[FYI] Auto granting SAA requests in Android WebView via DAL

Hey all,

I wanted to give an FYI regarding WebView support for Storage Access API (SAA). While it is mentioned in the SAA with Prompts thread that WebView is not supported, SAA is callable from WebView and will determine results based on whether the Android application has enabled third party cookies (3PCs) for WebView. Ie: hasStorageAccess will return true, and requestStorageAccess will return granted when 3PCs are enabled.

I plan to now officially support SAA for specific auto-granted scenarios in WebView. WebView doesn’t have explicit UX outside of the web content besides some rare edge cases so prompts are difficult to provide as we would ultimately have to delegate that to the Android developer. For that reason, the plan is to initially only support auto granting requestStorageAccess and requestStorageAccessFor in WebView.

The auto grants will use two way verification via Digital Asset Links to determine if the Android app is loading a web page it has a strong relationship with - for example, I could make an app and have it load my own website. This will mean that Android developers will no longer need to enable 3PCs for all websites when they only need 3PCs on their own websites. This is good for both privacy and security.

The only difference in spec we are considering is whether it is necessary to have user activation in this context. It is also being discussed if prior top level interaction should be part of the spec; we will deviate here and propose a WebView carve out.

Let me know if you have any concerns or questions.