Document: requestStorageAccess() method
Baseline
2023
*
Newly available
Since December 2023, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
* Some parts of this feature may have varying levels of support.
The requestStorageAccess() method of the Document interface allows content loaded in a third-party context (i.e., embedded in an <iframe>) to request access to third-party cookies and unpartitioned state.
This is relevant to user agents that, by default, block access to third-party, unpartitioned cookies to improve privacy (e.g., to prevent tracking), and is part of the Storage Access API.
To check whether permission to access third-party cookies has already been granted, you can call Permissions.query(), specifying the feature name "storage-access".
After an embed has activated storage-access permission via requestStorageAccess(), it should reload itself.
The browser will re-request the resource with third-party unpartitioned cookies included, and make them available to the embedded resource once it has loaded.
Third-party cookies are sent only with requests to the embedded resource's exact origin.
Other origins within the same site that wish to access their third-party cookies will need to activate the granted storage-access permission.
The storage access headers should be used for activating a granted storage-access permission.
Note that the headers can activate a granted permission for any embedded resource, such as credentialed images, not just code embedded in an <iframe>.
It is also possible to activate a granted permission for a cross-origin, same-site endpoint by calling requestStorageAccess() (this time without the requirement for transient activation).
However, this only works to activate permission for embedded code.
It is also less efficient than using the headers, because the resource needs to be loaded in order to activate the permission.
Note:
Usage of this feature may be blocked by a storage-access Permissions Policy set on your server. In addition, the document must pass additional browser-specific checks such as allowlists, blocklists, on-device classification, user settings, anti-clickjacking heuristics, or prompting the user for explicit permission.
Syntax
requestStorageAccess()
requestStorageAccess(types)
Parameters
typesOptional-
An object containing properties that control what unpartitioned state is made accessible. If not specified, the default value of the property is
false. Available properties are as follows:all-
A boolean specifying all possible unpartitioned states should be made accessible.
-
A boolean specifying third-party cookies should be made accessible.
sessionStorage-
A boolean specifying
StorageAccessHandle.sessionStorageshould be made accessible. localStorage-
A boolean specifying
StorageAccessHandle.localStorageshould be made accessible. indexedDB-
A boolean specifying
StorageAccessHandle.indexedDBshould be made accessible. locks-
A boolean specifying
StorageAccessHandle.locksshould be made accessible. caches-
A boolean specifying
StorageAccessHandle.cachesshould be made accessible. getDirectory-
A boolean specifying
StorageAccessHandle.getDirectory()should be made accessible. estimate-
A boolean specifying
StorageAccessHandle.estimate()should be made accessible. createObjectURL-
A boolean specifying
StorageAccessHandle.createObjectURL()should be made accessible. revokeObjectURL-
A boolean specifying
StorageAccessHandle.revokeObjectURL()should be made accessible. BroadcastChannel-
A boolean specifying
StorageAccessHandle.BroadcastChannel()should be made accessible. -
A boolean specifying
StorageAccessHandle.SharedWorker()should be made accessible.
Return value
A Promise that fulfills with undefined if the access to third-party cookies was granted and no types parameter was provided, fulfills with StorageAccessHandle if the access to unpartitioned state requested by the types parameter was provided, and rejects if access was denied.
requestStorageAccess() requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click (transient activation), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside a user gesture-based event handler. The user gesture behavior depends on the state of the promise:
- If the promise resolves (i.e., if permission was granted), then the user gesture has not been consumed, so the script can subsequently call APIs that require a user gesture.
- If the promise rejects (i.e., permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is intentional protection against abuse — it prevents scripts from calling
requestStorageAccess()in a loop until the user accepts the prompt.
Exceptions
InvalidStateErrorDOMException-
Thrown if:
- The current
Documentis not yet active. - The
typesparameter is provided and all of its properties arefalse.
- The current
NotAllowedErrorDOMException-
Thrown if:
- The document's window is not a secure context.
- Usage is blocked by a
storage-accessPermissions Policy. - The document or the top-level document has a
nullorigin. - The embedding
<iframe>is sandboxed, and theallow-storage-access-by-user-activationtoken is not set. - Usage is denied by the user agent's permission request to use the API.
Examples
Basic usage
document.requestStorageAccess().then(
() => {
console.log("cookie access granted");
},
() => {
console.log("cookie access denied");
},
);
document.requestStorageAccess({ localStorage: true }).then(
(handle) => {
console.log("localStorage access granted");
handle.localStorage.setItem("foo", "bar");
},
() => {
console.log("localStorage access denied");
},
);
Note: See Using the Storage Access API for a more complete example.
Specifications
| Specification |
|---|
| The Storage Access API # dom-document-requeststorageaccess |