Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Technical review — Related website sets docs #30500

Closed
wants to merge 33 commits into from
Closed
Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
ae48e0a
Related website sets docs
chrisdavidmills Nov 24, 2023
1d98073
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 27, 2023
7a00819
Rest of required content
chrisdavidmills Nov 27, 2023
0992c1c
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 27, 2023
4d2b90f
Fix broken link
chrisdavidmills Nov 27, 2023
a57d3e4
Merge branch 'related-website-sets' of github.com:chrisdavidmills/con…
chrisdavidmills Nov 27, 2023
47cfab3
Updated status for RWS
chrisdavidmills Nov 27, 2023
09bdcb8
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 28, 2023
e425412
Update files/en-us/web/api/document/requeststorageaccessfor/index.md
chrisdavidmills Nov 28, 2023
c2ff67d
Update files/en-us/web/api/document/requeststorageaccessfor/index.md
chrisdavidmills Nov 28, 2023
3ad1838
Update files/en-us/web/api/storage_access_api/index.md
chrisdavidmills Nov 28, 2023
9b695ce
Update files/en-us/web/api/storage_access_api/index.md
chrisdavidmills Nov 28, 2023
2aeff35
Update files/en-us/web/api/storage_access_api/index.md
chrisdavidmills Nov 28, 2023
05451cf
Update files/en-us/web/api/storage_access_api/index.md
chrisdavidmills Nov 28, 2023
ff9f8e0
Update files/en-us/web/privacy/index.md
chrisdavidmills Nov 28, 2023
32e5f26
Update files/en-us/web/api/document/requeststorageaccessfor/index.md
chrisdavidmills Nov 28, 2023
f5e45ca
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 28, 2023
60457c1
Fix description list linter mess
chrisdavidmills Nov 28, 2023
dbdbea7
Fixes for cfredric tech review comments
chrisdavidmills Nov 28, 2023
000f16c
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 28, 2023
2ea9508
address cfredric and tunetheweb feedback
chrisdavidmills Nov 29, 2023
908b73e
Update files/en-us/web/api/storage_access_api/using/index.md
chrisdavidmills Nov 29, 2023
a083f0c
Update files/en-us/web/api/storage_access_api/using/index.md
chrisdavidmills Nov 29, 2023
10d8db2
Update files/en-us/web/api/storage_access_api/using/index.md
chrisdavidmills Nov 29, 2023
81c4df0
Update files/en-us/web/api/storage_access_api/using/index.md
chrisdavidmills Nov 29, 2023
e61854e
Update files/en-us/web/api/document/requeststorageaccessfor/index.md
chrisdavidmills Nov 29, 2023
b8afb84
Update files/en-us/web/api/document/requeststorageaccessfor/index.md
chrisdavidmills Nov 29, 2023
281db89
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 29, 2023
e3a0533
More tinkering with descriptions
chrisdavidmills Nov 29, 2023
d396b59
more small tweaks, link fix
chrisdavidmills Nov 30, 2023
c7fe6e1
Merge branch 'main' into related-website-sets
chrisdavidmills Nov 30, 2023
8f703cc
Fix quote style - single to double
chrisdavidmills Nov 30, 2023
46ead03
Merge branch 'related-website-sets' of github.com:chrisdavidmills/con…
chrisdavidmills Nov 30, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions files/en-us/web/api/document/hasstorageaccess/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ browser-compat: api.Document.hasStorageAccess

{{APIRef("Storage Access API")}}

The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to unpartitioned cookies.
The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to [third-party cookies](/en-US/docs/Web/HTTP/Cookies#third-party_cookies), [unpartitioned](/en-US/docs/Web/API/Storage_Access_API#unpartitioned_versus_partitioned_cookies) cookies.

This method is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).

Expand All @@ -24,12 +24,12 @@ None.

### Return value

A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to unpartitioned cookies — `true` if it does, and `false` if not.
A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to third-party cookies — `true` if it does, and `false` if not.

The result returned by this method can be inaccurate in a couple of circumstances:

1. The user may have browser settings active that block unpartitioned cookies entirely — in this case `true` may be returned even though unpartitioned cookies are still inaccessible. To handle such a situation, you should gracefully handle any errors resulting in cookie values being unretrievable; for example, inform the user that access to their personalized settings is blocked and invite them to sign in again to use them.
2. The browser might not block third-party cookie access by default — in this case `false` may be returned even though unpartitioned cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). To get around this issue, you could query {{domxref("Document.cookie")}} to find out whether your cookies are accessible, and call {{domxref("Document.requestStorageAccess()")}} if they are not.
1. The user may have browser settings active that block third-party cookies entirely — in this case `true` may be returned even though third-party cookies are still inaccessible. To handle such a situation, you should gracefully handle any errors resulting in cookie values being unretrievable; for example, inform the user that access to their personalized settings is blocked and invite them to sign in again to use them.
2. The browser might not block third-party cookie access by default — in this case `false` may be returned even though third-party cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). To get around this issue, you could query {{domxref("Document.cookie")}} to find out whether your cookies are accessible, and call {{domxref("Document.requestStorageAccess()")}} if they are not.

> **Note:** If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.

Expand Down Expand Up @@ -63,5 +63,6 @@ document.hasStorageAccess().then((hasAccess) => {

## See also

- {{domxref("Document.requestStorageAccess()")}}, {{domxref("Document.requestStorageAccessFor()")}}
- [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using)
- [Introducing Storage Access API](https://webkit.org/blog/8124/introducing-storage-access-api/) (WebKit blog)
9 changes: 6 additions & 3 deletions files/en-us/web/api/document/requeststorageaccess/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,14 @@ browser-compat: api.Document.requestStorageAccess

{{APIRef("Storage Access API")}}

The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to unpartitioned cookies.
The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to third-party cookies.

This is relevant to user agents that by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
This is relevant to user agents that by default block access to [third-party cookies](/en-US/docs/Web/HTTP/Cookies#third-party_cookies), [unpartitioned](/en-US/docs/Web/API/Storage_Access_API#unpartitioned_versus_partitioned_cookies) cookies to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).

> **Note:** Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. In addition, the document must pass additional browser-specific checks such as allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.

> **Note:** To check whether permission to access third-party cookies has already been granted, you can call {{domxref("Permissions.query()")}}, specifying the feature name `"storage-access"`.

## Syntax

```js-nolint
Expand All @@ -26,7 +28,7 @@ None.

### Return value

A {{jsxref("Promise")}} that fulfills with `undefined` if the access to unpartitioned cookies was granted, and rejects if access was denied.
A {{jsxref("Promise")}} that fulfills with `undefined` if the access to third-party cookies was granted, and rejects if access was denied.

`requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside a user gesture-based event handler. The user gesture behavior depends on the state of the promise:

Expand Down Expand Up @@ -70,5 +72,6 @@ document.requestStorageAccess().then(

## See also

- {{domxref("Document.hasStorageAccess()")}}, {{domxref("Document.requestStorageAccessFor()")}}
- [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using)
- [Introducing Storage Access API](https://webkit.org/blog/8124/introducing-storage-access-api/) (WebKit blog)
106 changes: 106 additions & 0 deletions files/en-us/web/api/document/requeststorageaccessfor/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
---
title: "Document: requestStorageAccessFor() method"
short-title: requestStorageAccessFor()
slug: Web/API/Document/requestStorageAccessFor
page-type: web-api-instance-method
status:
- experimental
browser-compat: api.Document.requestStorageAccessFor
---

{{APIRef("Storage Access API")}}{{seecompattable}}

The **`requestStorageAccessFor()`** method of the {{domxref("Document")}} interface allows top-level sites to request third-party cookie access on behalf of embedded content originating from another site in the same [related website set](/en-US/docs/Web/API/Storage_Access_API/Related_website_sets). It returns a {{jsxref("Promise")}} that resolves if the access was granted, and rejects if access was denied.

This is intended to address challenges in adopting the Storage Access API on top-level sites that use cross-site images or {{htmlelement("script")}} elements requiring cookies.

`requestStorageAccessFor()` is relevant to user agents that by default block access to [third-party cookies](/en-US/docs/Web/HTTP/Cookies#third-party_cookies), [unpartitioned](/en-US/docs/Web/API/Storage_Access_API#unpartitioned_versus_partitioned_cookies) cookies to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).

> **Note:** To check whether permission to access third-party cookies has already been granted via `requestStorageAccessFor()`, you can call {{domxref("Permissions.query()")}}, specifying the feature name `"top-level-storage-access"`. Note that this is different to the feature name used for the regular {{domxref("Document.requestStorageAccess()")}} method, which is `"storage-access"`.
chrisdavidmills marked this conversation as resolved.
Show resolved Hide resolved

## Syntax

```js-nolint
requestStorageAccessFor(requestedOrigin)
chrisdavidmills marked this conversation as resolved.
Show resolved Hide resolved
```

### Parameters

- `requestedOrigin`
- : A string representing the URL of the origin you are requesting third-party cookie access for.

### Return value

A {{jsxref("Promise")}} that fulfills with `undefined` if the access to third-party cookies was granted, and rejects if access was denied.

`requestStorageAccessFor()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside a user gesture-based event handler. The user gesture behavior depends on the state of the promise:

- If the promise resolves (i.e. if permission was granted), then the user gesture has not been consumed, so the script can subsequently call APIs that require a user gesture.
- If the promise rejects (i.e. permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is intentional protection against abuse — it prevents scripts from calling `requestStorageAccessFor()` in a loop until the user accepts the prompt.
chrisdavidmills marked this conversation as resolved.
Show resolved Hide resolved

### Exceptions

- `InvalidStateError` {{domxref("DOMException")}}
- : Thrown if the current {{domxref("Document")}} is not yet active.
- `NotAllowedError` {{domxref("DOMException")}}
- : Thrown if:
- The document's window is not a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
- The document is not the top-level document.
- The document has a `null` origin.
- The supplied `requestedOrigin` is [opaque](https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque).
- The top-level site and embedded site are not in the same [related website set](/en-US/docs/Web/API/Storage_Access_API/Related_website_sets).
- The embedding {{htmlelement("iframe")}} is sandboxed, and the `allow-storage-access-by-user-activation` token is not set.
- Usage is denied by the user agent's permission request to use the API.
`TypeError`
chrisdavidmills marked this conversation as resolved.
Show resolved Hide resolved
- : Thrown if `requestedOrigin` is not a valid URL.
chrisdavidmills marked this conversation as resolved.
Show resolved Hide resolved

## Examples

```js
function rSAFor() {
if ("requestStorageAccessFor" in document) {
document.requestStorageAccessFor("https://example.com").then(
(res) => {
// Use storage access
doThingsWithCookies();
},
(err) => {
// Handle errors
},
);
}
}
```

After a successful `requestStorageAccessFor()` call, cross-site requests will include cookies if they include [CORS](/en-US/docs/Web/HTTP/CORS) / [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin), so sites may want to wait before triggering a request. Such requests must use the [`credentials: 'include'`](/en-US/docs/Web/API/fetch#credentials) option and resources must include the `crossorigin="use-credentials"` attribute.

For example:

```js
function checkCookie() {
fetch("https://example.com/getcookies.json", {
method: "GET",
credentials: "include",
})
.then((response) => response.json())
.then((json) => {
// Do something
});
}
```

> **Note:** See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for a more complete example.

## Specifications

{{Specifications}}

## Browser compatibility

{{Compat}}

## See also

- {{domxref("Document.hasStorageAccess()")}}, {{domxref("Document.requestStorageAccess()")}}
- [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using)
- [Introducing Storage Access API](https://webkit.org/blog/8124/introducing-storage-access-api/) (WebKit blog)
4 changes: 2 additions & 2 deletions files/en-us/web/api/permissions_api/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,15 +40,15 @@ A non-exhaustive list of permission-aware APIs includes:
- [Payment Handler API](/en-US/docs/Web/API/Payment_Handler_API): `payment-handler`
- [Push API](/en-US/docs/Web/API/Push_API): `push`
- [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs): `accelerometer`, `gyroscope`, `magnetometer`, `ambient-light-sensor`
- [Storage Access API](/en-US/docs/Web/API/Storage_Access_API): `storage-access`
- [Storage Access API](/en-US/docs/Web/API/Storage_Access_API): `storage-access`, `top-level-storage-access`
- [Storage API](/en-US/docs/Web/API/Storage_API): `persistent-storage`
- [Web Audio Output Devices API](/en-US/docs/Web/API/Audio_Output_Devices_API): `speaker-selection`
- [Web MIDI API](/en-US/docs/Web/API/Web_MIDI_API): `midi`
- [Window Management API](/en-US/docs/Web/API/Window_Management_API): `window-management`

## Examples

We have made a simple example available called Location Finder. You can [run the example live](https://chrisdavidmills.github.io/location-finder-permissions-api/), or [view the source code on GitHub](https://github.com/chrisdavidmills/location-finder-permissions-api/tree/gh-pages).
We have created a simple example called Location Finder. You can [run the example live](https://chrisdavidmills.github.io/location-finder-permissions-api/), or [view the source code on GitHub](https://github.com/chrisdavidmills/location-finder-permissions-api/tree/gh-pages).

Read more about how it works in our article [Using the Permissions API](/en-US/docs/Web/API/Permissions_API/Using_the_Permissions_API).

Expand Down
Loading
Loading