1. Web
  2. HTTP
  3. Reference
  4. Headers
  5. Permissions-Policy
  6. storage-access

Permissions-Policy: storage-access directive

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header storage-access directive controls whether a document loaded in a third-party context (i.e., embedded in an <iframe>) is allowed to use the Storage Access API to request access to unpartitioned cookies.

This is relevant to user agents that by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy (for example, to prevent tracking).

Specifically, where a defined policy blocks use of this feature, Document.requestStorageAccess() calls will return a Promise that rejects with a DOMException of type NotAllowedError.

Syntax

http
Permissions-Policy: storage-access=<allowlist>;
<allowlist>

A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for storage-access is *.

Specifications

Specification
The Storage Access API
# permissions-policy-integration

Browser compatibility

See also

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.

View this page on GitHubReport a problem with this content