Replies: 6 comments 2 replies
-
|
Hi Tom — thanks so much for all the detail here. We'll take a proper look and respond. (A bit delayed, catching up after Google I/O!) |
Beta Was this translation helpful? Give feedback.
-
|
As another member of the cultural heritage IT community I support a solution that is robust and can be maintained by the very limited resources of the IIIF spec editors. Ideally, if Chrome supported the Storage API, it would save the editors from developing two separate solutions, one for Chrome and one for other browsers. I understand this use case serves a tiny niche in the Internet, and have no insight into the efforts required to implement a common solution in Chrome, but it would be good to know where the Chrome developers' opinion is at in this regard. Thanks. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @samdutton We've been checking in on the latest developments on First Party Sets and CHIPS to see if they help our use cases. First-Party SetsWe don’t wish to correlate user activity across sites, and we don’t need (or want) user identity to share beyond a single context. https://github.com/privacycg/first-party-sets/ says:
…that is: If my browser address bar is Site A and the page has image A and image B, cookies for site B will still be sent because A and B are in a first party set. BUT cookies for A would not be sent with that request for image B UNLESS site A’s cookies are explicitly marked So can our IIIF use case still use FPS? We could conceivably establish a formal trust relationship between publishers and clients if it’s the only way. But IIIF Publishers are not a typical first party set as defined, in that they:
Scenario
If the viewing app was running on bl.uk but the content was on nga.gov, nga.gov cookies would still be sent with nga.gov requests. This means that client applications that are not publishers (e.g., projectmirador.org, universalviewer.io, fromthepage.com, and many many more "unknowns" - my-example-annotation-tool.org) would also need to be members of the set, because they are the top-level context - the address in the browser address bar. You can’t run your own viewer/tool without registering as a set member, which rules out embeddable IIIF content. It seems we need a “trusted third party set” rather than a first party set. Members of that third party set permit a browser to send their issued cookies when they are in a third party context. Somehow related to Goals For The Origin Info Bubble - The Chromium Projects. Ideally this set is established from content, ad-hoc, with the user granting permission for third-party cookie behaviour for the origins required right now by the page/viewer (likely to be only 1 or 2 distinct origins). That could still have the protection of a publisher list; you can’t trigger the browser to ask the user for permission for third-party-cookie-sending if that third party is not on a list. This would allow client applications (viewers, annotation tools, web pages with images) to remain untrusted (not on the list). Cookies Having Independent Partitioned State (CHIPS)
This is the inverse of our problem. The top level context we want the cookies available in would be the viewer/annotation tool, which is never where the cookies are created. We don’t need to create the cookie in a third party context. The cookie for site A is always set by a user interacting with the origin in a first party context, typically via site A’s login page. Later, the browser needs to know it can send that cookie. We need a feature where the cookie is only sent in a 3rd party context if it was acquired in a first party context (and not surreptitiously from evil-tracker.com). This sounds more like the Storage Access API; the third-party site A cookie is sent by the browser because the browser knows it was set when site A was in the address bar. And if that was some time ago or the browser is otherwise suspicious of it, there is a mechanism to ask the user whether to grant permission to send it cross-domain. Rather than the diagram on the CHIPS page, we need this: User on green.com SummaryWe could work with something like a FPS, but where membership is quite flexible, and only permits the browser to send third party cookies if they were acquired in a first party context, with a significant interaction in that context (no cheating by flashing open a window, setting a cookie and closing it). |
Beta Was this translation helpful? Give feedback.
-
|
Hi @tomcrane Thanks for the question — and all the detail. We'll take a proper look and get back to you. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for sharing your use-case with us! We are certainly mindful that a wide variety of applications rely on third-party cookies, and intend to provide guidance for use-cases as they come to our attention. Chrome currently does not plan to ship Storage Access API as a long-term general-purpose API that allows access to third-party cookies; but we hope to recommend purpose-built APIs depending on the use-case, so that they can provide the right user experience, and privacy guarantees for the long-term. First Party Sets (FPS): We don’t think FPS would be the right solution here; since the IIIF publishers that you listed as examples (bl.uk, nga.gov, bnf.fr, etc) clearly do not share a common owner and controller, as specified in the UA Policy for FPS. However, we wanted to clarify a few things:
In this scenario, is image A hosted on site A, and image B on site B? In that case, A’s cookies would not be sent on the request for image B (even without any third-party cookie restrictions) as per the Same Origin Policy for cookies. Only cookies associated with site B may be sent on the request. (“may” because cookie inclusion rules related to the SameSite and Domain attributes apply) However, cookies for the embedded third-party site B must be marked SameParty.
Correct, same origin policy still applies. The fact that a member domain has access to credentials on its own domain may allow it to correlate user activity across other member domains that it is embedded on; but we don’t expect that all sites will use it to do so. CHIPS: Partitioned cookies might be a potential direction if you are okay with having the user re-authenticate on publisher.org when they’re on viewer.org. Would that be acceptable to you? This is not currently possible with CHIPS, but we are considering proposing some new functionality that would allow viewer.org to create a partitioned navigation/popup window to publisher.org. This publisher.org document would not have access to the same cookies as if the user had independently navigated to publisher.org in a first-party context; but would have cookies “partitioned” to viewer.org. Trust Tokens? - We have a follow-up question on something you said on the original post:
It might be worth considering whether a solution like Trust Tokens might be useful here. Could you clarify whether:
|
Beta Was this translation helpful? Give feedback.
-
|
Hi @krgovind Many thanks for your reply!
Yes
This might be a possible approach. One of the principles of our auth spec is that the login process is clearly external to the viewer, at the publisher's site. E.g., it's not in some JS popup without an address bar. The user goes there in a new tab/window, an obvious (to the user) first party context. Once back on viewer.org, requests for images at publisher.org are accompanied by the cookies acquired through that login, and viewer.org client code can be confident that they won't be 40x responses.
Does this mean that publisher.org, in that popup, can set cookie(s) partitioned to viewer.org, that will then be included on requests to publisher.org images made from viewer.org? Additional API around the showing of that navigation/popup, including a message indicating success, could simplify the flow of our spec, which currently involves a
It would need to be on a per-resource basis. Although we simply talk about image requests to focus on the sending-of-third-party-cookies problem, each image resource has an associated service endpoint that we probe to determine whether the user can see the image. In practice, a user will sometimes have the same access to all of a publisher's images, and it is a boolean decision. But this is not always the case, especially in higher education / e-learning scenarios, and for archival content, where permission maybe very specific and accompanied by varying terms.
This is probably acceptable if use of these tokens simplify the flow elsewhere! This slide deck has an explainer about IIIF Auth: Slide 21 has an "English language" version of the process - even stated like that it's quite complex!
Once again, many thanks for your reply! |
Beta Was this translation helpful? Give feedback.
-
@krgovind It would be great to see documentation about this proposal if it moves forward. One question that came up during today's IIIF call was whether this mechanism could accommodate auth workflows that redirect (e.g., to sso.publisher.org) prior to setting the cookie in the popup window. |
Beta Was this translation helpful? Give feedback.
-
|
Hi all, I'd like to provide an update on Chrome's plans with regard to the Storage Access API. Chrome now plans to implement the Storage Access API; I've written up details about what exactly this means here: https://github.com/cfredric/chrome-storage-access-api. From what I understand, this will not fully address your use case, since the recent security improvements of the Storage Access API now require that an embedded iframe call |
Beta Was this translation helpful? Give feedback.
-
(Adapted from privacycg/storage-access#72)
This use case was discussed on the W3C privacy-cg community call of 22 April: https://github.com/privacycg/meetings/blob/main/2021/telcons/04-22-minutes.md
Our current auth patterns, described at https://iiif.io/api/auth/1.0/, are dependent on third party cookies.
This specification is for museums, libraries and archives (any one else) publishing access-controlled material that conforms to the IIIF specification.
Simplified expression of problem
Starting condition - user is logged in at publisher.org and has a session. On a web page at publisher.org, user can view access controlled images because the session cookie is sent with the image request.
Over at viewer.org, the user is working on an art annotation project using this same image from publisher.org. Even though a direct first party request for https://publisher.org/image.jpg works for the user (because they have a session), when that request is initiated from viewer.org, the image is broken because the browser policy no longer permits third party cookies to be sent.
Cross domain interoperability for access controlled images relies on third party cookies. Recently implementations have had to make sure they were using SameSite headers correctly, but it still worked.
We understand that the web feature that enables this interoperability is the same web feature that is abused by trackers. Consensual opt-in to third party cookies via browser API solves this more elegantly. Our experiments with the Storage API (in Safari, Firefox and Edge) suggest that our current spec can be revised to include use of the Storage API to gain the user's consent for sending third-party cookies on a domain-by-domain basis.
Another part of our spec is about how viewer.org client code learns whether the user has credentials for https://publisher.org/image.jpg without having to know anything about the credentials themselves, which might be a use case for isLoggedIn.
Summary
Recent browser developments have broken our spec, but we think that a revision that incorporates the storage API can get it working again in browsers that continue to support third party cookies.
We're not sure where this leaves us with Chrome.
To be clear, the use cases for our spec are not about tracking (we don't need to track) or even establishing identity - the client doesn't need to know who the user is, just whether they can see a resource. Although it could be used in a commercial context, there are no advertising or other commercial drivers behind this specification, it's all about interoperability of content, that for various reasons (most commonly today, cultural sensitivity) is behind some form of access control.
We need:
If Chrome removes support for third party cookies, can we use Privacy Sandbox to meet the same use case?
Links
Beta Was this translation helpful? Give feedback.
All reactions