Merged
Binary file modified public/og-default.png
Binary file modified public/og/checklist.png
Binary file modified public/og/spec.png
Binary file modified public/og/spec/privacy.png
Binary file added public/og/spec/privacy/storage-access-api.png
8 changes: 8 additions & 0 deletions src/content/changelog/2026-07-05-storage-access-api.md
@@ -0,0 +1,8 @@
---
title: Added a page on the Storage Access API
date: "2026-07-05"
type: added
relatedSlugs: [storage-access-api]
---

Added a page on the [Storage Access API](/spec/privacy/storage-access-api/) — the W3C Privacy Community Group standard that lets embedded cross-site content request its own unpartitioned cookies behind a user gesture, instead of asking visitors to switch off tracking protection. Marked `optional`, as it only applies to sites that embed cross-site content needing first-party state (SSO, federated identity, signed-in widgets); browsers have shipped it for years.
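Review bot: the `relatedSlugs: [storage-access-api]` entry is unprefixed, while cookie-attributes.md and permissions-policy.md in this same PR reference the new page as `privacy/storage-access-api`; confirm that the changelog collection resolves bare slugs (the new spec file omits the prefix only for same-category links such as `third-party-scripts`), otherwise the related link will dangle. Also check that `date: "2026-07-05"` follows the changelog's existing quoting convention, since the spec front matter records the same day as a full ISO timestamp in `updated`.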
50 changes: 50 additions & 0 deletions src/content/spec/privacy/storage-access-api.md
@@ -0,0 +1,50 @@
---
title: "Storage Access API"
slug: storage-access-api
category: privacy
summary: "As browsers partition and block third-party cookies, embedded cross-site content uses the Storage Access API to request its own cookies behind a user gesture — instead of asking visitors to switch off tracking protection."
status: optional
order: 45
appliesTo: [all]
relatedSlugs: [third-party-scripts, cookie-consent, security/cookie-attributes, security/permissions-policy]
updated: "2026-07-05T10:00:00.000Z"
sources:
- title: "The Storage Access API"
url: "https://privacycg.github.io/storage-access/"
publisher: "W3C Privacy Community Group"
- title: "MDN — Storage Access API"
url: "https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API"
publisher: "MDN"
- title: "MDN — Document: requestStorageAccess() method"
url: "https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess"
publisher: "MDN"
---

## What it is

The Storage Access API lets cross-site content loaded in a third-party context — embedded in an `<iframe>` — request access to its own unpartitioned cookies and storage: the state it would have as a first-party document but is denied when embedded. An embed calls `document.hasStorageAccess()` to check, and `document.requestStorageAccess()`, behind a user gesture, to ask. The browser grants or denies, sometimes after prompting the user. It is standardised by the W3C Privacy Community Group and ships in Chrome, Firefox, Safari, and Edge.

## Why it matters

Browsers are phasing out unrestricted third-party cookies to stop cross-site tracking. Firefox (Total Cookie Protection) and Safari (Intelligent Tracking Prevention) partition or block them by default, and Chrome is moving the same way. That also breaks legitimate cross-site flows: single sign-on with a federated identity provider, a shared account or comment widget, or personalisation served from a sibling domain. The old workaround — telling visitors to disable tracking protection or add an exception — trades every user's privacy for one site's convenience, and increasingly does not work at all. The Storage Access API is the standards-track replacement: it restores access for the specific, legitimate case behind an explicit user gesture, without reopening the site to tracking.

## How to implement

- Reach for it only when embedded content genuinely needs its own unpartitioned cookies — SSO, federated identity, a signed-in widget. A first-party site setting its own cookies never needs it.
- From the embed, call `hasStorageAccess()`; if it is false, call `requestStorageAccess()` inside a click or tap handler — it requires transient activation (a user gesture). Await the promise, load the credentialed view on success, and degrade gracefully on rejection.
- Cookies must be `SameSite=None; Secure` to travel cross-site (see [cookie attributes](/spec/security/cookie-attributes/)), and the whole flow works only in a secure (HTTPS) context.
- The embedding page must permit it: an `allow-storage-access-by-user-activation` sandbox token on a sandboxed iframe, and no `storage-access` [Permissions-Policy](/spec/security/permissions-policy/) blocking it.
- For already-granted permissions and passive resources, the `Sec-Fetch-Storage-Access` request header and `Activate-Storage-Access` response header let the server skip a round trip; add `Vary: Sec-Fetch-Storage-Access` when you branch on it.

## Common mistakes

- Calling `requestStorageAccess()` outside a user gesture — it rejects without transient activation.
- Forgetting `SameSite=None; Secure`, so cookies are never sent even after access is granted.
- Treating a grant as permanent; grants lapse (around 30 days without interaction) and must be re-activated per context.
- Using it as a tracking loophole. Browsers gate it on prior first-party interaction and user prompts precisely to prevent that.

## Verification

- In an embedded frame, log `await document.hasStorageAccess()` before and after the request flow.
- Check the browser's storage or privacy panel for the granted `storage-access` permission, keyed to `<top-level site, embedded site>`.
- Confirm the credentialed request carries cookies in the DevTools network panel, and that `Sec-Fetch-Storage-Access` reports `none` / `inactive` / `active` as expected.
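Review bot: the "Why it matters" sentence `Chrome is moving the same way` is the one browser-roadmap claim on the page that none of the three listed sources (the spec and two MDN pages) supports; either cite a Chrome source or soften it to describe what Chrome ships today, because this is the paragraph that justifies the page's `optional` status. In "How to implement", the header bullet names `Sec-Fetch-Storage-Access` and `Activate-Storage-Access` but never says what the server should do for each of the three values the Verification section expects (`none` / `inactive` / `active`); one line on the `inactive` branch, where a grant exists but is not yet active for this request, would make the bullet actionable rather than descriptive.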
2 changes: 1 addition & 1 deletion src/content/spec/privacy/third-party-scripts.md
Expand Up @@ -6,7 +6,7 @@ summary: "Every script loaded from another domain can read cookies, see the URL,
status: recommended
order: 40
appliesTo: [all]
relatedSlugs: [cookie-consent, analytics-privacy, security/content-security-policy, security/subresource-integrity]
relatedSlugs: [cookie-consent, analytics-privacy, storage-access-api, security/content-security-policy, security/subresource-integrity]
updated: "2026-05-29T09:13:20.000Z"
sources:
- title: "MDN — Content Security Policy (CSP)"
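Review bot: `updated: "2026-05-29T09:13:20.000Z"` is left unchanged although the file changes; if `updated` feeds a last-modified display or a feed, decide whether a relatedSlugs edit should bump it and apply the same rule to the cookie-attributes and permissions-policy edits in this PR. The bare `storage-access-api` slug matches the same-category convention the new spec file uses for its own `relatedSlugs`, so the back-link is consistent.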
2 changes: 1 addition & 1 deletion src/content/spec/security/cookie-attributes.md
Expand Up @@ -6,7 +6,7 @@ summary: "Every cookie should be Secure, HttpOnly where possible, and have an ex
status: required
order: 100
appliesTo: [all]
relatedSlugs: [https-tls, hsts, frame-ancestors, referrer-policy, clear-site-data]
relatedSlugs: [https-tls, hsts, frame-ancestors, referrer-policy, clear-site-data, privacy/storage-access-api]
updated: "2026-05-29T09:13:20.000Z"
sources:
- title: "draft-ietf-httpbis-rfc6265bis — Cookies: HTTP State Management Mechanism"
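Review bot: `privacy/storage-access-api` presumes the content loader composes `category: privacy` and `slug: storage-access-api` from the new file into one path; confirm the build, or a relatedSlugs validation step if one exists, resolves cross-category references, since the new spec file relies on the same form in reverse (`security/cookie-attributes`) and a typo in either direction would fail silently at render time.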
2 changes: 1 addition & 1 deletion src/content/spec/security/permissions-policy.md
Expand Up @@ -6,7 +6,7 @@ summary: "Permissions-Policy lets you turn off powerful browser features — cam
status: recommended
order: 80
appliesTo: [all]
relatedSlugs: [content-security-policy, frame-ancestors, referrer-policy, cross-origin-isolation, reporting-endpoints]
relatedSlugs: [content-security-policy, frame-ancestors, referrer-policy, cross-origin-isolation, reporting-endpoints, privacy/storage-access-api]
updated: "2026-05-29T09:13:20.000Z"
sources:
- title: "Permissions Policy (W3C Working Draft)"
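Review bot: the back-link alone may leave permissions-policy.md incomplete: the new spec page states that a `storage-access` Permissions-Policy entry can block `requestStorageAccess()` in an embed, so the body of this file (not visible in the hunk) should mention `storage-access` as a feature whose policy affects embedded SSO and identity widgets; worth checking before merge.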