From 8e3e090d6af57555e4ad047d05d2eabd4b3840d2 Mon Sep 17 00:00:00 2001 From: Chris Fredrickson Date: Wed, 5 Jun 2024 11:19:09 -0400 Subject: [PATCH 1/3] Update details on reasons for cookie access --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index f1a6d54..49f777b 100644 --- a/README.md +++ b/README.md @@ -89,9 +89,11 @@ Browsers that do not support the proposed headers will still receive the appropr Sec-Fetch-Storage-Access: ``` This is a [fetch metadata request header](https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header) (with a [forbidden header name](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)), where the `` directive is one of the following: -* `none`: the fetch's context does not have the `storage-access` permission. The header may also be omitted as a whole in this case. -* `inactive`: the fetch's context has the `storage-access` permission, but has not opted into using it. -* `active`: the fetch's context has the `storage-access` permission and has opted into using it. +* `none`: the fetch's context does not have access to unpartitioned cookies, and does not have the `storage-access` permission. The header may also be omitted as a whole in this case. +* `inactive`: the fetch's context has the `storage-access` permission, but has not opted into using it; and does not have unpartitioned cookie access through some other means. +* `active`: the fetch's context has unpartitioned cookie access. + +The user agent may omit this header on same-site requests, since those requests do not involve cross-site cookies. ### Response headers 
@@ -100,9 +102,9 @@ Activate-Storage-Access: ``` This is a [structured header](https://datatracker.ietf.org/doc/html/rfc8941) whose value is a [token](https://datatracker.ietf.org/doc/html/rfc8941#section-3.3.4) which is one of the following: * `load`: the server requests that the user agent activate the `storage-access` permission before continuing with the load of the resource. -* `retry`: the server requests that the user agent activate the `storage-access` permission, then retry the request. The retried request must include the `Sec-Fetch-Storage-Access: active` header. +* `retry`: the server requests that the user agent activate the `storage-access` permission, then retry the request. The retried request must include the `Sec-Fetch-Storage-Access: active` header. (This token may be ignored if the previous request did not include `Sec-Fetch-Storage-Access: inactive`.) -If the request did not include `Sec-Fetch-Storage-Access: inactive`, the user agent may ignore this header. +If the request did not include `Sec-Fetch-Storage-Access: inactive` or `Sec-Fetch-Storage-Access: active`, the user agent may ignore this header (both tokens). If the response includes this header, the user agent may renew the `storage-access` permission associated with the request context, since this is a clear signal that the embedded site is relying on the permission. From e6ce2f36c43b3dff9b511de74780f5b6a923a87b Mon Sep 17 00:00:00 2001 From: Chris Fredrickson Date: Wed, 5 Jun 2024 13:04:06 -0400 Subject: [PATCH 2/3] Adjust language around omitting request header --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 49f777b..c16c9b4 100644 --- a/README.md +++ b/README.md 
@@ -89,11 +89,11 @@ Browsers that do not support the proposed headers will still receive the appropr Sec-Fetch-Storage-Access: ``` This is a [fetch metadata request header](https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header) (with a [forbidden header name](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)), where the `` directive is one of the following: -* `none`: the fetch's context does not have access to unpartitioned cookies, and does not have the `storage-access` permission. The header may also be omitted as a whole in this case. +* `none`: the fetch's context does not have access to unpartitioned cookies, and does not have the `storage-access` permission. * `inactive`: the fetch's context has the `storage-access` permission, but has not opted into using it; and does not have unpartitioned cookie access through some other means. * `active`: the fetch's context has unpartitioned cookie access. -The user agent may omit this header on same-site requests, since those requests do not involve cross-site cookies. +The user agent may omit this header on same-site requests, since those requests cannot involve cross-site cookies. The user agent must include this header on cross-site requests. ### Response headers From b99fbe1638985b94a60273a1890b963b0db540fa Mon Sep 17 00:00:00 2001 From: Chris Fredrickson Date: Wed, 5 Jun 2024 17:36:51 -0400 Subject: [PATCH 3/3] Rephrase `retry` token ignoring sentence --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c16c9b4..088efd1 100644 --- a/README.md +++ b/README.md 
@@ -102,7 +102,7 @@ Activate-Storage-Access: ``` This is a [structured header](https://datatracker.ietf.org/doc/html/rfc8941) whose value is a [token](https://datatracker.ietf.org/doc/html/rfc8941#section-3.3.4) which is one of the following: * `load`: the server requests that the user agent activate the `storage-access` permission before continuing with the load of the resource. -* `retry`: the server requests that the user agent activate the `storage-access` permission, then retry the request. The retried request must include the `Sec-Fetch-Storage-Access: active` header. (This token may be ignored if the previous request did not include `Sec-Fetch-Storage-Access: inactive`.) +* `retry`: the server requests that the user agent activate the `storage-access` permission, then retry the request. The retried request must include the `Sec-Fetch-Storage-Access: active` header. (The user agent must ignore the token if permission is not already granted or if unpartitioned cookies are already accessible. In other words, the user agent must ignore the token if the previous request did not include the `Sec-Fetch-Storage-Access: inactive` header.) If the request did not include `Sec-Fetch-Storage-Access: inactive` or `Sec-Fetch-Storage-Access: active`, the user agent may ignore this header (both tokens).
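Review bot: in the first hunk of PATCH 1/3 (the `Sec-Fetch-Storage-Access` values), the `none` bullet still says "The header may also be omitted as a whole in this case" while the new trailing paragraph says "The user agent may omit this header on same-site requests", so the hunk now carries two independent omission rules (one keyed on permission state, one on site relation) and does not say whether a cross-site request whose context is `none` may arrive with no header at all. Suggest keeping a single rule: drop the omission clause from the `none` bullet, or state explicitly that omission is allowed only for same-site requests, so a server can treat a missing header on a cross-site request as an unambiguous signal rather than as "either `none` or omitted".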
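Review bot: in the second hunk of PATCH 1/3 (the `Activate-Storage-Access` tokens), the new general sentence "If the request did not include `Sec-Fetch-Storage-Access: inactive` or `Sec-Fetch-Storage-Access: active`, the user agent may ignore this header (both tokens)" conflicts with the parenthetical added to the `retry` bullet in the same hunk, which ignores `retry` whenever the previous request lacked `inactive`: under the general sentence a `retry` answered to an `active` request is honoured, under the parenthetical it is ignored. Because the retried request must itself carry `Sec-Fetch-Storage-Access: active`, honouring `retry` on an already-`active` request lets a server that keeps answering `retry` drive the user agent into a retry loop. Suggest splitting the sentence by token (`load` may be honoured when the request carried `inactive` or `active`; `retry` only when it carried `inactive`) and making the ignore case "must" rather than "may", so the loop protection is normative.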
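Review bot: PATCH 2/3 uses "same-site requests" and "cross-site requests" without saying which relation is meant, and the claim that same-site requests "cannot involve cross-site cookies" depends on it: a request that is same-site to its initiating frame but issued from under a cross-site top-level document is exactly the case where unpartitioned cookies are at stake. Suggest stating the definition, for example by pointing at the `Sec-Fetch-Site` classification (which takes the ancestor chain into account), so that "The user agent must include this header on cross-site requests" has a testable meaning. Removing "The header may also be omitted as a whole in this case" from the `none` bullet is the right direction for server authors, since after this change a missing header can only mean an unsupporting browser (per the hunk's context line) or a same-site request.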
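Review bot: PATCH 3/3 upgrades the `retry` parenthetical to a hard requirement ("the user agent must ignore the token if the previous request did not include the `Sec-Fetch-Storage-Access: inactive` header"), but the unchanged context line that follows still says the user agent "may ignore this header (both tokens)" when the request lacked `inactive` or `active`, so for `retry` on an `active` request one sentence says "must ignore" and the next says "may ignore"; that sentence should be edited in the same commit to cover only `load`, or to say "must" for `retry` as well. The "In other words" equivalence is also not exact: "permission is not already granted" covers `none` and "unpartitioned cookies are already accessible" covers `active`, but a request with no header at all (a same-site request under PATCH 2/3) is also "did not include `inactive`" and is not described by either condition; stating that `retry` is ignored when the header is absent would close that gap.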