Can a page detect when SAA is disabled by sandboxing?

[drmercer-lucid]

Is there a way to detect if a page was loaded with storage access restricted by sandboxing?

Context: we recently started using the Storage Access API for authenticated embeds of content from our site in other sites, including an embed API that can be used by third-parties to embed Lucid documents in their sites.

However, if the host site sandboxes the iframe and doesn't include allow-storage-access-by-user-activation, the experience is quite bad: we show the user our "allow cookies" page, but when they click our button it immediately fails. So we tell them to try logging in to Lucid in a new tab (in case it was blocked due to the top-level-interaction requirement in Chrome/Safari), but when they do that and try again, it's still blocked, and the only workaround is for the user to turn off third-party-cookie-blocking altogether in their browser settings.

From our API's perspective, this situation isn't the user's fault at all, it's the host site's fault. Ideally we'd be able to detect this scenario and (1) inform the owner of the host site that they need to add the sandbox flag to use our API and (2) inform the user that the host page is misconfigured and offer a workaround.

What I've tried:

• navigator.permissions.query({name: 'storage-access'}) -> returns prompt even when sandbox disallows it
• document.featurePolicy.allowsFeature('storage-access') -> returns true even when sandbox disallows it

Any help here would be much appreciated.

[johannhof]

Hmm that is a good question... I'm not sure that's really possible right now. Exposing this somehow doesn't seem harmful to me on first glance, though I wonder if it's a problem that this would also allow sandboxed sites to understand that they are being sandboxed.

Wonder if @annevk, @bvandersloot-mozilla, @cfredric or @arturjanc have thoughts

[cfredric]

Hm, I wonder if the permission state algorithm also ought to return "denied" if the sandboxing flags prevent usage of a given feature (e.g. storage-access)? It looks like it currently takes permissions policies into account, but not the sandboxing flags.

With that said, that doesn't exactly help this use case, since the iframe still can't determine whether the permission was denied due to the user's decision vs due to embedder configuration. I'm not sure if that's WAI or not.

[arturjanc]

From a security perspective it's generally not a problem if we expose the (embedder-controlled) sandbox configuration to the embeddee, because the embeddee is, by design, restricted by the sandbox, so it can infer the config from the side effects of the restrictions.

If we wanted to do something special in SAA to expose this information explicitily, IMO it would be fine.

FWIW my guess is that the real problem here is that there's no API to explicitly expose the sandbox configuration to the document. We've run into this in some other situations, for example for document with the Cross-Origin-Opener-Policy header (which, when combined with the sandbox, results in a network error); so, arguably, the more general solution would be to build such a general API.

In the absence of this API, I think there are some workarounds that developers can deploy in similar cases. E.g. to detect configurations like <iframe sandbox="allow-scripts allow-forms"> you could check for window.origin == null (which is true for sandboxes without allow-same-origin). But if we assume that the embedder used a sandbox with all the sandboxing flags except allow-storage-access-by-user-activation then I don't think this would work.