavior. Users will always have a same experience across the browser depending on whether the RSA API resolves in permission grant or Deny. in case of Granted , we directly take users to page where they continue their workload else we show the banner where they click continue ( explicit interaction) which then may/may not show the native RSA popup and takes users to desired screen. |
|
Hi, thanks for the additional details!
This means that the user must visit the SSO site (== the SaaS site) in a top-level context (either as a popup, or via a redirect), right? (I think the example URL you give in step 2 below confirms that the user does visit saas.com in a top-level context.) So it sounds like the user has visited your site (which set an unpartitioned cookie), but they haven't necessarily interacted with your site in a top-level context. Am I understanding correctly? If so, then this is an area Chrome is still thinking about, looking for possible ways to ease/reshape this requirement while still protecting our users from trackers and abuse. The challenge is that this pattern looks identical to bounce tracking, which Chrome is working to mitigate. If you have suggestions for how Chrome might be able to distinguish your usage from typical bounce tracking on the web, I'd love to hear them! Alternatively, if you can add a step where your user interacts with the SSO domain during the redirect (e.g.), that would also resolve this from a technical standpoint. |
Yes that's partially true, it may also happen that customers doing all of these in an hidden iframe as well |
i think the challenge here is , now user has to perform 3 additional clicks and a popup hassle. one Click within the popup , and another within the embedded banner and one more with the native browser popup. honestly we don't want to put this as a recommendation as there are 3 potential areas where our users might get stuck and could result in completely disrupting the work load and hence at the moment our go to option is to scrap all the RSA work and tell customer to use Enterprise policies and enable deprecation trial ( third party) as a alternate options to buy some time and focus on building long term auth solution which involves multi year dev effort and migration efforts for customers. Whole effort for us to invest on RSA is to provide some consistent , safe options for few quarters till we build a long term path for them, but with all of this complication it doesn't sound worth investing more on this route |
To me, it sounds like we should evaluate and learn from what Firefox is doing here, they seem to have solved this challenge and follow the same model if possible, our other option for customers now is to say start using Firefox to gain more efficiency as it involves less clicks. |
|
Hi, I am hijacking this issue as it seems to be very similar to my own use case (Let me know if it's not appropriate and I will open another issue). ContextOur application can be embedded on various partner websites with 2 login processes
We have 3 main scenarios:
Scenario 1The partner could have a seamless integration:
With 3P cookie phase out, we will have to use Partitioned cookies to reproduce the same user experience. The main downside is that the user won't be automatically logged in if he encounters our application embedded on a different partner website or if he opens our application at top level. Scenario 2At the moment, if the user is logged in on our side (unpartitioned cookie), the application can directly be loaded in the background. And if he isn't, he could go through a login popup (without any top level user interaction since the user will only interact with his SSO in the popup). With 3P cookie phase out, from my understanding, this is going to be more troublesome, and authentication will require the following steps:
DiscussionThe solution we currently considerAt the moment CHIPS specification is not very clear to me, but from my testing (Chrome Version 120.0.6099.18 (Official Build) beta (x86_64)):
To tackle the 2 scenarios described above, we would need both a partitioned cookie solution as well as an unpartitioned cookie one. What would enhance user/dev experienceEven then, the user experience is not ideal, and the use of 2 cookies feels messy. Here are a few suggestions that could enhance the overall experience without costing too much in terms of privacy (in my opinion at least):
Questions
|
|
Hi @tzhao-symphony, Agreed, this does sound like a similar problem. Again, I'd love to have your suggestions on how the browser can distinguish the "seamless" flow you describe from the silent cross-site tracking that is possible via bounce tracking and third-party cookies today, in order to protect users from tracking while enabling your applications to keep working in the more-private web of the future. And I'd love to hear why engaging with the user in a top-level context (once, not every visit!) is not feasible as part of the SSO flow, as well. With regard to your questions specifically:
I don't work on CHIPS, so I don't know the answer to that. I suggest looking through https://github.com/privacycg/CHIPS/issues and asking this question there, if it isn't addressed yet.
I recommend asking this on the CHIPS repository as well. My gut instinct would be to try to deduplicate data that's shared between partitioned/unpartitioned cookies (it's impossible for things to get out-of-sync if there's only one thing to update), but I haven't thought through things like partitioned anti-CSRF tokens.
In Chrome, an iframe that has obtained storage access can still access the partitioned cookies available in that context, in addition to the iframe's unpartitioned cookies. Requesting storage access via
This could be possible. But Chrome's current implementation already allows the prompt to be a one-off, if the user uses that embedded application on that site at least once a month. So, since the "always" option would only be useful for people who rarely use the embedded application, I'm not convinced of the benefit here.
We're still thinking about this and exploring the options here. We'd love to know what you suggest as a requirement instead of the top-level user interaction requirement, but I don't see a way to simply remove it like Firefox currently does. (Remember that Chrome deletes cookies on top-level sites that do this kind of interaction-less redirect, to protect our users from bounce tracking as I mentioned above. So even if Chrome waived the top-level interaction requirement, the cookies would get deleted anyway, unless Chrome also relaxed its bounce tracking protections -- which I believe is unlikely, and which I don't think would be good for our users. So we need a different solution here, which I'd love your input on.)
Clearing browsing history (via
Uncertain right now. Browser vendors are still working on some ideas in this space (e.g. https://github.com/bvandersloot-mozilla/top-level-storage-access), so Chrome is participating in those discussions right now. |
|
Hi @cfredric The reason why we need to duplicate the cookie is that:
Now let's say a user does the following and 3p cookie are not phased out yet:
Duplicating the cookies will ensure that both Partitioned cookies and unpartitioned cookies are always up to date whether 3p cookies are phased out or not (I am not sure the UI can detect that). If 1p Partitioned cookies were accessible thanks to storage access, that would make the flow simpler. In a first iteration we could always set Partitioned cookies and expire Unpartitioned cookies (so that left overs from the previous backend version would be cleaned up). Are there scenarios where we don't want 1P CHIPS to be shared with a 3P embed that was granted storage access?
Ok I think I got mixed up between the initial
The user already needs a user interaction within the embed to get the prompt, which shows that he wanted to interact with the embed. Even in case of a missclick, he would then need to willingly accept the prompt. So the combination of the user interacting with the embed + accepting the prompt tends to show that the user really wanted to use and grant storage to the embedded site.
|
|
Hi, apologies for the slow response.
IIUC when you say "1p Partitioned cookies" you mean partitioned cookies whose partition key is the same as the site that set the cookie? I.e., partitioned cookies that were set by the top-level context itself? If so, I don't see the difference between using the site's unpartitioned cookies and using the site's 1P partitioned cookies. Both kinds of cookies can be set in a first-party context, and the Storage Access API already makes unpartitioned cookies fully available in cross-site iframe contexts. (1P partitioned cookies are currently intentionally unavailable in cross-site iframes.) If your application gets confused by obsolete unpartitioned cookies, you can just update/delete the unpartitioned cookies when you set the partitioned cookies. Am I missing something?
I think you're assuming that the top-level page and embedded frame are benevolent. Malicious actors do things like clickjacking attacks, which means that statements like "the user clicked on this frame intentionally" are not universally true. Chrome must assume that there are malicious sites that will try to misuse whatever features we provide.
Part of Chrome's goal is abuse prevention and avoiding prompt fatigue. It should not be easy to trigger a prompt for the user, since that's a disruptive experience and forces the user to make a decision. So we want to restrict that capability so that prompts can only be created by sites which the user is familiar with (and can therefore make an informed decision about), e.g. sites that the user has visited recently.
Thanks for these suggestions! Your first bullet is related to discussion happening in privacycg/storage-access#60. I agree with my colleague johannhof, there's potential to improve the UX here. Your second bullet is an interesting thought, but I'm not sure it's a good idea. It would make the behavior of Your third bullet is related to privacycg/nav-tracking-mitigations#65; feel free to chime in there. Your fourth bullet is also a potential feature request for the bounce tracking effort; I think it'd be better to discuss there with the folks who own that repository, rather than here. |
Hi @cfredric,
I am trying to get a better understanding for the error message:
Request denied because the embedded site has never been interacted as a top-level context.My questions are:
As an example for question 2, company A has a chat widget that also comes with APIs where developers can use to interact with said widget. Company A provides the option to hide the default chat widget from the HTML and allow company B to build their own UI and then interact with the chat widget via the APIs. The default chat widget becomes a proxy in this use case. Now with requestStorageAccess, users have to interact with the default widget in order to be granted permission.
The text was updated successfully, but these errors were encountered: