-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Top level site partitioned cookies cleared by Javascript API #7
Comments
This sounds reasonable to me if we do not end up requiring that
IIUC if we do allow |
Yes it makes sense that embedded iframes can write to their own top-level partitioned cookies (unless HttpOnly of course), but I was only suggesting a top-level contexts being able to clear all storage, in its own origin as well as partitioned by any embedded origin, which the proposal already allows via the Clear-Site-Data response header. |
Actually, this proposal has changed and we are no longer giving top-level sites the ability to do this. Doing so would introduce an attack vector that top-level sites could use to interfere with code running in embedded frames.
We do not think top-level sites should be able to do this, since this would be a violation of the same-origin policy.
An interesting idea, but is there a reason that top-level sites would need this type of mechanism to pass along first-party state to embeds when they already have JavaScript and could write state to the DOM or through server-side collusion? |
Generating a Clear-Site-Data header may be difficult in many scenarios. There should be a way to delete partitioned cookies in script also,
At the moment sites can remove top-level cookies by writing to document.cookie, can clear localStorage etc., none of this is available for partitioned storage,
There was a Chrome experimental API for this, it should be made a standard.
The text was updated successfully, but these errors were encountered: