Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

make cross-site information accessible #127

Open
fcurti opened this issue Nov 30, 2023 · 7 comments
Open

make cross-site information accessible #127

fcurti opened this issue Nov 30, 2023 · 7 comments

Comments

@fcurti
Copy link

fcurti commented Nov 30, 2023

I need to share informations on several domains.

I have to accomplish, for example, the following use case

A login web page (a.login) write a cookie with some informations.
Some information needs to be retrieved on other properties ( a.myproperties, b.myproperties) where user navigates.

In login web page and other properties I can inject javascript (obviously).

I'm asking which is the best strategy to achieve this using the shared storage API.

@pythagoraskitty
Copy link
Collaborator

When you say:

Some information needs to be retrieved on other properties ( a.myproperties, b.myproperties) where user navigates.

Can you be a little more specific about what kind of information retrieval you will need?

Keep in mind that it's easy to write to shared storage, but there are intentional restrictions on reading from shared storage. Currently, there are two output gates: private aggregation reports and URL selection.

If I get a better sense of what kind of information you are planning to retrieve and/or how you are hoping to use it, I might be able to provide better suggestions of how to accomplish your task.

@fcurti
Copy link
Author

fcurti commented Dec 13, 2023

@pythagoraskitty
for example we need to retrieve the user PPID.

During user login on a.login the login service creates a cookie with ppid.
We need to read this ppid on other properties, for example a.myproperties1, b.myproperties2 and so on.

In this time we are using a 3rd party request to save the ppid as a cookie on a single remote domain (shared.domain)
As well we are using a 3rd party request on shared.domain to read the ppid and save the ppid in a cookie on domains where user navigates.

@b-hatley
Copy link

b-hatley commented May 3, 2024

Hi @pythagoraskitty, our company (Flashtalking) is also seeing the same issue, causing a major bump in our road to integrating with PS APIs. Below is an overview of our challenge:

As a creative ad server, we need to serve creatives from a CDN (cdn.flashtalking.com). At the same time, we also need the ability to read data in Shared Storage we previously set on the browser to personalize the creative during the ad request.

Currently, we are unable to complete this because our ad server engine, which is responsible for writing to Shared Storage and decisioning on the data within, runs on a secondary sub-domain (servedby.flashtalking.com).

Example flow:

  • User 123 visit Advertiser A’s site and looks at shoes.
  • Flashtalking sets "shoes" segment in Shared Storage with servedby.flashtalking.com
  • Flashtalking receives an ad request from Publisher XYZ for Advertiser A from User 123’s browser
  • Our ad request is fired from cdn.flashtalking.com, which is where our tag+worklet Javascript resides.
  • We are unable to read the segments in User 123’s Shared Storage, as they were written by servedby.flashtalking.com

We understand this limitation follows the web standard definition of same origin, but it is in direct contrast to how 3rd party cookies behave today, and thus breaks a critical path for tech vendors to gain access to Shared Storage data.

@jkarlin
Copy link
Collaborator

jkarlin commented May 15, 2024

Thanks for the description @b-hatley . Is there any chance you can host your worklet script on servedby.flashtalking.com but leave the rest of the creative assets on cdn.flashtalking,com? That should solve your problem.

Meanwhile, we're discussing what it might look like for one shared storage origin to declare that it's okay for a worklet from a different origin to read its storage. It'd require opt-in from both origins.

@michaelgulak-ft
Copy link

Hi @jkarlin. Given how we will need to interface with the worklet and our established architecture, we are not able to host the worklet script on our ad server (servedby.flashtalking.com).

Would the opt-in be a one-time operation for each domain, similar to the attestations we've completed in the enrollment process?

@jkarlin
Copy link
Collaborator

jkarlin commented May 17, 2024

How the opt-in might work is still TBD. One possibility is making it part of enrollment. Another is to store the data in a .well-known file on servedby.flashtalking.com that only gets fetched infrequently (e.g., when the browser doesn't have the response cached locally).

pythagoraskitty added a commit that referenced this issue Jun 12, 2024
…orklet`

Currently, `addModule` only allows same-origin script. This was for convenience of the initial implementation, however, and is no longer necessary. 

The [worklet standard](https://html.spec.whatwg.org/multipage/worklets.html#dom-worklet-addmodule) does not contain this restriction. In fact, we have received [feedback](#127) from developers stating they would like to be able to host and run their worklet script on a separate origin---say a CDN---from the origin that owns and writes their shared storage data.

So we update the explainer to remove the same-origin restriction for `addModule`. We also note that, when the worklet script is cross-origin to the invoking context, the invoking context's origin is used as the partition origin for accessing shared storage.

Since `createWorklet` already allows cross-origin scripts, but currently uses the worklet script's origin as the data partition origin, updating `addModule` as described above without also making a change to `createWorklet` is liable to cause developer confusion in the long term.

We have therefore decided to align `createWorklet`'s default data partition origin with `addModule`'s. `createWorklet` will use the invoking context's origin by default. This is a breaking change, but current usage of `createWorklet` is low as it was just introduced in M125.

To preserve the ability to create a worklet whose script is cross-origin to the invoking context and then run operations on the worklet script origin's shared storage data, we introduce a new `dataOrigin` option for `createWorklet`. Passing `dataOrigin` with "script-origin" as its value will designate the worklet script origin as the partition origin for shared storage. For now, "script-origin" and "context-origin" will be the only allowed values for `dataOrigin`, when used. We’re considering adding support for separate data and script origins for `createWorklet` in the future.

A corresponding specification update will follow.
@jkarlin
Copy link
Collaborator

jkarlin commented Dec 12, 2024

An update on this. We've decided on the .well-known address approach and it's described now in the explainer here.

We're currently targeting M133 but nothing is definite.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants