Permissions Policy Integration (formalize nested iframe support) #78

Merged
merged 3 commits into from
Jun 9, 2021
12 changes: 6 additions & 6 deletions storage-access.bs
Expand Up @@ -104,8 +104,6 @@ A {{Document}} is in a <dfn>first-party-site context</dfn> if it is the [=active

A {{Document}} is in a <dfn>third party context</dfn> if it is not in a [=first-party-site context=].

ISSUE(10): If we let nested <{iframe}>s use this API, we may have to revisit these definitions.

<h3 id="ua-state">User Agent state related to storage access</h3>

A <dfn>storage access map</dfn> is a [=map=] whose keys are [=partitioned storage keys=] and whose values are [=storage access flag sets=].
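Review bot: Dropping the ISSUE(10) note closes the question it raised without touching the two definitions above it, so the reader cannot tell whether the definitions were revisited or the issue was simply abandoned. Since this PR now lets nested frames call the API, add one sentence after the <dfn>third party context</dfn> definition stating that both definitions apply unchanged to a {{Document}} at any nesting depth, because they key off the top-level site rather than the parent browsing context; that makes the removal self-explanatory.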
Expand Down Expand Up @@ -202,7 +200,7 @@ When invoked on {{Document}} |doc|, the <dfn export method for=Document><code>re
1. Let |p| be [=a new promise=].
1. If this algorithm was invoked when |doc|'s {{Window}} object did not have [=transient activation=], [=reject=] and return |p|.
1. If |doc|'s [=Document/browsing context=] is a [=top-level browsing context=], [=/resolve=] and return |p|.
1. If |doc|'s [=Document/browsing context=]'s [=parent browsing context=] is not a [=top-level browsing context=], [=reject=] and return |p|.
1. If |doc| is not [=allowed to use=] the `"request-storage-access"` permission, [=reject=] and return |p|.
1. If the [=top-level origin=] of |doc|'s [=relevant settings object=] is an [=opaque origin=], [=reject=] and return |p|. <!-- https://github.com/privacycg/storage-access/issues/40 -->
1. If |doc|'s [=Document/origin=] is [=same origin=] with the [=top-level origin=] of |doc|'s [=relevant settings object=], [=/resolve=] and return |p|.
1. If |doc|'s [=Document/origin=] is an [=opaque origin=], [=reject=] and return |p|.
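Review bot: The replaced step widens who may call {{Document/requestStorageAccess()}} and that should be stated explicitly somewhere in the spec text: the old step rejected every frame whose [=parent browsing context=] was not top-level, whereas the new `[=allowed to use=]` check, combined with the `"*"` default allowlist this PR defines, admits frames at any depth unless an ancestor restricts the feature (for example with `allow="request-storage-access 'none'"` on the embedding <{iframe}> or a `Permissions-Policy` response header). Swapping the step in place rather than deleting it keeps the numbering that the surrounding ISSUE blocks cite, which is good. It would help to note, either here or in the new Permissions Policy section, that the remaining gates (transient activation, the opaque top-level origin and opaque document origin checks) still apply to nested frames, so the policy check is a necessary but not sufficient condition.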
Expand All @@ -225,8 +223,6 @@ When invoked on {{Document}} |doc|, the <dfn export method for=Document><code>re

ISSUE: Shouldn't step 3.7 be [=same site=]?

ISSUE(10): Remove step 3.9 if we determine that nested <{iframe}>s should be able to request storage access.

<h4 id="ua-policy">User Agent storage access policies</h4>

Different User Agents have different policies around whether or not [=sites=] may access their [=unpartitioned data=] when they're in a [=third party context=]. User Agents check and/or modify these policies when client-side storage is accessed (see [[#storage]]) as well as when {{Document/hasStorageAccess()}} and {{Document/requestStorageAccess()}} are called.
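Review bot: Removing this ISSUE(10) is consistent with the step swap in the previous hunk, but the ISSUE that survives just above it still refers to "step 3.7" by number. Because the previous hunk replaces a step instead of removing one, the count is unchanged and the reference should still resolve; please confirm that 3.7 still denotes the same-origin comparison against the [=top-level origin=], and consider citing that step by a stable anchor rather than by position so later edits to the list do not silently point the note at a different step.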
Expand Down Expand Up @@ -301,7 +297,11 @@ To the [=parse a sandboxing directive=] algorithm, add the following under step
<li>The [=sandbox storage access by user activation flag=], unless <var ignore>tokens</var> contains the <dfn export attr-value for=iframe/sandbox>allow-storage-access-by-user-activation</dfn> keyword.
</ul>

ISSUE(12): What about Feature Policy?
<h2 id="permissions-policy-integration">Permissions Policy Integration</h2>

The Storage Access API defines a [=policy-controlled feature=] identified by the string `"request-storage-access"`. Its [=default allowlist=] is `"*"`.

Note: A {{Document}}’s [=Document/permissions policy=] determines whether any content in that document is allowed to request storage access using {{Document/requestStorageAccess()}}. If disabled in any document, calling {{Document/requestStorageAccess()}} in that document will reject.

<h2 id="privacy">Privacy considerations</h2>

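Review bot: The new section names the feature and its default allowlist but does not say how an embedder turns it off, and with `"*"` every document, including nested cross-origin frames, is allowed unless something restricts it; add a sentence to the Note that a parent disables the feature for a child via the <{iframe}> `allow` attribute and for a whole document via the `Permissions-Policy` header. The Note also only mentions {{Document/requestStorageAccess()}}; since only that algorithm gained the `[=allowed to use=]` check in this diff, state whether {{Document/hasStorageAccess()}} is meant to ignore the policy, so implementers do not guess. Minor style points: the replacement correctly restores the blank line before the <h2> that the removed ISSUE(12) line was missing, and the curly apostrophe in `{{Document}}’s` should be a plain `'` unless the source already uses typographic quotes elsewhere.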