Portal not working after the introduction of the new experimental storage partitioning feature

[GitUser11211]

Hello,

Our portal shares auth tokens between 2 domains using an iframe and that is no longer working due to the new "Experimental third-party storage partitioning". We have tried this workaround by registering for a temporary token here -> https://developer.chrome.com/origintrials/#/view_trial/-8517432795264450559 but this is not working.

Can someone kindly provide some guidance/troubleshooting steps to help me fix this?

Here is some more background information and the general workflow that we are dealing with:

1. In the browser, navigate to signin.abc.com
2. Authenticate the user using a login form.
3. Generate an auth token and set it on signin.abc.com local storage.
4. Click on link to navigate to another domain xyz.com
5. On xyz.com we frame in signin.abc.com and copy the auth token with frame communication. Expected result is that the auth token is now on xyz.com.
6. Prior to chrome introducing this new feature, this would work. But now, it only works if the partitioning is disabled.

We have added the trial token (https://developer.chrome.com/origintrials/#/view_trial/-8517432795264450559) on all HTMLs of signin.abc.com (this is the framed-in portal). However, the auth token is still not being copied over to xyz.com

As stated above, after the user authenticates at signin.abc.com, the auth token is set on signin.abc.com. I have tried multiple trial tokens, some on signin.abc.com and the others on abc.com. I have also tried checking and unchecking the 'subdomain' option (when registering for the token), but that did not work either. Please help.

[miketaylr]

We have added the trial token (https://developer.chrome.com/origintrials/#/view_trial/-8517432795264450559) on all HTMLs of signin.abc.com (this is the framed-in portal). However, the auth token is still not being copied over to xyz.com

Hi @GitUser11211, apologies for the delay in responding.

I assume you've read https://developer.chrome.com/blog/storage-partitioning-deprecation-trial/ - one thing to note is that this is a 3rd party deprecation trial.

In practical terms, this means that at step 5, signin.abc.com will need to inject its 3P token (via JS) into xyz.com before creating its iframe.

Side question: did the previous flow work in Firefox and Safari?

[GitUser11211]

This flow did not seem to work in Firefox and Safari, but having said that, this workflow was only ever supported in chrome. We did not notice this issue with chrome until this trial.

So, not sure what you mean by 'inject' but I tried this in the javascript before creating the iframe:

const link = document.createElement('meta');
link.setAttribute('http-equiv', 'origin-trial');
link.content = "TRIAL_TOKEN_FROM_GOOGLE";
document.getElementsByTagName('head')[0].appendChild(link);

No luck though, still broken. Any other pointers would help. Any working examples will be great.

So for the trial token, I generate 2 separate tokens, one for the domain signin.abc.com (Third party Yes; Match subdomains Yes) and also for domain abc.com (Third party Yes; Match subdomains Yes). I tried the workflow with both tokens separately. Both did not work.

[arichiv]

Is the script that you have injecting (creating via JS and then including in the DOM) from the third party origin you wish to disable partitioning for? If it's a script from the same origin as the top-level site that won't work.

[GitUser11211]

This is a javascript that is hosted on signin.abc.com (if you can kindly review my workflow from my earlier comment). This domain (signin.abc.com) is the one I have registered for a trial token. On xyz.com, we frame in signin.abc.com and copy the auth token (different from the trial token that google gives us) with frame communication.

1. Per your statement, this will not work, is that correct?
2. Will xyz.com have to inject this trial token?
3. Again, any working examples or samples you can point to would be very helpful.

[arichiv]

1. correct
2. it must be injected by the top-frame, ideally by a script from the origin that you want the origin trial token to be checked against, before the iframe is loaded.
3. https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/wpt_internal/webstorage/general-storage-deprecation-trial-third-party-enabled-local.sub.https.html