diff --git a/storage-access.bs b/storage-access.bs index 759bff1..66fe7e4 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -104,8 +104,6 @@ A {{Document}} is in a first-party-site context if it is the [=active A {{Document}} is in a third party context if it is not in a [=first-party-site context=]. -ISSUE(10): If we let nested <{iframe}>s use this API, we may have to revisit these definitions. -
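Review bot: Removing `ISSUE(10)` here leaves the first-party-site context and third party context definitions above it unchanged, although the issue said they may need revisiting once nested iframes can use the API, and this patch is what allows that. Either state in the commit message that the definitions were checked against the nested case and hold as written, or keep a narrower issue that names what remains open.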
re
1. Let |p| be [=a new promise=].
1. If this algorithm was invoked when |doc|'s {{Window}} object did not have [=transient activation=], [=reject=] and return |p|.
1. If |doc|'s [=Document/browsing context=] is a [=top-level browsing context=], [=/resolve=] and return |p|.
-1. If |doc|'s [=Document/browsing context=]'s [=parent browsing context=] is not a [=top-level browsing context=], [=reject=] and return |p|.
+1. If |doc| is not [=allowed to use=] the `"request-storage-access"` permission, [=reject=] and return |p|.
1. If the [=top-level origin=] of |doc|'s [=relevant settings object=] is an [=opaque origin=], [=reject=] and return |p|.
1. If |doc|'s [=Document/origin=] is [=same origin=] with the [=top-level origin=] of |doc|'s [=relevant settings object=], [=/resolve=] and return |p|.
1. If |doc|'s [=Document/origin=] is an [=opaque origin=], [=reject=] and return |p|.
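Review bot: The added step calls `"request-storage-access"` a "permission", while the section added later in this patch defines it as a [=policy-controlled feature=], and [=allowed to use=] takes a feature. Suggest wording the step as "allowed to use the `"request-storage-access"` feature" and linking the string to that definition. Also note that the removed step was the only check that depended on frame depth, so after this change a frame at any nesting level reaches the remaining origin checks whenever policy allows it. A short note beside the step saying that this is intended would help readers of the algorithm.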
@@ -225,8 +223,6 @@ When invoked on {{Document}} |doc|, the re
ISSUE: Shouldn't step 3.7 be [=same site=]?
-ISSUE(10): Remove step 3.9 if we determine that nested <{iframe}>s should be able to request storage access.
-
User Agent storage access policies
Different User Agents have different policies around whether or not [=sites=] may access their [=unpartitioned data=] when they're in a [=third party context=]. User Agents check and/or modify these policies when client-side storage is accessed (see [[#storage]]) as well as when {{Document/hasStorageAccess()}} and {{Document/requestStorageAccess()}} are called.
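Review bot: The surviving `ISSUE: Shouldn't step 3.7 be [=same site=]?` still points at a step by number, and the issue removed in this hunk shows how such references drift: it asked to remove step 3.9, but the patch replaces the nested-frame check instead of removing it. Please confirm that 3.7 still refers to the same-origin comparison after this edit, or rephrase the issue to name the step by its content.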
@@ -301,7 +297,11 @@ To the [=parse a sandboxing directive=] algorithm, add the following under step
The [=sandbox storage access by user activation flag=], unless tokens contains the allow-storage-access-by-user-activation keyword.
-ISSUE(12): What about Feature Policy?
+Permissions Policy Integration
+
+The Storage Access API defines a [=policy-controlled feature=] identified by the string `"request-storage-access"`. Its [=default allowlist=] is `"*"`.
+
+ Note: A {{Document}}’s [=Document/permissions policy=] determines whether any content in that document is allowed to request storage access using {{Document/requestStorageAccess()}}. If disabled in any document, calling {{Document/requestStorageAccess()}} in that document will reject.
Privacy considerations
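Review bot: The `"*"` default allowlist in the new section means every nested cross-origin document is allowed to call {{Document/requestStorageAccess()}} unless an ancestor opts out, and together with the removal of the parent-is-top-level check this widens who can reach the request path. The rationale for `"*"` should be stated here or in the Privacy considerations section that follows. The Note covers only {{Document/requestStorageAccess()}}; it should also say whether {{Document/hasStorageAccess()}} is affected, and how the policy combines with the sandbox flag described just above (presumably both must pass). Minor style: the `Note:` line has a leading space and a curly apostrophe in `{{Document}}’s`, unlike the surrounding text.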