I have been researching this issue for days now. I can't find anything on the forums, WHATWG email lists, Chrome blog, etc.
I write a third-party embedded app for various customers that is embedded in sites via script tag. Pretty standard stuff. There's a lot of critical functionality that implicitly requires us being able to set local/session storage values. Our app has both a "wrapper" script that runs directly on the client page, as well as an iframe that the wrapper embeds, which runs as a child frame.
We've gotten reports that our app breaks in incognito due to the fact that sessionStorage and localStorage are unavailable, which I'm able to reproduce. I understand the concept here, that these are unavailable in incognito for third-party iframes - however, I thought that third-party scripts still had sandboxed access to web storage in private browsing on the main page itself.
Does anyone know definitively if web storage is simply shut off/inaccessible? I wrote a cross-document messaging system to pass attempts to access localStorage off to the parent window/wrapper script; however, that doesn't seem to do the trick. I still get the errors from the wrapper saying it can't access it.
I am fully aware that there is a Chrome setting to turn off this behavior, but that is NOT an acceptable solution. Users should not have to change browser settings to use an application.
It's no particular code. Any attempt to use window.localStorage.setItem or window.localStorage.getItem will fail, with the error Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.
This is pretty standard behavior, but I thought it wouldn't do this for third-party scripts embedded on a site directly.
Thanks
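
The failure quoted in the post happens when the `localStorage` property is read, before `setItem` or `getItem` is ever called, so the property access itself has to be guarded. The following is an added example, not part of the original post: a storage probe that falls back to a per-page in-memory store when access is denied. The names `probeStorage`, `createStore`, `fakeBlockedWindow` and `fakeOpenWindow` are hypothetical, and the two fake windows are constructed stand-ins so the code runs outside a browser.

```javascript
// Returns the Storage object, or null when the browser denies access.
// The property read can throw on its own, so it must be inside the try.
function probeStorage(win, name) {
  try {
    const storage = win[name];          // may throw "Access is denied"
    const key = "__storage_probe__";
    storage.setItem(key, "1");          // may throw when storage is disabled or full
    storage.removeItem(key);
    return storage;
  } catch (err) {
    return null;
  }
}

// Uses real web storage when available, otherwise a Map that lives
// only as long as the page. `persistent` tells callers which one they got.
function createStore(win, name) {
  const real = probeStorage(win, name);
  const memory = new Map();
  return {
    persistent: real !== null,
    getItem: (k) => (real ? real.getItem(k) : memory.has(k) ? memory.get(k) : null),
    setItem: (k, v) => { real ? real.setItem(k, String(v)) : memory.set(k, String(v)); },
    removeItem: (k) => { real ? real.removeItem(k) : memory.delete(k); },
  };
}

// Constructed stand-in: reading the property throws, as in the post's error.
const fakeBlockedWindow = {
  get localStorage() {
    throw new Error("Failed to read the 'localStorage' property from 'Window': " +
                    "Access is denied for this document.");
  },
};

// Constructed stand-in: a minimal working Storage-like object.
function makeFakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
const fakeOpenWindow = { localStorage: makeFakeStorage() };
```

In a browser, pass the real `window` and either `"localStorage"` or `"sessionStorage"`; values written to the fallback are lost on navigation, so `persistent` should gate any feature that depends on data surviving a reload.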