
Conversation

@chrisdavidmills
Contributor

@chrisdavidmills chrisdavidmills commented Dec 16, 2025

Summary

While using the Storage Access API, when embedded content activates a previously-granted storage-access permission via the requestStorageAccess() method, third-party cookies are now only sent with requests to the calling embed's exact origin.

Previously, third-party cookies were sent with requests to the calling embed's site.

This behavioral change has occurred in:

This PR adds notes in relevant places to document this change.

cc @cfredric / @hamishwillee — I'd appreciate your input on this one, folks.

Test results and supporting details

Related issues
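The origin-versus-site distinction in the summary above, as an added model (not code from this PR or from browser-compat-data): it decides, for an embed that has activated its storage-access grant, whether cookies accompany a request under the old site-scoped rule and under the new exact-origin rule. The registrable-domain logic is a deliberate simplification (last two DNS labels, no Public Suffix List); the embed URL and request list are constructed samples.

```javascript
// Added illustration of the behaviour change described in the PR summary.
// Not the browser's implementation: a small model of the two grant scopes.

// Origin = scheme + host + port, serialized as a browser would.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// "Site" = scheme + registrable domain. Assumption for this model: the
// registrable domain is the last two DNS labels. Real browsers consult the
// Public Suffix List, so multi-label suffixes (e.g. "co.uk") are wrong here.
function siteOf(urlString) {
  const u = new URL(urlString);
  const registrable = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${registrable}`;
}

// Does an embed whose storage-access grant is active get cookies on `target`?
//   scope "site"   : the previous behaviour (any origin on the embed's site)
//   scope "origin" : the behaviour documented by this PR (exact origin only)
function cookiesAttached(embedUrl, target, scope) {
  if (scope === "origin") return originOf(embedUrl) === originOf(target);
  if (scope === "site") return siteOf(embedUrl) === siteOf(target);
  throw new Error(`unknown scope: ${scope}`);
}

// Constructed sample: an embed served from widget.example.com and the
// requests it might issue with credentials.
const EMBED = "https://widget.example.com/frame.html";
const REQUESTS = [
  "https://widget.example.com/api/profile",  // exact origin
  "https://api.example.com/v1/session",      // same site, different origin
  "https://widget.example.com:8443/health",  // same host, different port
  "https://example.net/track",               // cross-site
];

// One row per request: whether cookies travel under each scope.
function compareScopes(embedUrl = EMBED, requests = REQUESTS) {
  return requests.map((target) => ({
    target,
    siteScoped: cookiesAttached(embedUrl, target, "site"),
    originScoped: cookiesAttached(embedUrl, target, "origin"),
  }));
}
```

The second and third rows are the ones that change: same-site-but-different-origin endpoints (including a different port) stop receiving the embed's cookies once the grant is origin-scoped.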

@github-actions github-actions bot added data:http Compat data for HTTP features. https://developer.mozilla.org/docs/Web/HTTP data:api Compat data for Web APIs. https://developer.mozilla.org/docs/Web/API size:s [PR only] 7-24 LoC changed labels Dec 16, 2025
@github-actions
Contributor

github-actions bot commented Dec 16, 2025

Tip: Review these changes grouped by change (recommended for most PRs), or grouped by feature (for large PRs).

@github-actions github-actions bot removed the data:http Compat data for HTTP features. https://developer.mozilla.org/docs/Web/HTTP label Dec 17, 2025

@cfredric cfredric left a comment


Chrome details LGTM!

@chrisdavidmills
Contributor Author

Hi @caugner! Do you have time to look at this one?

@github-actions github-actions bot added size:m [PR only] 25-100 LoC changed and removed size:s [PR only] 7-24 LoC changed labels Jan 14, 2026
@github-actions github-actions bot added size:s [PR only] 7-24 LoC changed and removed size:m [PR only] 25-100 LoC changed labels Jan 14, 2026
Contributor

@caugner caugner left a comment


Should we actually move this into a behavioral subfeature? (This sounds like a spec change!?)

"firefox": {
"version_added": "65"
"version_added": "65",
"notes": "From version 140 onwards, activating the `storage-access` permission via `requestStorageAccess()` results in third-party cookies being sent only with requests to the calling embed's exact origin (see [bug 1965817](https://bugzil.la/1965817)). Before version 140, it resulted in third-party cookies being sent with requests to the calling embed's site."
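Review bot: the switch at Firefox 140 is recorded only in free text here while `version_added` stays at "65", so nothing machine-readable distinguishes the pre-140 behaviour (cookies to the embed's site) from the post-140 behaviour (cookies to the exact origin only). A behavioural subfeature whose own `version_added` is "140" would carry that, and this note could then shrink to a single sentence describing the new behaviour.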
Contributor

I asked internally for confirmation that this is the right bug.

@cfredric

(This sounds like a spec change!?)

Yup - the corresponding spec change was privacycg/storage-access#213.

@caugner
Contributor

caugner commented Jan 15, 2026

Yup - the corresponding spec change was privacycg/storage-access#213.

Thanks! Based on that, the subfeature could be called strict_same_origin_policy.

@chrisdavidmills
Contributor Author

chrisdavidmills commented Jan 15, 2026

Yup - the corresponding spec change was privacycg/storage-access#213.

Thanks! Based on that, the subfeature could be called strict_same_origin_policy.

To clarify, how would you represent this in the current setup? This isn't a separate feature; it's represented as notes hanging off the requestStorageAccess() feature.

@caugner
Contributor

caugner commented Jan 15, 2026

To clarify, how would you represent this in the current setup? This isn't a separate feature; it's represented as notes hanging off the requestStorageAccess() feature.

I would add a subfeature api.Document.requestStorageAccess.strict_same_origin_policy with the description explaining the new behavior.

@github-actions github-actions bot added size:m [PR only] 25-100 LoC changed and removed size:s [PR only] 7-24 LoC changed labels Jan 16, 2026
@chrisdavidmills
Contributor Author

To clarify, how would you represent this in the current setup? This isn't a separate feature; it's represented as notes hanging off the requestStorageAccess() feature.

I would add a subfeature api.Document.requestStorageAccess.strict_same_origin_policy with the description explaining the new behavior.

OK, I've done so.

"notes": "Client-side storage access granted per-page ([see explanation](https://developer.mozilla.org/docs/Web/API/Storage_Access_API#how_it_works))"
"notes": [
"Client-side storage access is granted per-page ([see explanation](https://developer.mozilla.org/docs/Web/API/Storage_Access_API#how_it_works)).",
"`storage-access` activation results in third-party cookies being sent with requests to the calling embed's site."
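Review bot: the second note in the new array, "`storage-access` activation results in third-party cookies being sent with requests to the calling embed's site", states the pre-change behaviour and contradicts the PR summary (cookies now go only to the embed's exact origin). Drop it from the parent feature; if the old behaviour needs recording at all, it belongs in the description of the new subfeature, where the version boundary makes clear which behaviour applies.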
Contributor

Either this note describes the expected behavior before the spec change (then let's remove this note), or it describes a particular Chrome behavior before the spec change (then let's remove the note to the subfeature).

Contributor Author

Rats, I meant to remove that note, but forgot. Removed now.

I also updated the URL on the remaining note line to point directly at the note that explains "granted per-page", as the existing URL wasn't very effective.
