Merged
Access-Storage-Access - try bullet vs big para
hamishwillee committed Nov 7, 2025
commit 44a9f1fc887c4d5fe58bb9787cf829cce836d006
Expand Up @@ -66,12 +66,15 @@ The resource always needs to be loaded at least once in order to be granted the
However, once granted, a server can use `Activate-Storage-Access` to activate the permission for other contexts
This avoids the need to load the resource just so that it can activate the permission by calling `Document.requestStorageAccess()`.

The way this works is that the browser adds `Sec-Fetch-Storage-Access` to requests to indicate the storage access state.
If it adds `Sec-Fetch-Storage-Access: inactive` to requests, along with the `Origin` header indicating the source of the request, the server knows that the resource has permission but that it isn't active.
The server can then respond with `Activate-Storage-Access: retry; allowed-origin="<request_origin>"` to ask the browser to activate the permission for the context and retry the request.
The browser then sends the request again, this time with `Sec-Fetch-Storage-Access: active` and including cookies, and the server responds with the credentialed version of the resource, which has access to its cookies as though it were a first-party resource.
The way this works is that:

The response must also include the {{httpheader("Vary")}} header with `Sec-Fetch-Storage-Access`.
1. The browser adds `Sec-Fetch-Storage-Access: inactive` to requests when the context has permission but it isn't active (along with the `Origin` header indicating the source of the request).
2. If the server gets `Sec-Fetch-Storage-Access: inactive` it can respond with `Activate-Storage-Access: retry; allowed-origin="<request_origin>"` to ask the browser to activate the permission for the context and retry the request.
3. If the browser gets the retry request, it activates the permission and sends the request again, this time with `Sec-Fetch-Storage-Access: active` and including cookies.
4. If the server sees a request with `Sec-Fetch-Storage-Access: active` and cookies it responds with the credentialed version of the resource.
Once loaded by the browser, this resource has access to its cookies as though it were a first-party resource.

Responses must also include the {{httpheader("Vary")}} header with `Sec-Fetch-Storage-Access`.

## Examples

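Review bot: step 3 of the new list says "If the browser gets the retry request", but what the browser receives in step 2 is the server's response carrying `Activate-Storage-Access: retry; ...`, so this should read "retry response" (the old paragraph did not have this confusion). Two smaller points on the same list: the sentence "Once loaded by the browser, this resource has access to its cookies ..." follows item 4 with no blank line, so Markdown will render it as a lazy continuation of item 4 rather than as the closing paragraph it is meant to be; either insert a blank line before it or fold it into item 4 ("... responds with the credentialed version of the resource, which then has access to its cookies as though it were a first-party resource."). Finally, step 2 shows the server copying the request origin into `allowed-origin="<request_origin>"`; since the `Origin` header is the only thing identifying the requesting context, it would help readers to state that the server should compare that value against the origins it actually intends to grant before echoing it back, rather than reflecting any `Origin` it sees.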