privacysandbox / privacy-sandbox-dev-support

Discuss your Privacy Sandbox developer questions with the Chrome team.
Apache License 2.0

Help Confirming Understanding of Related Website Sets and Storage Access API Restrictions #170

Open bretticus-mc opened 1 year ago

bretticus-mc commented 1 year ago

The StorageAccessAPI requires that users must interact with an embedded site as a top-level context at least once every 30 days; otherwise, it will automatically deny the document.requestStorageAccess() call. Is top-level interaction of the embedded site still a requirement with Related Website Sets? Or will the StorageAccessAPI automatically grant access if the embedded site is included in the RWS?

cfredric commented 1 year ago

(Minor correction: the top-level user interaction requirement that you're referring to is not part of the Storage Access API specification; it's an additional requirement that Chrome imposes. Other browsers do not impose that requirement, to my knowledge.)

> Is top-level interaction of the embedded site still a requirement with Related Website Sets? Or will the StorageAccessAPI automatically grant access if the embedded site is included in the RWS?

This section of the explainer shows the logic that Chrome follows when an iframe requests the storage-access permission. Order is significant here -- so to answer your question, no, Chrome does not require the top-level interaction when auto-granting based on RWS membership.

bretticus-mc commented 1 year ago

Thanks @cfredric. I don't see mention of the user gesture inside the iframe required to call document.requestStorageAccess(). Would our embedded site be able to make the SAA call and it be automatically granted if it's in the RWS membership? Or does there still need to be an interaction by the user inside the iframe to trigger document.requestStorageAccess()?

cfredric commented 1 year ago

> I don't see mention of the user gesture inside the iframe required to call document.requestStorageAccess().

The embedded user gesture requirement is step 4 in this section. That check comes before the user-agent-specific part of the algorithm (step 5, where Chrome applies the RWS-autogranting and top-level-user-interaction requirement), so the embedded user interaction is still required even if the top-level site and embedded site are part of the same RWS in Chrome. However, Chrome can still avoid showing a user prompt in the RWS case.

bretticus-mc commented 1 year ago

I see. What about document.requestStorageAccessFor()? It would be called from the top-level. Does there need to be some user gesture that triggers that RSAfor API call or would it automatically resolve to RWS?

cfredric commented 1 year ago

document.requestStorageAccessFor also requires a transient user interaction (i.e. the user must have just clicked, or pressed a key, etc.) when the JS API is called, even for intra-RWS cases.

Similar to the RWS case for document.requestStorageAccess, document.requestStorageAccessFor(site) doesn't require a previous/historical user interaction on the "embedded" site (i.e. the site argument given to the JS method).
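
The gesture requirements discussed in this thread, as an added example that is not part of the thread or the Chrome team's code: both `document.requestStorageAccess()` (embedded side) and `document.requestStorageAccessFor()` (top-level side) are called only from a click handler, and a rejection is handled rather than assumed away. The function names, the `doc`/`button` parameters and the result shape are assumptions of this sketch.

```javascript
// Added example, not code from the thread. `doc` stands in for `document`
// and `button` for a visible control; both are passed in (an assumption of
// this sketch) so the logic can be exercised outside a browser.

// Report the outcome of a storage-access promise through one callback.
function report(promise, onResult) {
  return promise.then(
    () => onResult({ granted: true }),
    (err) => onResult({ granted: false, reason: err ? err.name : 'unknown' })
  );
}

// Embedded (iframe) side. Querying current state needs no gesture, but
// requestStorageAccess() is only called from the click handler, because the
// in-iframe user gesture is required even inside one Related Website Set.
async function initEmbedded(doc, button, onResult) {
  if (await doc.hasStorageAccess()) {
    onResult({ granted: true });
    return;
  }
  button.addEventListener('click', () => {
    report(doc.requestStorageAccess(), onResult);
  });
}

// Top-level side. requestStorageAccessFor() also needs a transient user
// interaction at call time, so it is wired to a click as well. The method
// is feature-detected first in case the browser lacks it.
function initTopLevel(doc, button, embeddedOrigin, onResult) {
  if (typeof doc.requestStorageAccessFor !== 'function') {
    onResult({ granted: false, reason: 'unsupported' });
    return;
  }
  button.addEventListener('click', () => {
    report(doc.requestStorageAccessFor(embeddedOrigin), onResult);
  });
}
```

In a page, `doc` is `document` and `embeddedOrigin` is the origin of the embedded site; a `granted: false` result is the point at which to fall back to partitioned storage or a sign-in flow.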