Sec-Fetch-Storage-Access header
The HTTP Sec-Fetch-Storage-Access fetch metadata request header provides the "storage access status" for the current fetch context.
The status indicates that permission to access third party cookies is not granted, has been granted but not activated for the current request context, or that the context has access to the cookies and they have been sent with the request.
Supporting browsers must include this header on cross-site requests whose credentials mode is "include".
The header should not be sent with same-site requests (those cannot involve cross-site cookies), or with requests whose credentials mode is "omit".
The requested resource must also have a potentially trustworthy origin.
| Header type | Fetch Metadata Request Header |
|---|---|
| Forbidden request header | Yes (Sec- prefix) |
| CORS-safelisted request header | No |
Syntax
Sec-Fetch-Storage-Access: <access-status>
Directives
<access-status>
A value indicating the access status for the current fetch context. The following values are allowed (servers should ignore the header with other values):
none
The context does not have the storage-access permission or access to unpartitioned cookies.
inactive
The context has the storage-access permission, but has not opted into using it (and does not have unpartitioned cookie access through other means). If this value is set, then the Origin request header must also be set.
active
The context has unpartitioned cookie access.
Description
The Sec-Fetch-Storage-Access and Activate-Storage-Access HTTP headers together provide a mechanism for a server to activate an already granted storage-access permission for a particular context.
This allows an optional enhancement of the Storage Access API workflow that removes the need for the uncredentialed resource to be loaded. It also allows third party credentials to be sent for embedded resources such as images, rather than just embedded documents.
Storage Access API workflow
The Storage Access API provides a JavaScript Web API that allows a third party resource embedded in an <iframe> to access its cookies as though they were same-site or unpartitioned cookies.
As covered in Using the Storage Access API, the first request for an embedded page is sent without its (third party) cookies.
Once loaded the embedded page calls Document.requestStorageAccess(), which prompts the user for the storage-access permission.
If granted, this permission is associated with the top level sites of both the embedder and embedded pages and stored.
Calling Document.requestStorageAccess() also "activates" a granted permission in the current context.
The embedded page then refreshes itself.
Because the permission has been granted and activated in the current context, the new request is sent with credentials.
If the user navigates to the same page in a different browser session, or opens the page in another tab, the flow above is almost exactly the same.
Even though permission has already been granted, the embedded page is again requested without credentials, and Document.requestStorageAccess() still needs to be called to opt-in/activate the permission for this context.
Once that happens, the embedded page refreshes itself again.
This is inefficient, because permission has already been granted, and we shouldn't need to send and load the uncredentialed resource just so that we can call Document.requestStorageAccess() to activate the permission.
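The opt-in step described above, written as an added example that is not code from this page or from the Storage Access API itself. The function name `activateStorageAccess` is hypothetical; the document and location objects are passed in (defaulting to the browser globals) so the flow can be exercised with stand-ins outside a browser. It also handles the case the steps above skip over: when the user denies the prompt, the page must stay in its partitioned state rather than reloading into another uncredentialed fetch.

```javascript
// Added example (hypothetical helper, not part of the page or the API).
// Runs in the embedded document. In a browser call activateStorageAccess()
// from a click handler: most browsers require user activation for
// Document.requestStorageAccess().
async function activateStorageAccess(doc = document, loc = location) {
  // Already has unpartitioned cookie access (the "active" state): nothing to do.
  if (await doc.hasStorageAccess()) return "already-active";

  try {
    // Prompts the user if the permission is not yet granted, and "activates"
    // an already-granted permission for this context.
    await doc.requestStorageAccess();
  } catch (err) {
    // Rejected with NotAllowedError when the user declines or there is no
    // user activation. Do not reload: the new request would again be
    // uncredentialed, so keep working with partitioned storage instead.
    return "denied";
  }

  // Permission granted and activated in this context; reload so the document
  // is re-requested with its cookies.
  loc.reload();
  return "reloading";
}
```

The return value is only there to make the outcome observable; in a real page the caller would branch on it to switch between the personalised and the partitioned UI.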
Storage Access header workflow
The Sec-Fetch-Storage-Access and Activate-Storage-Access headers provide an HTTP-based mechanism for activating an already granted permission for a particular context.
This removes the need for the uncredentialed document to be returned and loaded, just so that Document.requestStorageAccess() can be called to activate the permission.
The workflow
The Sec-Fetch-Storage-Access header is first sent with the storage access status.
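The server side of the header workflow, as an added example that is not code from this page, from any browser, or from a spec project. `decideStorageAccess`, `storageAccessStatus` and the `ALLOWED_EMBEDDERS` allowlist are hypothetical names; the request headers in the test are constructed. The values used in the response header, `retry; allowed-origin=<origin>` and `load`, are taken from the definition of the companion Activate-Storage-Access header rather than from this page, and the 401 status on the retry response is an assumption (the browser retries the request with cookies rather than rendering that response). The example applies the two rules this page does state: unknown `<access-status>` tokens are ignored, and `inactive` is only meaningful when Origin accompanies it. It also adds the check a practitioner wants: only an allowlisted embedder is ever told to retry with cookies, since otherwise any site that could frame the resource would obtain credentialed loads of it.

```javascript
// Added example (hypothetical names, not code from the page or a spec project).
// Top-level sites whose frames may receive this resource with its cookies.
// Constructed allowlist; in practice load it from configuration.
const ALLOWED_EMBEDDERS = new Set(["https://embedder.example"]);
const KNOWN_STATUSES = new Set(["none", "inactive", "active"]);

function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// "none" for a missing header or an unknown token: servers should ignore
// the header when it carries any value other than none/inactive/active.
function storageAccessStatus(h) {
  const raw = h["sec-fetch-storage-access"];
  if (typeof raw !== "string") return "none";
  const token = raw.trim();
  return KNOWN_STATUSES.has(token) ? token : "none";
}

function uncredentialed(headers) {
  return { statusCode: 200, headers, credentialed: false, body: "generic resource (no third-party cookies)" };
}

// Decide how to answer a request for an embedded resource. Returns a plain
// object (status, headers, body) so it can be wired into any HTTP framework.
function decideStorageAccess(requestHeaders) {
  const h = lowerKeys(requestHeaders);
  const status = storageAccessStatus(h);
  const origin = typeof h["origin"] === "string" ? h["origin"].trim() : null;
  const dest = h["sec-fetch-dest"];
  // The response depends on these request headers, so shared caches must key on them.
  const base = { vary: "Sec-Fetch-Storage-Access, Origin" };

  if (status === "inactive") {
    // Permission exists but is not activated. "inactive" must arrive with Origin;
    // without it, or for an embedder that is not allowlisted, serve the
    // uncredentialed copy instead of activating anything.
    if (origin !== null && ALLOWED_EMBEDDERS.has(origin)) {
      return {
        statusCode: 401, // assumption: browser retries with cookies, body is not rendered
        headers: { ...base, "activate-storage-access": `retry; allowed-origin="${origin}"` },
        credentialed: false,
        body: "",
      };
    }
    return uncredentialed(base);
  }

  if (status === "active") {
    const headers = { ...base };
    // For a framed document, "load" lets the browser grant storage access to the
    // loaded document without a Document.requestStorageAccess() call.
    if (dest === "iframe" || dest === "frame") headers["activate-storage-access"] = "load";
    return { statusCode: 200, headers, credentialed: true, body: "personalised resource (cookies were sent)" };
  }

  // "none": no permission, so the resource is served without third-party cookies.
  return uncredentialed(base);
}
```

Note that the header is never sent on same-site requests, so a request without it is handled exactly like `none`; the only path that changes behaviour is `inactive` from an allowlisted Origin, which is the one place the server takes a decision on the browser's behalf.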
Examples
TBD
Specifications
This feature does not appear to be defined in any specification.
Browser compatibility
See also
- Activate-Storage-Access
- Using the Storage Access API
- Fetch Metadata Request Headers playground (secmetadata.appspot.com)