What should I do if an enterprise has more than 5 different domain names that all use the same domain name security service? #179

Open
Yekongs opened this issue Sep 26, 2023 · 1 comment

Yekongs commented Sep 26, 2023

For example, an enterprise has multiple domain names such as A.com, B.com, C.com, D.com, E.com, F.com. The number of them exceeds 3, but they all use one within the enterprise, such as Z.com, to provide some security services. According to the rules, more than 3 Associates calling requestStorageAccess and requestStorageAccessFor will be automatically rejected. How to solve this problem?

@cfredric
Collaborator

> The number of them exceeds 3

I assume you know this based on the issue title, but Chrome's limit on the associated subset size is no longer 3, it is now 5. However, you listed 6 sites (plus a service site), so let me address your concern below:

  1. If your scenario really involves only 6 sites that all rely on the same service site, then this fits within Chrome's limits for RWS: 1 site can be the primary site, and the other 5 can be in the associated subset. All of them can call document.requestStorageAccessFor on behalf of the service site.
    • Alternatively, the service site can call document.requestStorageAccess when embedded in one of those sites, and the request will be automatically granted.
  2. If your scenario actually involves more than 6 sites (so the 5 associated sites + 1 primary site won't be enough), then you will have to choose which 6 of those sites should have the auto-granting behavior. The remaining sites can still be in the set (as service sites). Those service sites will be treated the same as any other site on the web - they can call document.requestStorageAccess and potentially prompt the user to ask for permission to use their unpartitioned cookies.

There's one other possibility, based on what you wrote:

> an enterprise has multiple domain names such as A.com, B.com, C.com, D.com, E.com, F.com. The number of them exceeds 3, but they all use one within the enterprise,

You've mentioned an enterprise. If you are talking about a company and its employees, and that company uses managed Chrome instances, then the company's enterprise admin can deploy the FirstPartySetsOverrides enterprise policy with a custom set or list of sets. The sets in an enterprise policy are not limited; they can use as many associated sites as they want.
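
The site-selection rule and the enterprise-policy alternative described in the reply above, as an added example that is not part of the thread or the project's own code. The helper names and the `.example` sites are hypothetical; the `additions` key follows Chrome's documented schema for FirstPartySetsOverrides and does not appear on this page.

```javascript
// Added example. The limit of 5 and the roles come from the reply above;
// function names and sample sites are hypothetical.
const MAX_ASSOCIATED = 5; // associated-subset limit quoted in the reply

// Normalise a site to its https origin and reject anything else.
function toOrigin(site) {
  const u = new URL(site);
  if (u.protocol !== "https:") throw new Error(`not https: ${site}`);
  return u.origin;
}

// sites: ordered by priority. The first becomes the primary, the next five
// the associated subset, and the overflow joins the shared service site.
// The result shows role assignment only, not a complete set submission.
function planPublicSet(sites, sharedService) {
  const origins = [...new Set(sites.map(toOrigin))];
  if (origins.length === 0) throw new Error("need at least a primary site");
  const service = toOrigin(sharedService);
  if (origins.includes(service)) throw new Error("service site listed twice");
  const [primary, ...rest] = origins;
  const associatedSites = rest.slice(0, MAX_ASSOCIATED);
  const overflow = rest.slice(MAX_ASSOCIATED);
  return {
    set: { primary, associatedSites, serviceSites: [service, ...overflow] },
    autoGranted: [primary, ...associatedSites], // auto-granting behavior
    mayPrompt: overflow, // requestStorageAccess may prompt the user
  };
}

// Managed Chrome only: value for the FirstPartySetsOverrides policy, where
// the associated subset is not size-limited.
function planEnterprisePolicy(sites, sharedService) {
  const origins = [...new Set(sites.map(toOrigin))];
  if (origins.length === 0) throw new Error("need at least a primary site");
  const [primary, ...associatedSites] = origins;
  return {
    additions: [
      { primary, associatedSites, serviceSites: [toOrigin(sharedService)] },
    ],
  };
}

// Constructed sample input: eight enterprise sites sharing one service site.
const sampleSites = "abcdefgh".split("").map((c) => `https://site-${c}.example`);
const publicPlan = planPublicSet(sampleSites, "https://z.example");
const policyValue = planEnterprisePolicy(sampleSites, "https://z.example");
console.log(JSON.stringify({ publicPlan, policyValue }, null, 2));
```

With eight sites, two of them land in `mayPrompt` under the public-list limit, while the enterprise policy value keeps all seven non-primary sites in `associatedSites`.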
