Permissions-Policy: storage-access

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header storage-access directive controls whether a document loaded in a third-party context (i.e. embedded in an <iframe>) is allowed to use the Storage Access API to request access to unpartitioned cookies.

This is relevant to user agents that by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy (for example, to prevent tracking).

Specifically, where a defined policy blocks use of this feature, Document.requestStorageAccess() calls will return a Promise that rejects with a DOMException of type NotAllowedError.


Permissions-Policy: storage-access=<allowlist>;

A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for storage-access is *.


The Storage Access API
# permissions-policy-integration

Browser compatibility

BCD tables only load in the browser

See also