Some time ago, Safari started to block third-party iframes from storing its data in cookies or local storage. It affects all Atlassian Connect apps.
They proposed to use Storage Access API (as a part of Intelligent Tracking Prevention technology) to work around it. Recently other major browser vendors (such as Firefox and Google) started to adopt Storage Access API. Could you please support it in Atlassian Connect?
The Connect front end API includes a Cookie module which is designed to allow apps to save and retrieve cookies.
Thank you for the quick response! Unfortunately, AP.Cookie API is very limited and doesn’t allow to store any significant amount of data (such as OAuth tokens for some providers). The problem was described here - Cloud apps can't access cookies in latest Safari versions.
Ideally, we would like to have something like AP.LocalStorage instead.
Please look at their requirements. You just need to add one more iframe sandbox attribute (‘allow-storage-access-by-user-activation’) to support this API.
@becker It’s still in experimental which could be a problem. It also needs review by security team which I’ve requested. Will post an update when we hear back
@dboyd yeah, I see. Thank you for considering it! By the way it is already supported by Trello - Add allow-downloads to iframe sandbox attributes.
I also checked the status of this attribute at the Chrome Platform Status website - https://www.chromestatus.com/feature/5612590694662144. It Safari & Firefox already supports it, and it is currently under active development in Edge & Chrome.
@becker Security team have given the OK. So, it’s on its way to production, should be available in a week or so.
As an experimental browser feature though, it’s “Use at your own risk”, so we’d recommend having a fallback in place
@dboyd Thank you very much for the quick reaction! We will test the new attribute and will let you know how it works for us.
Are there any updates on this? As far as I can tell,
allow-storage-access-by-user-activation is not in the sandbox scope of the iframes yet.
It was there for some time but now I don’t see it as well
@dboyd When should we expect the
allow-storage-access-by-user-activation token to be included in the iframe’s sandbox attribute? Or were those plans cancelled?
This is probably not a problem anymore since now AP.cookie works over browser local storage. Please see the related topic - Limitiations of AP.cookie.