Participate in the origin trial for non-cookie storage access through the Storage Access API

Chrome 115 introduced changes to storage, service workers, and communication APIs by partitioning them in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts are also isolated by the site of the top-level context.

Sites that haven't had time to implement support for third-party storage partitioning are able to take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs, in content embedded on their site. This deprecation trial is set to expire with the release of Chrome 127 on September 3, 2024. Note that this is separate from the deprecation trial for access to third-party cookies: this is just for access to storage.

As a long-term solution to address certain use cases disrupted by third-party non-cookie storage partitioning, Chrome is proposing the ability for third parties to request storage/communication access (both cookie and non-cookie) through the Storage Access API (shipping as of Chrome 117), which already allows third parties to request cookie access.

As of Chrome 120, this proposal will be available for experimentation through an origin trial. Developers should participate in this origin trial to evaluate how the proposed solution addresses their use cases to ensure they are prepared before the deprecation trial ends.

Origin trial details

Beginning in Chrome 120, Chrome will support an origin trial, StorageAccessAPIBeyondCookies, to enable the proposed extension of the Storage Access API (backwards compatible) to allow access to unpartitioned storage (cookie and non-cookie) in a third-party context.

Mechanics

The API can be used as follows (JavaScript running in an embedded iframe):

// Request a new storage handle via rSA (this should prompt the user)
const handle = await document.requestStorageAccess({all: true});
// Write some 1P context sessionStorage
handle.sessionStorage.setItem('userid', '1234');
// Write some 1P context localStorage
handle.localStorage.setItem('preference', 'A');
// Open or create an indexedDB that is shared with the 1P context
const messageDB = handle.indexedDB.open('messages');
// Use locks shared with the 1P context
await handle.locks.request('example', async (lock) => {
  // Work that needs the lock goes here; it is released when this callback settles.
});

If you want access to specific APIs only, rather than to all of them, pass the names of just the API handles you need. For example, you could pass {sessionStorage: true} to get access to sessionStorage only, or {indexedDB: true, locks: true} to get access to IndexedDB and Web Locks.

Beyond calling this additional extension, access to non-cookie storage would match the current requirements for cookie access through the Storage Access API. For example, in Chrome, no prompt is shown when the origins are in the same Related Website Set (RWS, the new name for First Party Sets). Origins that are not part of the same RWS would be subject to the prompting requirements of the Storage Access API in Chrome.

Duration

The origin trial will be available from Chrome 120 until Chrome 124 (or after June 25, 2024 in any milestone).

Scope

Only DOM Storage (session and local storage), Indexed DB, and Web Locks will be available initially, but other storage and communication mechanisms will be added to the origin trial in future milestones. This blog post will be updated to reflect additions and the milestones in which they will be available. Feedback from developers would aid us in prioritizing specific mechanisms for inclusion.

Participate

  1. Assess how you use cookie and non-cookie storage in a third-party context. The example use cases may help in understanding whether this proposal may fit your needs.
  2. Launch Chrome version 120 (or later) and ensure the ThirdPartyStoragePartitioning flag is enabled.
  3. Register for the StorageAccessAPIBeyondCookies origin trial and get a token for your domains.
    1. For more detailed instructions, visit Get started with origin trials. The guide to troubleshooting Chrome origin trials provides a full checklist for ensuring your token is correctly configured.
  4. Embed that origin trial token in the iframe you wish to use the Storage Access API handle within, via an HTTP header, HTML meta tag, or programmatically. Note that the token must be embedded by any frame that wishes to use this API; embedding it in the parent frame won't enable the API in child frames.
  5. Migrate the storage-related code in your iframe to use the Storage Access API handle if it's available (for example, calls to window.sessionStorage.setItem(...) become handle.sessionStorage.setItem(...)).
  6. Open your website and verify that the storage access handle is working as intended.
  7. To stop participating in the origin trial, remove the token you added in step 3.
  8. Submit feedback or raise any issues you encounter to the Storage Access API Non-Cookie Storage GitHub repository.
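
The following is an added example, not code from the original post or from Chrome: it combines the per-API request described under Mechanics with the "if it's available" migration in step 5. The names resolveStorage and FALLBACKS are hypothetical, and doc and win stand in for document and window so the logic can run outside a browser.

```javascript
// Added example. resolveStorage and FALLBACKS are hypothetical names.
// Partitioned equivalents of each handle property named on the page.
const FALLBACKS = {
  sessionStorage: (win) => win.sessionStorage,
  localStorage: (win) => win.localStorage,
  indexedDB: (win) => win.indexedDB,
  locks: (win) => win.navigator.locks,
};

// `doc` and `win` are normally `document` and `window`.
async function resolveStorage(doc, win, wanted = { sessionStorage: true }) {
  const names = Object.keys(wanted).filter((name) => wanted[name]);
  const unknown = names.filter((name) => !Object.hasOwn(FALLBACKS, name));
  if (unknown.length > 0) {
    // Deliberately refuses {all: true}: callers must name what they need.
    throw new TypeError(`unsupported storage type: ${unknown.join(', ')}`);
  }
  const pick = (get) => Object.fromEntries(names.map((n) => [n, get(n)]));
  const partitioned = (reason) =>
    ({ unpartitioned: false, reason, ...pick((n) => FALLBACKS[n](win)) });

  if (typeof doc.requestStorageAccess !== 'function') {
    return partitioned('unsupported');
  }
  let handle;
  try {
    // Request only the named handles, never more than the caller listed.
    handle = await doc.requestStorageAccess(pick(() => true));
  } catch (err) {
    // Rejected: for example the prompt was declined.
    return partitioned('denied');
  }
  // A browser with only the cookie form of the API resolves with undefined.
  if (!handle || typeof handle !== 'object' ||
      names.some((n) => !(n in handle))) {
    return partitioned('no-handle');
  }
  return { unpartitioned: true, reason: 'granted', ...pick((n) => handle[n]) };
}
```

Callers use the returned objects the same way in every case, for example (await resolveStorage(document, window)).sessionStorage.setItem(...), and can check the unpartitioned flag before relying on data written in the first-party context.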
