Web storage partitioning should allow subdomains to share data

Currently WebKit partitions 3rd party web storage (window.localStorage/window.sessionStorage) strictly by the top-level page's domain.

So if e.g. http://example.com and http://help.example.com both iframe page http://3rdparty.com/widget.html, and widget.html saves some data in e.g. sessionStorage, then this data won't be available when the end-user browses from the root domain to the subdomain.

This behavior is inconsistent with other browsers, see e.g. https://github.com/privacycg/storage-partitioning/ where partitioning is by top-level origin (in this case example.com). It's also, I think, contrary to developer and user expectations to treat example.com and help.example.com as if they were completely separate entities for partitioning. Consider, for instance, a 3rd-party chat product wanting to support a continuing session as the end-user browses from one subdomain to another, or from parent domain to a subdomain.

This is exactly the situation we are running into. Any update on this from Apple?

We have an iframe that is in our domain (say https://www.mydomain.com/widget.html) that will be available in http://example.com and http://help.example.com. This iframe saves some data in https://www.mydomain.com and wants to access it when the user is in either the root domain or the subdomain. But Safari is preventing this, as it is partitioning separately for each instance of top-level domain and subdomain, which is definitely inconsistent with other browsers.

The only workaround I'm seeing is to uncheck the Prevent cross-site tracking option under Privacy settings in Safari. But we cannot ask each user to do this; that doesn't work.

@Benjamin_D were you able to get answers from Apple or anyone on this?

Looking more into Apple's own WebKit definition of "website" and "cross-site" terminology here (https://webkit.org/tracking-prevention/#terminology), there seems to be a contradiction with Safari's behavior here.

Website or site. A website is a registrable domain including all of its subdomains. Others define site to also include the scheme, making http://news.example and https://news.example be two different sites. For the purposes of this document, we consider http and https to be the same site, since cookies can (still) span schemes.

Cross-site. The user can be navigated across different websites or a website can load subresources from a different website. These are referred to as cross-site navigations and cross-site loads. When it comes to tracking, cross-site means tracking across different websites.

WebKit's definition of cross-site tracking says "When it comes to tracking, cross-site means tracking across different websites," and the definition of website includes subdomains too, so it is not really cross-site tracking and so the partitioned data should be shared across websites (domains and subdomains)?

I want to highlight this as I don't see any activity or movement in this thread, would love to get answers on this topic.

I see the same thing in our embedded chat use case at my company.

All other browsers are partitioning by top-level domain and not by subdomain.

It causes confusion and unexpected behavior when chat users lose their conversation when simply navigating to another subdomain of the same business (ex. sales.verizon.com and support.verizon.com).

We cannot maintain the user's chat identity/session without the storage persisting.

I hope there is a response from Apple on this inconsistent behavior in Safari soon.
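
The partitioning behaviour discussed in this thread, modeled as an added example that is not part of any post and is not WebKit or Safari code: storage keyed by the top-level host, as the posters describe Safari doing, beside storage keyed by registrable domain, the "website" of the WebKit terminology quoted above. `PartitionedStorage`, `keyByHost`, `keyBySite`, `sessionSurvives` and the three-entry suffix list are assumptions made for the illustration.

```javascript
// Added illustration: a model of partitioned storage, not WebKit or Safari code.
// Constructed sample of public suffixes; real browsers use the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix (i === 0) has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not present in this sample list
}

// Two ways to derive the partition key from the top-level page.
const keyByHost = (topUrl) => new URL(topUrl).hostname;
const keyBySite = (topUrl) => {
  const host = new URL(topUrl).hostname;
  return registrableDomain(host) ?? host; // fall back to the host: never widen a partition
};

class PartitionedStorage {
  constructor(keyFn) { this.keyFn = keyFn; this.buckets = new Map(); }
  // Storage area an embedded frame sees: (top-level key, frame origin).
  area(topUrl, frameUrl) {
    const key = `${this.keyFn(topUrl)} ${new URL(frameUrl).origin}`;
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
}

// Does a value the widget wrote under one top-level page show up under another?
function sessionSurvives(keyFn, fromTop, toTop, widgetUrl) {
  const store = new PartitionedStorage(keyFn);
  store.area(fromTop, widgetUrl).set("chatSession", "constructed-session-id");
  return store.area(toTop, widgetUrl).has("chatSession");
}

const WIDGET = "http://3rdparty.com/widget.html";
console.log(sessionSurvives(keyByHost, "http://example.com/", "http://help.example.com/", WIDGET));
console.log(sessionSurvives(keyBySite, "http://example.com/", "http://help.example.com/", WIDGET));
console.log(sessionSurvives(keyBySite, "http://alice.github.io/", "http://bob.github.io/", WIDGET));
```

Keying by registrable domain depends on the Public Suffix List: a shortcut such as "last two labels" would place alice.github.io and bob.github.io, which belong to different parties, in the same partition.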
