Intent to Ship: Storage Access API, update to per-frame model

[Benjamin VanderSloot]

As of Firefox 119, I intend to update the behavior of the Storage Access API to match several updates to the specification. These updates improve the security properties of unpartitioned cookies while still supporting key use cases.

Summary: Requesting "storage access" now only affects the frame that makes the call, giving embedees finer-grained control over where unpartitioned cookies are used. To make this improvement in security, a few relaxations were made to preserve ergonomics. Namely, the scope of the storage access permission is relaxed to site-site, user activation is not needed when the permission is already granted, and same-origin self-initiated navigation preserves "storage access".

Standards Body: W3C Privacy Community Group

Specification: https://privacycg.github.io/storage-access/

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1835874

Other browsers:

  Chrome: Implemented

  Safari: Supportive, no details on implementation of the per-frame model, implemented the old model

Platform coverage: Desktop

Web Platform Tests: /storage-access-api/ has been updated to reflect this version of the Storage Access API.