From f2198bd0f5204855101ccb1afbdff357ab5059f1 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Wed, 3 May 2023 15:03:18 +0100
Subject: [PATCH 01/11] Update Storage Access API content

---
 .../api/document/hasstorageaccess/index.md    |  7 +-
 files/en-us/web/api/document/index.md         |  2 +-
 .../document/requeststorageaccess/index.md    | 29 +++---
 .../en-us/web/api/storage_access_api/index.md | 89 ++++++++++++-------
 .../web/api/storage_access_api/using/index.md | 13 +--
 files/en-us/web/html/element/iframe/index.md  |  4 +-
 .../http/headers/permissions-policy/index.md  |  4 +
 .../storage-access/index.md                   | 43 +++++++++
 8 files changed, 139 insertions(+), 52 deletions(-)
 create mode 100644 files/en-us/web/http/headers/permissions-policy/storage-access/index.md

diff --git a/files/en-us/web/api/document/hasstorageaccess/index.md b/files/en-us/web/api/document/hasstorageaccess/index.md
index 57b15f9da0cdbb8..e5c2a52cb576421 100644
--- a/files/en-us/web/api/document/hasstorageaccess/index.md
+++ b/files/en-us/web/api/document/hasstorageaccess/index.md
@@ -8,7 +8,7 @@ browser-compat: api.Document.hasStorageAccess
 
 {{APIRef("Storage Access API")}}
 
-The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party storage.
+The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party client-side storage.
 
 This method is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
@@ -28,6 +28,11 @@ A {{jsxref("Promise")}} that resolves with a boolean value indicating whether th
 
 If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.
 
+### Exceptions
+
+- `InvalidStateError` {{domxref("DOMException")}}
+  - : Thrown if the current {{domxref("Document")}} is not yet active.
+
 ## Examples
 
 ```js
diff --git a/files/en-us/web/api/document/index.md b/files/en-us/web/api/document/index.md
index 0bdb3d029d7efe5..fb81a611e123889 100644
--- a/files/en-us/web/api/document/index.md
+++ b/files/en-us/web/api/document/index.md
@@ -257,7 +257,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.replaceChildren()")}}
   - : Replaces the existing children of a document with a specified new set of children.
 - {{DOMxRef("Document.requestStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves if the access to first-party storage was granted, and rejects if access was denied.
+  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to its client-side storage, in cases where user agents by default block access to client-side storage by sites loaded in a third-party context to improve privacy.
 - {{domxref("Document.startViewTransition()")}} {{Experimental_Inline}}
   - : Starts a new {{domxref("View Transitions API", "view transition", "", "nocode")}} and returns a {{domxref("ViewTransition")}} object to represent it.
 - {{DOMxRef("Document.mozSetImageElement()")}} {{Non-standard_Inline}}
diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md
index 7f13972b8fb79f2..3fecdcc7692e4d7 100644
--- a/files/en-us/web/api/document/requeststorageaccess/index.md
+++ b/files/en-us/web/api/document/requeststorageaccess/index.md
@@ -6,11 +6,13 @@ page-type: web-api-instance-method
 browser-compat: api.Document.requestStorageAccess
 ---
 
-{{APIRef("Storage Access API")}}
+{{APIRef("DOM")}}
 
-The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves if the access to first-party storage was granted, and rejects if access was denied.
+The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to its client-side storage.
 
-This is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+This is relevant to user agents that by default block access to client-side storage by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+
+> **Note:** Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. In addition, the document must pass additional browser-specific checks such as allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 
 ## Syntax
 
@@ -31,6 +33,17 @@ When the promise gets resolved, the resolve handler will run as if a user gestur
 - In the former case, code can then start to call APIs that require user activation and things can move forward.
 - In the latter case, code can run to inform the user of why the request failed and what they can do to continue (for example asking them to log in, if that is a requirement).
 
+### Exceptions
+
+- `InvalidStateError` {{domxref("DOMException")}}
+  - : Thrown if the current {{domxref("Document")}} is not yet active.
+- `NotAllowedError` {{domxref("DOMException")}}
+  - : Thrown if:
+    - The document's window is not a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
+    - Usage is blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy).
+    - The document or the top-level document has a `null` origin.
+    - The embedding {{htmlelement("iframe")}} is sandboxed, and the `allow-storage-access-by-user-activation` token is not set.
+
 ## Examples
 
 ```js
@@ -44,16 +57,6 @@ document.requestStorageAccess().then(
 );
 ```
 
-## Security
-
-Access to cross-site cookies is granted to iframes based on a number of prerequisites:
-
-1. The browser must be processing a user gesture ({{Glossary("transient activation")}}).
-2. The document or the top-level document must not have a null origin.
-3. The document's window must be a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
-4. If the document is sandboxed, it must have the `allow-storage-access-by-user-activation` token.
-5. The document must pass additional browser-specific checks. Examples: allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
-
 ## Specifications
 
 {{Specifications}}
diff --git a/files/en-us/web/api/storage_access_api/index.md b/files/en-us/web/api/storage_access_api/index.md
index c8b7d84ef5ad811..f9cccae3f745438 100644
--- a/files/en-us/web/api/storage_access_api/index.md
+++ b/files/en-us/web/api/storage_access_api/index.md
@@ -9,56 +9,89 @@ browser-compat:
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The Storage Access API provides a way for embedded, cross-origin content to gain unrestricted access to storage that it would normally only have access to in a first-party context (we refer to this as an origin's _first-party_ storage).
+The Storage Access API provides a way for cross-origin content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to client-side storage that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab; we refer to this as an origin's _first-party_ storage).
 
-The API provides methods that allow embedded resources to check whether they currently have access to their first-party storage, and to request access to their first-party storage from the user agent.
+This is relevant to user agents that by default block access to client-side storage by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking). There are legitimate uses of first-party client-side storage access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details across different sites such as location data or viewing preferences.
+
+The API provides methods that allow embedded resources to check whether they currently have access to their first-party client-side storage, and to request access to their first-party storage from the user agent.
+
+> **Note:** Bear in mind that when we say "first-party client-side storage" in this documentation, we are basically talking about access to cookies. We have however written it with a more generic focus, as it may be useful for other forms of client-side storage in the future.
 
 ## Concepts and usage
 
-Most browsers implement a number of storage access policies that restrict access to cookies and site data for embedded, cross-origin resources. These restrictions range from giving embedded resources under each top-level origin a unique storage space to outright blocking of storage access when resources are loaded in a third-party context.
+Most browsers implement a number of storage access features and policies that restrict access to cookies and site data for embedded, cross-origin resources. These range from giving embedded resources under each top-level origin a unique storage space (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies)) to outright blocking of storage access when resources are loaded in a third-party context.
+
+The semantics around third-party cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-origin resources embedded in a third-party context are not given access to the same cookies and site storage that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
+
+However, there are legitimate uses for embedded cross-origin content accessing its first-party storage, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies stored in first-party storage, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
+
+The Storage Access API is intended to solve this problem; embedded cross-origin content can request unrestricted access to its first-party storage on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
+
+## How it works
 
-The semantics around third-party cookie blocking policies in particular differ from browser to browser, but the core functionality is similar: cross-origin resources embedded in a third-party context are not given access to the same cookies and site storage that they would have access to when loaded in a first-party context.
+As explained above, modern browsers implement various features and policies to restrict or block access to first-party storage by embedded content. Such content that has a legitimate need for first-party storage access can get around this problem as follows:
 
-These cookie blocking policies are known to break embedded cross-origin content that requires access to its first-party storage. As an example, federated logins often require access to authentication cookies stored in first-party storage, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. In the case of breakage, site owners have often encouraged users to add their site as an exception or to disable the policy entirely. As a consequence, users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
+1. It can call the {{domxref("Document.hasStorageAccess()")}} method to check whether it has the access it needs already.
+2. If not, it can request access via the {{domxref("Document.requestStorageAccess()")}} method.
+3. Depending on the browser, the user will be asked whether to grant storage access to the requesting embed in slightly differing ways.
+   - Safari shows prompts for all embedded tracking content that has not previously received storage access.
+   - Firefox only prompts users after a tracking origin has requested storage access on more than a threshold number of sites.
+   - At the time of writing, Chrome doesn't prompt the user. Instead, it only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href='https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/'>first-party set</a>. This behavior will change as the implementation is developed further.
+4. Access is granted or denied based on whether the content meets all the security requirements (see [Security measures](#security_measures), below). The {{jsxref("Promise")}}-based nature of `requestStorageAccess()` allows you to run code to handle success and failure cases.
+   - Modern spec behavior dictates that access is granted **per-frame** — every separate content embed has its access blocked by default, and needs to call `requestStorageAccess()` to opt in to access. If a content embed has received access, and same-site embeds then call `requestStorageAccess()`, their promises will fulfill automatically. But they still need to opt in.
+   - In older versions of the spec, the access was **per-page**. As soon as one embed received storage access via `requestStorageAccess()`, all other same-site embeds would automatically receive storage access. This was not desirable behavior from a security standpoint — if `shop.example.com` embedded `locator.users.com` to allow users to use their location info while shopping, and `locator.users.com` called `requestStorageAccess()`, `shop.example.com` and any other sites it embeds would be able to access its cookies, but also access cookies from `private.users.com`, which is not intended to be embedded. [Read more about the motivations](https://github.com/privacycg/storage-access/issues/113) behind this change.
+   - Consult the [Browser compatibility information](#browser_compatibility) to see which browsers implement which behavior.
+5. Once access is granted, a permission key is stored in the browser with the structure `<top-level site, embedded site>`. For example, if the embedding site is `embedder.com`, and the embed is `locator.example.com`, the key would be `<embedder.com, example.com>`. Same-site embeds (`docs.example.com`, `profile.example.com`, etc.) would then be able to call `requestStorageAccess()` and the promise would fulfill automatically, as mentioned earlier.
+   - Older versions of the spec used the more specific permission key structure `<top-level site, embedded origin>`, which meant that same-site embeds didn't match the permission key and had to go through the whole process separately.
+   - At the time of writing, only Chromium browsers had implemented the new behavior.
 
-The Storage Access API is intended to solve this problem; embedded cross-origin content can request unrestricted access to its first-party storage on a site-by-site basis via the {{domxref("Document.requestStorageAccess()")}} method, and check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
+> **Note:** See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for an implementation guide, with code examples.
 
-In addition, sandboxed {{htmlelement("iframe")}}s cannot be granted storage access by default for security reasons. The API therefore also adds the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox). The embedding website needs to add this to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to call the API, and execute in an origin that can have cookies:
+> **Note:** The only exception to the "blocked by default" behavior is when a content embed makes a successful `requestStorageAccess()`, but then performs a same-origin navigation (for example reloading itself). In such cases, the storage access is carried over from the previous navigation.
 
-```html
-<iframe
-  sandbox="allow-storage-access-by-user-activation
-                 allow-scripts
-                 allow-same-origin">
-  …
-</iframe>
-```
+## Security measures
 
-The API is designed to limit the potential storage exceptions to origins for which the user has shown an intent to interact. This is enforced through the following constraints:
+There are a number of different related security measures that could cause a {{domxref("Document.requestStorageAccess()")}} call to fail. Check the below list if you are having trouble getting a request to work:
 
-- Access requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click. This also prevents embedded content on the page from spamming the browser or user with excessive access requests.
-- Origins that have never been interacted with as a first party do not have a notion of first-party storage. From the user's perspective, they only have a third-party relationship with that origin. Access requests are automatically denied if the browser detects that the user hasn't interacted with the embedded content in a first-party context recently (in Firefox, "recently" is "within 30 days").
+1. The call must be associated with a user gesture ({{Glossary("transient activation")}}) such as a tap or click. This prevents embedded content on the page from spamming the browser or user with excessive access requests.
+2. The document and top-level document must not have a `null` origin.
+3. Origins that have never been interacted with as a first party do not have a notion of first-party storage. From the user's perspective, they only have a third-party relationship with that origin. Access requests are automatically denied if the browser detects that the user hasn't interacted with the embedded content in a first-party context recently (in Firefox, "recently" is "within 30 days").
+4. The document's window must be a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
+5. Sandboxed {{htmlelement("iframe")}}s cannot be granted storage access by default for security reasons. The API therefore also adds the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox). The embedding website needs to add this to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to call the API, and execute in an origin that can have cookies:
 
-The browser may decide to involve the user in the decision of whether to grant an incoming storage access request. Specifics regarding the lifetime of a storage grant and the circumstances under which the browser may decide to inform the user are currently being worked through and will be announced once ready.
+   ```html
+   <iframe sandbox="allow-storage-access-by-user-activation
+                   allow-scripts
+                   allow-same-origin">
+    …
+   </iframe>
+   ```
 
-## User prompts
+6. Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server.
+7. At the time of writing, Chrome only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href='https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/'>first-party set</a>. This restriction is intended to be relaxed as the implementation is developed further.
 
-When `requestStorageAccess()` is called by an embedded, cross-origin document, the user agent may choose to involve the user in the decision of whether to grant storage access to the requesting origin. Prompting heuristics currently vary across the two implementers of the Storage Access API — Safari shows prompts for all embedded tracking content that has not previously received storage access, while Firefox only prompts users after a tracking origin has requested storage access on more than a threshold number of sites. See {{domxref("Document.requestStorageAccess()")}} for more details.
+> **Note:** The document may also be required to pass additional browser-specific checks. Examples: allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 
-## Safari implementation differences
+## Browser storage access policy variations
 
-Although the API surface is the same, websites using the Storage Access API should expect differences in the level and extent of storage access they receive between Firefox and Safari. This is caused by differences in the storage access policies implemented in the two browsers. Design properties unique to Firefox are summarized here:
+Although the API surface is the same, websites using the Storage Access API should expect differences in the level and extent of storage access they receive between different browsers, due to differences in their storage access policies.
+
+### Firefox
+
+Design properties unique to Firefox are summarized here:
 
 - If the embedded origin `tracker.example` has already obtained first-party storage access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have storage access immediately when loading.
 - If an embedded page from `tracker.example` has previously successfully obtained storage access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their first-party storage, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
 - In Firefox, when the promise returned from `requestStorageAccess()` is resolved, the embedded page will gain access to its entire first-party storage, not just cookies. This includes access to APIs such as [Web Storage](/en-US/docs/Web/API/Web_Storage_API), [IndexedDB](/en-US/docs/Web/API/IndexedDB_API), [DOM Cache](/en-US/docs/Web/API/Cache), and so on.
-- In Firefox, the storage access grants are phased out after 30 calendar days passing, whereas in Safari the storage access grants are phased out after 30 days of browser usage passed without user interaction. This is currently a limitation of the Firefox implementation, which we may address in a future version. In Safari, successful use of the storage access API resets this counter.
+- The storage access grants are phased out after 30 calendar days passing.
 
 Documentation for Firefox's new storage access policy for blocking tracking cookies includes [a detailed description](/en-US/docs/Web/Privacy/Storage_Access_Policy#storage_access_grants) of the scope of storage access grants.
 
-## Storage Access API methods
+### Safari
+
+- The storage access grants are phased out after 30 days of browser usage passed without user interaction. Successful use of the storage access API resets this counter.
 
-The storage API methods are implemented on the {{domxref("Document")}} interface:
+## API methods
 
 - {{domxref("Document.hasStorageAccess()")}}
   - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party storage.
@@ -67,10 +100,6 @@ The storage API methods are implemented on the {{domxref("Document")}} interface
 
 > **Note:** User interaction propagates to the Promise returned by both of these methods, allowing the callers to take actions that require user interaction without requiring a second click from the user. For example, a caller could open a pop-up window from the resolved Promise without triggering Firefox's pop-up blocker.
 
-## Extensions to \<iframe> sandbox
-
-The {{htmlelement("iframe")}} element's `sandbox` attribute has a new token, `allow-storage-access-by-user-activation`, which permits sandboxed `<iframe>`s to use the Storage Access API to request storage access.
-
 ## Specifications
 
 {{Specifications}}
diff --git a/files/en-us/web/api/storage_access_api/using/index.md b/files/en-us/web/api/storage_access_api/using/index.md
index cde5460ee75bf96..7bb240f572447f4 100644
--- a/files/en-us/web/api/storage_access_api/using/index.md
+++ b/files/en-us/web/api/storage_access_api/using/index.md
@@ -12,21 +12,22 @@ The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) should be used
 
 The Storage Access API is designed to allow embedded content to request access to storage that would otherwise be blocked when a user's browser is set to block all third-party cookies. Since embedded content won't know which storage policy is in use by the user, it's best to always check whether the embedded frame has storage access before attempting to read or write from storage. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookies are blocked.
 
-## Accessing a user's cookies in an embedded cross-origin iframe
+In the example below, we show how an embedded cross-origin {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookies.
 
-In this example we show how an embedded cross-origin {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookies.
+## Allowing a sandboxed \<iframe> to use the API
 
 First of all, if the `<iframe>` is sandboxed, the embedding website needs to add the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox) to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to call the API, and execute in an origin that can have cookies:
 
 ```html
-<iframe
-  sandbox="allow-storage-access-by-user-activation
+<iframe sandbox="allow-storage-access-by-user-activation
                  allow-scripts
                  allow-same-origin">
   …
 </iframe>
 ```
 
+## Checking and requesting storage access
+
 Now on to the code executed inside the embedded document. Since it does not know whether it currently has access to storage, it should first call {{domxref("Document.hasStorageAccess()")}}. If that call returns `false`, we can then call {{domxref("Document.requestStorageAccess()")}}, returning the result so that then we can chain it onto the previous promise call. In the final `then`, we'll have first-party storage access.
 
 ```js
@@ -63,7 +64,9 @@ if (document.hasStorageAccess == null) {
 }
 ```
 
-Note that access requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click — so this code needs to be run inside some kind of user gesture-based event handler, for example:
+## Transient activation required
+
+Note that access requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}). The above code therefore needs to be run inside some kind of user gesture-based event handler, for example:
 
 ```js
 btn.addEventListener("click", () => {
diff --git a/files/en-us/web/html/element/iframe/index.md b/files/en-us/web/html/element/iframe/index.md
index 2712c4e1fe91a81..dfc83179e67a5b0 100644
--- a/files/en-us/web/html/element/iframe/index.md
+++ b/files/en-us/web/html/element/iframe/index.md
@@ -71,7 +71,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
 
 - `sandbox`
 
-  - : Applies extra restrictions to the content in the frame. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:
+  - : Controls the restrictions applied to the content embedded in the `<iframe>`. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:
 
     - `allow-downloads`: Allows downloading files through an {{HTMLElement("a")}} or {{HTMLElement("area")}} element with the [download](/en-US/docs/Web/HTML/Element/a#download) attribute, as well as through the navigation that leads to a download of a file. This works regardless of whether the user clicked on the link, or JS code initiated it without user interaction.
     - `allow-downloads-without-user-activation` {{experimental_inline}}: Allows for downloads to occur without a gesture from the user.
@@ -84,7 +84,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
     - `allow-presentation`: Allows embedders to have control over whether an iframe can start a [presentation session](/en-US/docs/Web/API/PresentationRequest).
     - `allow-same-origin`: If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
     - `allow-scripts`: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
-    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Lets the resource request access to the parent's storage capabilities with the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its client-side storage.
     - `allow-top-navigation`: Lets the resource navigate the top-level browsing context (the one named `_top`).
     - `allow-top-navigation-by-user-activation`: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
     - `allow-top-navigation-to-custom-protocols`: Allows navigations to non-`http` protocols built into browser or [registered by a website](/en-US/docs/Web/API/Navigator/registerProtocolHandler/Web-based_protocol_handlers). This feature is also activated by `allow-popups` or `allow-top-navigation` keyword.
diff --git a/files/en-us/web/http/headers/permissions-policy/index.md b/files/en-us/web/http/headers/permissions-policy/index.md
index 3a5b7a301d57cd2..432ceeb70c26f1e 100644
--- a/files/en-us/web/http/headers/permissions-policy/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/index.md
@@ -173,6 +173,10 @@ You can specify
 
   - : Controls whether the current document is allowed to use the [Audio Output Devices API](/en-US/docs/Web/API/Audio_Output_Devices_API) to list and select speakers.
 
+- {{httpheader("Permissions-Policy/storage-access", "storage-access")}} {{Experimental_Inline}}
+
+  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its client-side storage.
+
 - {{httpheader('Permissions-Policy/usb', 'usb')}} {{Experimental_Inline}}
 
   - : Controls whether the current document is allowed to use the [WebUSB API](https://wicg.github.io/webusb/).
diff --git a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
new file mode 100644
index 000000000000000..31f0c653dac4042
--- /dev/null
+++ b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
@@ -0,0 +1,43 @@
+---
+title: "Permissions-Policy: storage-access"
+slug: Web/HTTP/Headers/Permissions-Policy/storage-access
+page-type: http-permissions-policy-directive
+status:
+  - experimental
+browser-compat: http.headers.Permissions-Policy.storage-access
+---
+
+{{HTTPSidebar}}{{SeeCompatTable}}
+
+The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its client-side storage.
+
+This is relevant to user agents that by default block access to client-side storage by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking).
+
+Specifically, where a defined policy blocks use of this feature, {{domxref("Document.requestStorageAccess()")}} calls will return a {{jsxref("Promise")}} that rejects with a {{domxref("DOMException")}} of type `NotAllowedError`.
+
+## Syntax
+
+```http
+Permissions-Policy: storage-access=<allowlist>;
+```
+
+- `<allowlist>`
+  - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details.
+
+## Default policy
+
+The default allowlist for `storage-access` is `*`.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [Storage Access API](/en-US/docs/Web/API/Storage_Access_API)
+- {{HTTPHeader("Permissions-Policy")}} header
+- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy)

From bfd37676469d238ef0f06ff2214b7c06d6d04a40 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 9 May 2023 11:18:03 +0100
Subject: [PATCH 02/11] Making fixes for cfredric review comments

---
 .../api/document/hasstorageaccess/index.md    | 13 ++-
 files/en-us/web/api/document/index.md         |  4 +-
 .../document/requeststorageaccess/index.md    | 14 ++--
 .../en-us/web/api/storage_access_api/index.md | 61 ++++++++------
 .../web/api/storage_access_api/using/index.md | 79 +++++++++++--------
 files/en-us/web/html/element/iframe/index.md  |  2 +-
 .../http/headers/permissions-policy/index.md  |  2 +-
 .../storage-access/index.md                   |  4 +-
 8 files changed, 105 insertions(+), 74 deletions(-)

diff --git a/files/en-us/web/api/document/hasstorageaccess/index.md b/files/en-us/web/api/document/hasstorageaccess/index.md
index e5c2a52cb576421..65cde9c65cd4a0e 100644
--- a/files/en-us/web/api/document/hasstorageaccess/index.md
+++ b/files/en-us/web/api/document/hasstorageaccess/index.md
@@ -8,7 +8,7 @@ browser-compat: api.Document.hasStorageAccess
 
 {{APIRef("Storage Access API")}}
 
-The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party client-side storage.
+The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies.
 
 This method is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
@@ -24,9 +24,14 @@ None.
 
 ### Return value
 
-A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party storage.
+A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies — `true` if it does, and `false` if not.
 
-If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.
+The result returned by this method can be inaccurate in a couple of specific circumstances:
+
+1. The user may have browser settings active that block cookies entirely — in this case `true` may be returned even though first-party cookies are still inaccessible. To handle such a situation, you are advised to gracefully handle any errors resulting in cookie values being unretrievable, for example by telling the user that unfortunately access to their personalized settings was blocked, and inviting them to sign-in again to make use of them.
+2. The browser might not block third-party cookies by default — in this case `false` may be returned even though first-party cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). This situation will probably only arise in older browsers that don't support `hasStorageAccess()` anyway, so can be handled using feature detection.
+
+> **Note:** If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.
 
 ### Exceptions
 
@@ -46,6 +51,8 @@ document.hasStorageAccess().then((hasAccess) => {
 });
 ```
 
+> **Note:** See [Using the Storage Access API](/docs/Web/API/Storage_Access_API/Using) for a more complete example.
+
 ## Specifications
 
 {{Specifications}}
diff --git a/files/en-us/web/api/document/index.md b/files/en-us/web/api/document/index.md
index fb81a611e123889..94652dd7ec23a0c 100644
--- a/files/en-us/web/api/document/index.md
+++ b/files/en-us/web/api/document/index.md
@@ -241,7 +241,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.getSelection()")}}
   - : Returns a {{DOMxRef('Selection')}} object representing the range of text selected by the user, or the current position of the caret.
 - {{DOMxRef("Document.hasStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party storage.
+  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies.
 - {{DOMxRef("Document.importNode()")}}
   - : Returns a clone of a node from an external document.
 - {{DOMxRef("Document.prepend()")}}
@@ -257,7 +257,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.replaceChildren()")}}
   - : Replaces the existing children of a document with a specified new set of children.
 - {{DOMxRef("Document.requestStorageAccess()")}}
-  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to its client-side storage, in cases where user agents by default block access to client-side storage by sites loaded in a third-party context to improve privacy.
+  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to first-party cookies, in cases where user agents by default block access to first-party cookies by sites loaded in a third-party context to improve privacy.
 - {{domxref("Document.startViewTransition()")}} {{Experimental_Inline}}
   - : Starts a new {{domxref("View Transitions API", "view transition", "", "nocode")}} and returns a {{domxref("ViewTransition")}} object to represent it.
 - {{DOMxRef("Document.mozSetImageElement()")}} {{Non-standard_Inline}}
diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md
index 3fecdcc7692e4d7..787bcf394590f70 100644
--- a/files/en-us/web/api/document/requeststorageaccess/index.md
+++ b/files/en-us/web/api/document/requeststorageaccess/index.md
@@ -8,9 +8,9 @@ browser-compat: api.Document.requestStorageAccess
 
 {{APIRef("DOM")}}
 
-The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to its client-side storage.
+The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to its first-party cookies.
 
-This is relevant to user agents that by default block access to client-side storage by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+This is relevant to user agents that by default block access to first-party cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
 > **Note:** Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. In addition, the document must pass additional browser-specific checks such as allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 
@@ -26,12 +26,12 @@ None.
 
 ### Return value
 
-A {{jsxref("Promise")}} that fulfills with `undefined` if the access to first-party storage was granted, and rejects if access was denied.
+A {{jsxref("Promise")}} that fulfills with `undefined` if the access to first-party cookies was granted, and rejects if access was denied.
 
-When the promise gets resolved, the resolve handler will run as if a user gesture is being processed, whether the promise was fulfilled or rejected:
+`requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}). They therefore need to be run inside some kind of user gesture-based event handler. The user gesture behavior depends on the state of the promise:
 
-- In the former case, code can then start to call APIs that require user activation and things can move forward.
-- In the latter case, code can run to inform the user of why the request failed and what they can do to continue (for example asking them to log in, if that is a requirement).
+- If the promise resolves (i.e. if permission was granted), then the user gesture has not been consumed, so the script can subsequently call APIs that require a user gesture.
+- If the promise rejects (i.e. permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is an intentional protection against abuse — it prevents scripts from calling `requestStorageAccess()` in a loop until the user accepts the prompt.
 
 ### Exceptions
 
@@ -57,6 +57,8 @@ document.requestStorageAccess().then(
 );
 ```
 
+> **Note:** See [Using the Storage Access API](/docs/Web/API/Storage_Access_API/Using) for a more complete example.
+
 ## Specifications
 
 {{Specifications}}
diff --git a/files/en-us/web/api/storage_access_api/index.md b/files/en-us/web/api/storage_access_api/index.md
index f9cccae3f745438..1e8e39b5c3fb891 100644
--- a/files/en-us/web/api/storage_access_api/index.md
+++ b/files/en-us/web/api/storage_access_api/index.md
@@ -9,55 +9,55 @@ browser-compat:
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The Storage Access API provides a way for cross-origin content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to client-side storage that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab; we refer to this as an origin's _first-party_ storage).
+The Storage Access API provides a way for cross-site content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to cookies that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab; we refer to these as an origin's _first-party_ cookies).
 
-This is relevant to user agents that by default block access to client-side storage by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking). There are legitimate uses of first-party client-side storage access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details across different sites such as location data or viewing preferences.
+This is relevant to user agents that by default block access to firsty-party cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking). There are legitimate uses of first-party cookie access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details across different sites such as location data or viewing preferences.
 
-The API provides methods that allow embedded resources to check whether they currently have access to their first-party client-side storage, and to request access to their first-party storage from the user agent.
+The API provides methods that allow embedded resources to check whether they currently have access to their first-party cookies, and to request access to their first-party cookies from the user agent.
 
-> **Note:** Bear in mind that when we say "first-party client-side storage" in this documentation, we are basically talking about access to cookies. We have however written it with a more generic focus, as it may be useful for other forms of client-side storage in the future.
+> **Note:** The _Storage Access API_ name may seem like somewhat of a misnomer, given that it only provides access to cookies, and not other client-side storage mechanisms such as {{domxref("Web_Storage_API", "Web Storage", "", "nocode")}} or {{domxref("IndexedDB_API", "IndexedDB", "", "nocode")}}. The name has been kept generic because it may provide access to other forms of client-side storage in the future.
 
 ## Concepts and usage
 
-Most browsers implement a number of storage access features and policies that restrict access to cookies and site data for embedded, cross-origin resources. These range from giving embedded resources under each top-level origin a unique storage space (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies)) to outright blocking of storage access when resources are loaded in a third-party context.
+Most browsers implement a number of storage access features and policies that restrict access to cookies for embedded, cross-site resources. These range from giving embedded resources under each top-level origin a unique cookie storage space (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies)) to outright blocking of cookie access when resources are loaded in a third-party context.
 
-The semantics around third-party cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-origin resources embedded in a third-party context are not given access to the same cookies and site storage that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
+The semantics around third-party cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-site resources embedded in a third-party context are not given access to the same cookies that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
 
-However, there are legitimate uses for embedded cross-origin content accessing its first-party storage, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies stored in first-party storage, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
+However, there are legitimate uses for embedded cross-site content accessing first-party cookies, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies stored in first-party storage, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
 
-The Storage Access API is intended to solve this problem; embedded cross-origin content can request unrestricted access to its first-party storage on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
+The Storage Access API is intended to solve this problem; embedded cross-site content can request unrestricted access to its first-party cookies on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
 
 ## How it works
 
-As explained above, modern browsers implement various features and policies to restrict or block access to first-party storage by embedded content. Such content that has a legitimate need for first-party storage access can get around this problem as follows:
+As explained above, modern browsers implement various features and policies to restrict or block access to first-party cookies by embedded content. Such content that has a legitimate need for first-party cookie access can get around this problem as follows:
 
 1. It can call the {{domxref("Document.hasStorageAccess()")}} method to check whether it has the access it needs already.
 2. If not, it can request access via the {{domxref("Document.requestStorageAccess()")}} method.
-3. Depending on the browser, the user will be asked whether to grant storage access to the requesting embed in slightly differing ways.
+3. Depending on the browser, the user will be asked whether to grant access to the requesting embed in slightly differing ways.
    - Safari shows prompts for all embedded tracking content that has not previously received storage access.
    - Firefox only prompts users after a tracking origin has requested storage access on more than a threshold number of sites.
-   - At the time of writing, Chrome doesn't prompt the user. Instead, it only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href='https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/'>first-party set</a>. This behavior will change as the implementation is developed further.
+   - At the time of writing, Chrome doesn't prompt the user. Instead, it only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href="https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/">first-party set</a>. This behavior will change as the implementation is developed further.
 4. Access is granted or denied based on whether the content meets all the security requirements (see [Security measures](#security_measures), below). The {{jsxref("Promise")}}-based nature of `requestStorageAccess()` allows you to run code to handle success and failure cases.
-   - Modern spec behavior dictates that access is granted **per-frame** — every separate content embed has its access blocked by default, and needs to call `requestStorageAccess()` to opt in to access. If a content embed has received access, and same-site embeds then call `requestStorageAccess()`, their promises will fulfill automatically. But they still need to opt in.
-   - In older versions of the spec, the access was **per-page**. As soon as one embed received storage access via `requestStorageAccess()`, all other same-site embeds would automatically receive storage access. This was not desirable behavior from a security standpoint — if `shop.example.com` embedded `locator.users.com` to allow users to use their location info while shopping, and `locator.users.com` called `requestStorageAccess()`, `shop.example.com` and any other sites it embeds would be able to access its cookies, but also access cookies from `private.users.com`, which is not intended to be embedded. [Read more about the motivations](https://github.com/privacycg/storage-access/issues/113) behind this change.
+   - Modern spec behavior dictates that access is granted **per-frame** — every separate content embed has its cookie access blocked by default, and needs to call `requestStorageAccess()` to opt in to access. If a content embed has received access, and same-site embeds then call `requestStorageAccess()`, their promises will fulfill automatically. But they still need to opt in.
+   - In older versions of the spec, the access was **per-page**. As soon as one embed received cookie access via `requestStorageAccess()`, all other same-site embeds would automatically receive access. This was not desirable behavior from a security standpoint — for example if `shop.example.com` embedded `locator.users.com` to allow users to use their location info while shopping, and `locator.users.com` called `requestStorageAccess()`, `shop.example.com` and any other sites it embeds would be able to access its cookies, but also access cookies from `private.users.com`, which is not intended to be embedded. [Read more about the motivations](https://github.com/privacycg/storage-access/issues/113) behind this change.
    - Consult the [Browser compatibility information](#browser_compatibility) to see which browsers implement which behavior.
 5. Once access is granted, a permission key is stored in the browser with the structure `<top-level site, embedded site>`. For example, if the embedding site is `embedder.com`, and the embed is `locator.example.com`, the key would be `<embedder.com, example.com>`. Same-site embeds (`docs.example.com`, `profile.example.com`, etc.) would then be able to call `requestStorageAccess()` and the promise would fulfill automatically, as mentioned earlier.
    - Older versions of the spec used the more specific permission key structure `<top-level site, embedded origin>`, which meant that same-site embeds didn't match the permission key and had to go through the whole process separately.
    - At the time of writing, only Chromium browsers had implemented the new behavior.
 
-> **Note:** See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for an implementation guide, with code examples.
-
 > **Note:** The only exception to the "blocked by default" behavior is when a content embed makes a successful `requestStorageAccess()`, but then performs a same-origin navigation (for example reloading itself). In such cases, the storage access is carried over from the previous navigation.
 
 ## Security measures
 
 There are a number of different related security measures that could cause a {{domxref("Document.requestStorageAccess()")}} call to fail. Check the below list if you are having trouble getting a request to work:
 
-1. The call must be associated with a user gesture ({{Glossary("transient activation")}}) such as a tap or click. This prevents embedded content on the page from spamming the browser or user with excessive access requests.
+1. The call must be associated with a user gesture ({{Glossary("transient activation")}}) such as a tap or click. This prevents embedded content on the page from spamming the browser or user with excessive access requests. Note that this isn't required if:
+   - Permission to use the API has already been granted, for example by another same-site resource calling `requestStorageAccess()`.
+   - The caller is a top-level document, or same-site to the top-level document. In such cases, `requestStorageAccess()` probably doesn't need to be called at all.
 2. The document and top-level document must not have a `null` origin.
 3. Origins that have never been interacted with as a first party do not have a notion of first-party storage. From the user's perspective, they only have a third-party relationship with that origin. Access requests are automatically denied if the browser detects that the user hasn't interacted with the embedded content in a first-party context recently (in Firefox, "recently" is "within 30 days").
 4. The document's window must be a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
-5. Sandboxed {{htmlelement("iframe")}}s cannot be granted storage access by default for security reasons. The API therefore also adds the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox). The embedding website needs to add this to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to call the API, and execute in an origin that can have cookies:
+5. Sandboxed {{htmlelement("iframe")}}s cannot be granted storage access by default for security reasons. The API therefore also adds the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox). The embedding website needs to add this to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to execute a script to call the API and execute it in an origin that can have cookies:
 
    ```html
    <iframe sandbox="allow-storage-access-by-user-activation
@@ -68,37 +68,46 @@ There are a number of different related security measures that could cause a {{d
    ```
 
 6. Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server.
-7. At the time of writing, Chrome only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href='https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/'>first-party set</a>. This restriction is intended to be relaxed as the implementation is developed further.
+7. At the time of writing, Chrome only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href="https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/">first-party set</a>. This restriction is intended to be relaxed as the implementation is developed further.
 
 > **Note:** The document may also be required to pass additional browser-specific checks. Examples: allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 
 ## Browser storage access policy variations
 
-Although the API surface is the same, websites using the Storage Access API should expect differences in the level and extent of storage access they receive between different browsers, due to differences in their storage access policies.
+Although the API surface is the same, websites using the Storage Access API should expect differences in the level and extent of cookie access they receive between different browsers, due to differences in their storage access policies.
 
 ### Firefox
 
 Design properties unique to Firefox are summarized here:
 
-- If the embedded origin `tracker.example` has already obtained first-party storage access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have storage access immediately when loading.
-- If an embedded page from `tracker.example` has previously successfully obtained storage access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their first-party storage, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
+- If the embedded origin `tracker.example` has already obtained first-party cookie access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have cookie access immediately when loading.
+- If an embedded page from `tracker.example` has previously successfully obtained cookie access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their first-party storage, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
 - In Firefox, when the promise returned from `requestStorageAccess()` is resolved, the embedded page will gain access to its entire first-party storage, not just cookies. This includes access to APIs such as [Web Storage](/en-US/docs/Web/API/Web_Storage_API), [IndexedDB](/en-US/docs/Web/API/IndexedDB_API), [DOM Cache](/en-US/docs/Web/API/Cache), and so on.
-- The storage access grants are phased out after 30 calendar days passing.
+- The storage access grants are phased out after 30 calendar days have passed.
 
 Documentation for Firefox's new storage access policy for blocking tracking cookies includes [a detailed description](/en-US/docs/Web/Privacy/Storage_Access_Policy#storage_access_grants) of the scope of storage access grants.
 
 ### Safari
 
-- The storage access grants are phased out after 30 days of browser usage passed without user interaction. Successful use of the storage access API resets this counter.
+- The storage access grants are phased out after 30 days of browser usage passed without user interaction. Successful use of the Storage Access API resets this counter.
+
+## Examples
+
+See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for an implementation guide, with code examples.
 
 ## API methods
 
 - {{domxref("Document.hasStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party storage.
+  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies.
 - {{domxref("Document.requestStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves if the access to first-party storage was granted, and rejects if access was denied.
+  - : Returns a {{jsxref("Promise")}} that resolves if the access to first-party cookies was granted, and rejects if access was denied.
+
+> **Note:** User interaction propagates to the promise returned by both of these methods, allowing the callers to take actions that require user interaction without requiring a second click from the user. For example, a caller could open a pop-up window from the resolved promise without triggering Firefox's pop-up blocker.
+
+### Additions to other APIs
 
-> **Note:** User interaction propagates to the Promise returned by both of these methods, allowing the callers to take actions that require user interaction without requiring a second click from the user. For example, a caller could open a pop-up window from the resolved Promise without triggering Firefox's pop-up blocker.
+- {{domxref("Permissions.query()")}}
+  - : You can call `Permissions.query()` with a value of `"storage-access"` to query whether Storage Access API permission has been granted (note, this refers to the API itself, rather than access to first-party cookies). If so, you can call `requestStorageAccess()` without a user interaction, and the promise will resolve automatically.
 
 ## Specifications
 
diff --git a/files/en-us/web/api/storage_access_api/using/index.md b/files/en-us/web/api/storage_access_api/using/index.md
index 7bb240f572447f4..e459dfbbe8e6fbb 100644
--- a/files/en-us/web/api/storage_access_api/using/index.md
+++ b/files/en-us/web/api/storage_access_api/using/index.md
@@ -6,17 +6,17 @@ page-type: guide
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) should be used by embedded cross-origin documents to verify whether they have access to their first-party storage and, if not, to request access. We'll briefly look at a common storage access scenario.
+The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) should be used by embedded cross-site documents to verify whether they have access to their first-party cookies and, if not, to request access. We'll briefly look at a common storage access scenario.
 
 ## Usage notes
 
-The Storage Access API is designed to allow embedded content to request access to storage that would otherwise be blocked when a user's browser is set to block all third-party cookies. Since embedded content won't know which storage policy is in use by the user, it's best to always check whether the embedded frame has storage access before attempting to read or write from storage. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookies are blocked.
+The Storage Access API is designed to allow embedded content to request access to first-party cookies — most modern browsers block such access by default to protect user privacy. Since embedded content won't know what a browser's behavior is going to be in this regard, it's best to always check whether the embedded {{htmlelement("iframe")}} has storage access before attempting to read or write a cookie. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookies are blocked.
 
-In the example below, we show how an embedded cross-origin {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookies.
+In the example below, we show how an embedded cross-site {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookies.
 
 ## Allowing a sandboxed \<iframe> to use the API
 
-First of all, if the `<iframe>` is sandboxed, the embedding website needs to add the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox) to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to call the API, and execute in an origin that can have cookies:
+First of all, if the `<iframe>` is sandboxed, the embedding website needs to add the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox) to allow Storage Access API requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to execute a script to call the API and execute it in an origin that can have cookies:
 
 ```html
 <iframe sandbox="allow-storage-access-by-user-activation
@@ -28,48 +28,61 @@ First of all, if the `<iframe>` is sandboxed, the embedding website needs to add
 
 ## Checking and requesting storage access
 
-Now on to the code executed inside the embedded document. Since it does not know whether it currently has access to storage, it should first call {{domxref("Document.hasStorageAccess()")}}. If that call returns `false`, we can then call {{domxref("Document.requestStorageAccess()")}}, returning the result so that then we can chain it onto the previous promise call. In the final `then`, we'll have first-party storage access.
+Now on to the code executed inside the embedded document. In this code:
+
+1. We first use feature detection (`if (document.hasStorageAccess === null) {}`) to check whether the API is supported. If not, we run our code that uses first-party cookie access anyway, and hope that it works. It should be coded defensively to deal with such eventualities anyway.
+2. If the API is supported, we call {{domxref("Permissions.query()")}} to check whether permission to use the Storage Access API has already been granted. If so, we can just call `requestStorageAccess()` without a user interaction to opt in to access to first-party cookies and it will resolve automatically, saving the user some time.
+3. If storage access has not been granted, we call {{domxref("Document.hasStorageAccess()")}}.
+4. If that call returns `true`, it means that the embedded code already has access, so we can run our code that uses first-party cookie access right away.
+5. If that call returns `false`, we can then call {{domxref("Document.requestStorageAccess()")}} in a user interaction, returning the result so that then we can chain it onto the previous promise call. In the final `then`, we'll have first-party cookie access.
 
 ```js
 function doThingsWithFirstPartyStorageAccess() {
-  // Let's access some items from the first-party cookie jar
+  // Let's access an item from the first-party cookie jar
   document.cookie = "foo=bar"; // set a cookie
-  localStorage.setItem("username", "John"); // access a localStorage entry
 }
 
-if (document.hasStorageAccess == null) {
-  // This browser doesn't support the Storage Access API, so let's just hope we have access!
+if (document.hasStorageAccess === null) {
+  // This browser doesn't support the Storage Access API
+  // so let's just hope we have access!
   doThingsWithFirstPartyStorageAccess();
 } else {
-  document.hasStorageAccess().then((hasAccess) => {
-    if (hasAccess) {
-      // We already have access, so let's do things right away!
-      doThingsWithFirstPartyStorageAccess();
+  // First use permissions.query() to check whether storage access
+  // has already been granted
+  navigator.permissions.query({ name: "storage-access" }).then((result) => {
+    if (result.state === "granted") {
+      // If so, you can just call requestStorageAccess() without a user interaction,
+      // and it will resolve automatically.
+      document
+        .requestStorageAccess()
+        .then(() => {
+          doThingsWithFirstPartyStorageAccess();
+        })
     } else {
-      // As we don't have access, we need to request it. This request has to happen within
-      // an event handler for a user interaction (e.g., clicking)
-      btn.addEventListener("click", () => {
-        document
-          .requestStorageAccess()
-          .then(() => {
-            doThingsWithFirstPartyStorageAccess();
-          })
-          .catch((err) => {
-            // If there is an error obtaining storage access.
-            console.error("Error obtaining storage access", err);
+      document.hasStorageAccess().then((hasAccess) => {
+        if (hasAccess) {
+          // We already have access, so let's do things right away!
+          doThingsWithFirstPartyStorageAccess();
+        } else {
+          // As we don't have access, we need to request it. This request has
+          // to happen within an event handler for a user interaction (e.g., clicking)
+          btn.addEventListener("click", () => {
+            document
+              .requestStorageAccess()
+              .then(() => {
+                doThingsWithFirstPartyStorageAccess();
+              })
+              .catch((err) => {
+                // If there is an error obtaining storage access.
+                console.error(`Error obtaining storage access: ${err}.
+                               Please sign in.`);
+              });
           });
+        }
       });
     }
   });
 }
 ```
 
-## Transient activation required
-
-Note that access requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}). The above code therefore needs to be run inside some kind of user gesture-based event handler, for example:
-
-```js
-btn.addEventListener("click", () => {
-  // run code here
-});
-```
+> **Note:** `requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}). They therefore need to be run inside some kind of user gesture-based event handler, as shown above
diff --git a/files/en-us/web/html/element/iframe/index.md b/files/en-us/web/html/element/iframe/index.md
index dfc83179e67a5b0..6d5115d335def8c 100644
--- a/files/en-us/web/html/element/iframe/index.md
+++ b/files/en-us/web/html/element/iframe/index.md
@@ -84,7 +84,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
     - `allow-presentation`: Allows embedders to have control over whether an iframe can start a [presentation session](/en-US/docs/Web/API/PresentationRequest).
     - `allow-same-origin`: If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
     - `allow-scripts`: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
-    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its client-side storage.
+    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its first-party cookies.
     - `allow-top-navigation`: Lets the resource navigate the top-level browsing context (the one named `_top`).
     - `allow-top-navigation-by-user-activation`: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
     - `allow-top-navigation-to-custom-protocols`: Allows navigations to non-`http` protocols built into browser or [registered by a website](/en-US/docs/Web/API/Navigator/registerProtocolHandler/Web-based_protocol_handlers). This feature is also activated by `allow-popups` or `allow-top-navigation` keyword.
diff --git a/files/en-us/web/http/headers/permissions-policy/index.md b/files/en-us/web/http/headers/permissions-policy/index.md
index 432ceeb70c26f1e..096522ade5e7edd 100644
--- a/files/en-us/web/http/headers/permissions-policy/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/index.md
@@ -175,7 +175,7 @@ You can specify
 
 - {{httpheader("Permissions-Policy/storage-access", "storage-access")}} {{Experimental_Inline}}
 
-  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its client-side storage.
+  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its first-party cookies.
 
 - {{httpheader('Permissions-Policy/usb', 'usb')}} {{Experimental_Inline}}
 
diff --git a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
index 31f0c653dac4042..eeaee8e43158362 100644
--- a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
@@ -9,9 +9,9 @@ browser-compat: http.headers.Permissions-Policy.storage-access
 
 {{HTTPSidebar}}{{SeeCompatTable}}
 
-The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its client-side storage.
+The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its first-party cookies.
 
-This is relevant to user agents that by default block access to client-side storage by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking).
+This is relevant to user agents that by default block access to first-party cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking).
 
 Specifically, where a defined policy blocks use of this feature, {{domxref("Document.requestStorageAccess()")}} calls will return a {{jsxref("Promise")}} that rejects with a {{domxref("DOMException")}} of type `NotAllowedError`.
 

From 7117d08d4309840681d0129c121820b0b0555e44 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Wed, 10 May 2023 11:41:30 +0100
Subject: [PATCH 03/11] updates made according to cfredric review comments

---
 .../api/document/hasstorageaccess/index.md    | 10 +--
 files/en-us/web/api/document/index.md         |  4 +-
 .../document/requeststorageaccess/index.md    |  8 +--
 .../en-us/web/api/storage_access_api/index.md | 28 +++++----
 .../web/api/storage_access_api/using/index.md | 63 ++++++++++---------
 files/en-us/web/html/element/iframe/index.md  |  2 +-
 .../http/headers/permissions-policy/index.md  |  2 +-
 .../storage-access/index.md                   |  4 +-
 8 files changed, 62 insertions(+), 59 deletions(-)

diff --git a/files/en-us/web/api/document/hasstorageaccess/index.md b/files/en-us/web/api/document/hasstorageaccess/index.md
index 65cde9c65cd4a0e..5f57390dd140342 100644
--- a/files/en-us/web/api/document/hasstorageaccess/index.md
+++ b/files/en-us/web/api/document/hasstorageaccess/index.md
@@ -8,7 +8,7 @@ browser-compat: api.Document.hasStorageAccess
 
 {{APIRef("Storage Access API")}}
 
-The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies.
+The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies.
 
 This method is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
@@ -24,12 +24,12 @@ None.
 
 ### Return value
 
-A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies — `true` if it does, and `false` if not.
+A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies — `true` if it does, and `false` if not.
 
-The result returned by this method can be inaccurate in a couple of specific circumstances:
+The result returned by this method can be inaccurate in a couple of circumstances:
 
-1. The user may have browser settings active that block cookies entirely — in this case `true` may be returned even though first-party cookies are still inaccessible. To handle such a situation, you are advised to gracefully handle any errors resulting in cookie values being unretrievable, for example by telling the user that unfortunately access to their personalized settings was blocked, and inviting them to sign-in again to make use of them.
-2. The browser might not block third-party cookies by default — in this case `false` may be returned even though first-party cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). This situation will probably only arise in older browsers that don't support `hasStorageAccess()` anyway, so can be handled using feature detection.
+1. The user may have browser settings active that block cookies entirely — in this case `true` may be returned even though cookies are still inaccessible. To handle such a situation, you are advised to gracefully handle any errors resulting in cookie values being unretrievable, for example by telling the user that unfortunately access to their personalized settings was blocked, and inviting them to sign-in again to make use of them.
+2. The browser might not block third-party cookie access by default — in this case `false` may be returned even though cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). This situation is not too hard to handle, as a `Document.requestStorageAccess()` call will resolve successfully when third-party cookies are not blocked, and your code can continue to run.
 
 > **Note:** If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.
 
diff --git a/files/en-us/web/api/document/index.md b/files/en-us/web/api/document/index.md
index 94652dd7ec23a0c..4d953fb5cb5f0ba 100644
--- a/files/en-us/web/api/document/index.md
+++ b/files/en-us/web/api/document/index.md
@@ -241,7 +241,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.getSelection()")}}
   - : Returns a {{DOMxRef('Selection')}} object representing the range of text selected by the user, or the current position of the caret.
 - {{DOMxRef("Document.hasStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies.
+  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies.
 - {{DOMxRef("Document.importNode()")}}
   - : Returns a clone of a node from an external document.
 - {{DOMxRef("Document.prepend()")}}
@@ -257,7 +257,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.replaceChildren()")}}
   - : Replaces the existing children of a document with a specified new set of children.
 - {{DOMxRef("Document.requestStorageAccess()")}}
-  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to first-party cookies, in cases where user agents by default block access to first-party cookies by sites loaded in a third-party context to improve privacy.
+  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to cookies, in cases where user agents by default block access to cookies by sites loaded in a third-party context to improve privacy.
 - {{domxref("Document.startViewTransition()")}} {{Experimental_Inline}}
   - : Starts a new {{domxref("View Transitions API", "view transition", "", "nocode")}} and returns a {{domxref("ViewTransition")}} object to represent it.
 - {{DOMxRef("Document.mozSetImageElement()")}} {{Non-standard_Inline}}
diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md
index 787bcf394590f70..466f8ac5de3386b 100644
--- a/files/en-us/web/api/document/requeststorageaccess/index.md
+++ b/files/en-us/web/api/document/requeststorageaccess/index.md
@@ -8,9 +8,9 @@ browser-compat: api.Document.requestStorageAccess
 
 {{APIRef("DOM")}}
 
-The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to its first-party cookies.
+The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to cookies.
 
-This is relevant to user agents that by default block access to first-party cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+This is relevant to user agents that by default block access to cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
 > **Note:** Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. In addition, the document must pass additional browser-specific checks such as allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 
@@ -26,9 +26,9 @@ None.
 
 ### Return value
 
-A {{jsxref("Promise")}} that fulfills with `undefined` if the access to first-party cookies was granted, and rejects if access was denied.
+A {{jsxref("Promise")}} that fulfills with `undefined` if the access to cookies was granted, and rejects if access was denied.
 
-`requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}). They therefore need to be run inside some kind of user gesture-based event handler. The user gesture behavior depends on the state of the promise:
+`requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside some kind of user gesture-based event handler. The user gesture behavior depends on the state of the promise:
 
 - If the promise resolves (i.e. if permission was granted), then the user gesture has not been consumed, so the script can subsequently call APIs that require a user gesture.
 - If the promise rejects (i.e. permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is an intentional protection against abuse — it prevents scripts from calling `requestStorageAccess()` in a loop until the user accepts the prompt.
diff --git a/files/en-us/web/api/storage_access_api/index.md b/files/en-us/web/api/storage_access_api/index.md
index 1e8e39b5c3fb891..85beb2508d30fc5 100644
--- a/files/en-us/web/api/storage_access_api/index.md
+++ b/files/en-us/web/api/storage_access_api/index.md
@@ -9,27 +9,27 @@ browser-compat:
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The Storage Access API provides a way for cross-site content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to cookies that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab; we refer to these as an origin's _first-party_ cookies).
+The Storage Access API provides a way for cross-site content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to cookies that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab).
 
-This is relevant to user agents that by default block access to firsty-party cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking). There are legitimate uses of first-party cookie access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details across different sites such as location data or viewing preferences.
+This is relevant to user agents that by default block access to cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking). There are legitimate uses for cookie access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details such as location data or viewing preferences across different sites.
 
-The API provides methods that allow embedded resources to check whether they currently have access to their first-party cookies, and to request access to their first-party cookies from the user agent.
+The API provides methods that allow embedded resources to check whether they currently have access to cookies, and to request access to cookies from the user agent.
 
 > **Note:** The _Storage Access API_ name may seem like somewhat of a misnomer, given that it only provides access to cookies, and not other client-side storage mechanisms such as {{domxref("Web_Storage_API", "Web Storage", "", "nocode")}} or {{domxref("IndexedDB_API", "IndexedDB", "", "nocode")}}. The name has been kept generic because it may provide access to other forms of client-side storage in the future.
 
 ## Concepts and usage
 
-Most browsers implement a number of storage access features and policies that restrict access to cookies for embedded, cross-site resources. These range from giving embedded resources under each top-level origin a unique cookie storage space (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies)) to outright blocking of cookie access when resources are loaded in a third-party context.
+Most browsers implement a number of storage access features and policies that restrict access to cookies by embedded, cross-site resources. These range from giving embedded resources under each top-level origin a unique cookie storage space, also known as _partitioned cookies_ (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies) or [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-androids-new-privacy-feature-total-cookie-protection-stops-companies-from-keeping-tabs-on-your-moves/)) to outright blocking of cookie access when resources are loaded in a third-party context.
 
-The semantics around third-party cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-site resources embedded in a third-party context are not given access to the same cookies that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
+The semantics around cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-site resources embedded in a third-party context are not given access to the same cookies that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
 
-However, there are legitimate uses for embedded cross-site content accessing first-party cookies, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies stored in first-party storage, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
+However, there are legitimate uses for embedded cross-site content accessing cookies, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
 
-The Storage Access API is intended to solve this problem; embedded cross-site content can request unrestricted access to its first-party cookies on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
+The Storage Access API is intended to solve this problem; embedded cross-site content can request unrestricted access to cookies on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
 
 ## How it works
 
-As explained above, modern browsers implement various features and policies to restrict or block access to first-party cookies by embedded content. Such content that has a legitimate need for first-party cookie access can get around this problem as follows:
+As explained above, modern browsers implement various features and policies to restrict or block access to cookies by embedded content. Such content that has a legitimate need for cookie access can get around this problem using the Storage Access API as follows:
 
 1. It can call the {{domxref("Document.hasStorageAccess()")}} method to check whether it has the access it needs already.
 2. If not, it can request access via the {{domxref("Document.requestStorageAccess()")}} method.
@@ -47,6 +47,8 @@ As explained above, modern browsers implement various features and policies to r
 
 > **Note:** The only exception to the "blocked by default" behavior is when a content embed makes a successful `requestStorageAccess()`, but then performs a same-origin navigation (for example reloading itself). In such cases, the storage access is carried over from the previous navigation.
 
+> **Note:** In cases where a top-level site has its cookies partitioned (for example via [CHIPS](/en-US/docs/Web/Privacy/Partitioned_cookies) or [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-androids-new-privacy-feature-total-cookie-protection-stops-companies-from-keeping-tabs-on-your-moves/)), the Storage Access API isn't required, as sharing the cookies by default has no privacy risk.
+
 ## Security measures
 
 There are a number of different related security measures that could cause a {{domxref("Document.requestStorageAccess()")}} call to fail. Check the below list if you are having trouble getting a request to work:
@@ -80,8 +82,8 @@ Although the API surface is the same, websites using the Storage Access API shou
 
 Design properties unique to Firefox are summarized here:
 
-- If the embedded origin `tracker.example` has already obtained first-party cookie access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have cookie access immediately when loading.
-- If an embedded page from `tracker.example` has previously successfully obtained cookie access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their first-party storage, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
+- If the embedded origin `tracker.example` has already obtained cookie access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have cookie access immediately when loading.
+- If an embedded page from `tracker.example` has previously successfully obtained cookie access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their cookies, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
 - In Firefox, when the promise returned from `requestStorageAccess()` is resolved, the embedded page will gain access to its entire first-party storage, not just cookies. This includes access to APIs such as [Web Storage](/en-US/docs/Web/API/Web_Storage_API), [IndexedDB](/en-US/docs/Web/API/IndexedDB_API), [DOM Cache](/en-US/docs/Web/API/Cache), and so on.
 - The storage access grants are phased out after 30 calendar days have passed.
 
@@ -98,16 +100,16 @@ See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using)
 ## API methods
 
 - {{domxref("Document.hasStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to its first-party cookies.
+  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies.
 - {{domxref("Document.requestStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves if the access to first-party cookies was granted, and rejects if access was denied.
+  - : Returns a {{jsxref("Promise")}} that resolves if the access to cookies was granted, and rejects if access was denied.
 
 > **Note:** User interaction propagates to the promise returned by both of these methods, allowing the callers to take actions that require user interaction without requiring a second click from the user. For example, a caller could open a pop-up window from the resolved promise without triggering Firefox's pop-up blocker.
 
 ### Additions to other APIs
 
 - {{domxref("Permissions.query()")}}
-  - : You can call `Permissions.query()` with a value of `"storage-access"` to query whether Storage Access API permission has been granted (note, this refers to the API itself, rather than access to first-party cookies). If so, you can call `requestStorageAccess()` without a user interaction, and the promise will resolve automatically.
+  - : You can call `Permissions.query()` with a value of `"storage-access"` to query whether cookie access has been granted in general, i.e. to another same-site embed. If so, you can call `requestStorageAccess()` without a user interaction, and the promise will resolve automatically.
 
 ## Specifications
 
diff --git a/files/en-us/web/api/storage_access_api/using/index.md b/files/en-us/web/api/storage_access_api/using/index.md
index e459dfbbe8e6fbb..1baaa53f466ef65 100644
--- a/files/en-us/web/api/storage_access_api/using/index.md
+++ b/files/en-us/web/api/storage_access_api/using/index.md
@@ -6,13 +6,13 @@ page-type: guide
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) should be used by embedded cross-site documents to verify whether they have access to their first-party cookies and, if not, to request access. We'll briefly look at a common storage access scenario.
+The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) can be used by embedded cross-site documents to verify whether they have access to cookies and, if not, to request access. We'll briefly look at a common storage access scenario.
 
 ## Usage notes
 
-The Storage Access API is designed to allow embedded content to request access to first-party cookies — most modern browsers block such access by default to protect user privacy. Since embedded content won't know what a browser's behavior is going to be in this regard, it's best to always check whether the embedded {{htmlelement("iframe")}} has storage access before attempting to read or write a cookie. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookies are blocked.
+The Storage Access API is designed to allow embedded content to request access to cookies — most modern browsers block such access by default to protect user privacy. Since embedded content won't know what a browser's behavior is going to be in this regard, it's best to always check whether the embedded {{htmlelement("iframe")}} has storage access before attempting to read or write a cookie. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookie access is blocked.
 
-In the example below, we show how an embedded cross-site {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookies.
+In the example below, we show how an embedded cross-site {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookie access.
 
 ## Allowing a sandboxed \<iframe> to use the API
 
@@ -30,47 +30,46 @@ First of all, if the `<iframe>` is sandboxed, the embedding website needs to add
 
 Now on to the code executed inside the embedded document. In this code:
 
-1. We first use feature detection (`if (document.hasStorageAccess === null) {}`) to check whether the API is supported. If not, we run our code that uses first-party cookie access anyway, and hope that it works. It should be coded defensively to deal with such eventualities anyway.
-2. If the API is supported, we call {{domxref("Permissions.query()")}} to check whether permission to use the Storage Access API has already been granted. If so, we can just call `requestStorageAccess()` without a user interaction to opt in to access to first-party cookies and it will resolve automatically, saving the user some time.
-3. If storage access has not been granted, we call {{domxref("Document.hasStorageAccess()")}}.
-4. If that call returns `true`, it means that the embedded code already has access, so we can run our code that uses first-party cookie access right away.
-5. If that call returns `false`, we can then call {{domxref("Document.requestStorageAccess()")}} in a user interaction, returning the result so that then we can chain it onto the previous promise call. In the final `then`, we'll have first-party cookie access.
+1. We first use feature detection (`if (document.hasStorageAccess === null) {}`) to check whether the API is supported. If not, we run our code that accesses cookies anyway, and hope that it works. It should be coded defensively to deal with such eventualities anyway.
+2. If the API is supported, we call `document.hasStorageAccess()`.
+   3. If that call returns `true`, it means this {{domxref("iframe")}} has already obtained access, and we can run our code that accesses cookies right away.
+   4. If that call returns `false`, we then call {{domxref("Permissions.query()")}} to check whether permission to access cookies has already been granted (i.e. to another same-site embed).
+      5. If the permission state is `"granted"`, we immediately call `document.requestStorageAccess()`. This call will automatically resolve, saving the user some time, then we can run our code that accesses cookies.
+      6. If the permission state is `"prompt"`, we call `document.requestStorageAccess()` after a user interaction. This call may trigger a prompt to the user. If this call resolves, then we can run our code that accesses cookies.
+      7. If the permission state is `"denied"`, then the user has denied our requests to access cookies, so our code cannot make use of them.
 
 ```js
-function doThingsWithFirstPartyStorageAccess() {
-  // Let's access an item from the first-party cookie jar
+function doThingsWithCookies() {
   document.cookie = "foo=bar"; // set a cookie
 }
 
 if (document.hasStorageAccess === null) {
   // This browser doesn't support the Storage Access API
   // so let's just hope we have access!
-  doThingsWithFirstPartyStorageAccess();
+  doThingsWithCookies();
 } else {
-  // First use permissions.query() to check whether storage access
-  // has already been granted
-  navigator.permissions.query({ name: "storage-access" }).then((result) => {
-    if (result.state === "granted") {
-      // If so, you can just call requestStorageAccess() without a user interaction,
-      // and it will resolve automatically.
-      document
-        .requestStorageAccess()
-        .then(() => {
-          doThingsWithFirstPartyStorageAccess();
-        })
+  document.hasStorageAccess().then((hasAccess) => {
+    if (hasAccess) {
+      // We have access to cookies, so let's go
+      doThingsWithCookies();
     } else {
-      document.hasStorageAccess().then((hasAccess) => {
-        if (hasAccess) {
-          // We already have access, so let's do things right away!
-          doThingsWithFirstPartyStorageAccess();
-        } else {
-          // As we don't have access, we need to request it. This request has
-          // to happen within an event handler for a user interaction (e.g., clicking)
+      // Check whether cookie access has been granted to another same-site embed
+      navigator.permissions.query({ name: "storage-access" }).then((result) => {
+        if (result.state === "granted") {
+          // If so, you can just call requestStorageAccess() without a user interaction,
+          // and it will resolve automatically.
+          document
+            .requestStorageAccess()
+            .then(() => {
+              doThingsWithCookies();
+            })
+        } else if (result.state === "prompt") {
+          // Need to call requestStorageAccess() after a user interaction
           btn.addEventListener("click", () => {
             document
               .requestStorageAccess()
               .then(() => {
-                doThingsWithFirstPartyStorageAccess();
+                doThingsWithCookies();
               })
               .catch((err) => {
                 // If there is an error obtaining storage access.
@@ -78,6 +77,8 @@ if (document.hasStorageAccess === null) {
                                Please sign in.`);
               });
           });
+        } else if (result.state === "denied") {
+          // User has denied cookie access, so we'll need to do something else
         }
       });
     }
@@ -85,4 +86,4 @@ if (document.hasStorageAccess === null) {
 }
 ```
 
-> **Note:** `requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}). They therefore need to be run inside some kind of user gesture-based event handler, as shown above
+> **Note:** `requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or if permission was already granted previously. If permission was not previously granted, they need to be run inside some kind of user gesture-based event handler, as shown above.
diff --git a/files/en-us/web/html/element/iframe/index.md b/files/en-us/web/html/element/iframe/index.md
index 6d5115d335def8c..a34490cbbd85c61 100644
--- a/files/en-us/web/html/element/iframe/index.md
+++ b/files/en-us/web/html/element/iframe/index.md
@@ -84,7 +84,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
     - `allow-presentation`: Allows embedders to have control over whether an iframe can start a [presentation session](/en-US/docs/Web/API/PresentationRequest).
     - `allow-same-origin`: If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
     - `allow-scripts`: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
-    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its first-party cookies.
+    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to cookies.
     - `allow-top-navigation`: Lets the resource navigate the top-level browsing context (the one named `_top`).
     - `allow-top-navigation-by-user-activation`: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
     - `allow-top-navigation-to-custom-protocols`: Allows navigations to non-`http` protocols built into browser or [registered by a website](/en-US/docs/Web/API/Navigator/registerProtocolHandler/Web-based_protocol_handlers). This feature is also activated by `allow-popups` or `allow-top-navigation` keyword.
diff --git a/files/en-us/web/http/headers/permissions-policy/index.md b/files/en-us/web/http/headers/permissions-policy/index.md
index 096522ade5e7edd..b483f1e280153fb 100644
--- a/files/en-us/web/http/headers/permissions-policy/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/index.md
@@ -175,7 +175,7 @@ You can specify
 
 - {{httpheader("Permissions-Policy/storage-access", "storage-access")}} {{Experimental_Inline}}
 
-  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its first-party cookies.
+  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to cookies.
 
 - {{httpheader('Permissions-Policy/usb', 'usb')}} {{Experimental_Inline}}
 
diff --git a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
index eeaee8e43158362..16a77e2e067fb78 100644
--- a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
@@ -9,9 +9,9 @@ browser-compat: http.headers.Permissions-Policy.storage-access
 
 {{HTTPSidebar}}{{SeeCompatTable}}
 
-The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to its first-party cookies.
+The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to cookies.
 
-This is relevant to user agents that by default block access to first-party cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking).
+This is relevant to user agents that by default block access to cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking).
 
 Specifically, where a defined policy blocks use of this feature, {{domxref("Document.requestStorageAccess()")}} calls will return a {{jsxref("Promise")}} that rejects with a {{domxref("DOMException")}} of type `NotAllowedError`.
 

From 7ef34dfde0aa2c9b061c58628bf4ce2997c0d0c3 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Mon, 15 May 2023 15:55:13 +0100
Subject: [PATCH 04/11] 2nd round of fixes for cfredric comments

---
 .../api/document/hasstorageaccess/index.md    |  8 +-
 files/en-us/web/api/document/index.md         |  4 +-
 .../document/requeststorageaccess/index.md    |  8 +-
 .../en-us/web/api/storage_access_api/index.md | 52 ++++++------
 .../web/api/storage_access_api/using/index.md | 82 +++++++++----------
 files/en-us/web/html/element/iframe/index.md  |  2 +-
 .../http/headers/permissions-policy/index.md  |  2 +-
 .../storage-access/index.md                   |  4 +-
 8 files changed, 81 insertions(+), 81 deletions(-)

diff --git a/files/en-us/web/api/document/hasstorageaccess/index.md b/files/en-us/web/api/document/hasstorageaccess/index.md
index 5f57390dd140342..40ce9898fbd47cf 100644
--- a/files/en-us/web/api/document/hasstorageaccess/index.md
+++ b/files/en-us/web/api/document/hasstorageaccess/index.md
@@ -8,7 +8,7 @@ browser-compat: api.Document.hasStorageAccess
 
 {{APIRef("Storage Access API")}}
 
-The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies.
+The **`hasStorageAccess()`** method of the {{domxref("Document")}} interface returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to unpartitioned cookies.
 
 This method is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
@@ -24,12 +24,12 @@ None.
 
 ### Return value
 
-A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies — `true` if it does, and `false` if not.
+A {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to unpartitioned cookies — `true` if it does, and `false` if not.
 
 The result returned by this method can be inaccurate in a couple of circumstances:
 
-1. The user may have browser settings active that block cookies entirely — in this case `true` may be returned even though cookies are still inaccessible. To handle such a situation, you are advised to gracefully handle any errors resulting in cookie values being unretrievable, for example by telling the user that unfortunately access to their personalized settings was blocked, and inviting them to sign-in again to make use of them.
-2. The browser might not block third-party cookie access by default — in this case `false` may be returned even though cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). This situation is not too hard to handle, as a `Document.requestStorageAccess()` call will resolve successfully when third-party cookies are not blocked, and your code can continue to run.
+1. The user may have browser settings active that block unpartitioned cookies entirely — in this case `true` may be returned even though unpartitioned cookies are still inaccessible. To handle such a situation, you are advised to gracefully handle any errors resulting in cookie values being unretrievable, for example by telling the user that unfortunately access to their personalized settings was blocked, and inviting them to sign in again to make use of them.
+2. The browser might not block third-party cookie access by default — in this case `false` may be returned even though unpartitioned cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). To get around this issue, you could query {{domxref("Document.cookie")}} to find out whether your cookies are accessible, and call {{domxref("Document.requestStorageAccess()")}} if they are not.
 
 > **Note:** If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.
 
diff --git a/files/en-us/web/api/document/index.md b/files/en-us/web/api/document/index.md
index 4d953fb5cb5f0ba..f6f41acbadbcfb0 100644
--- a/files/en-us/web/api/document/index.md
+++ b/files/en-us/web/api/document/index.md
@@ -241,7 +241,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.getSelection()")}}
   - : Returns a {{DOMxRef('Selection')}} object representing the range of text selected by the user, or the current position of the caret.
 - {{DOMxRef("Document.hasStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies.
+  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to unpartitioned cookies.
 - {{DOMxRef("Document.importNode()")}}
   - : Returns a clone of a node from an external document.
 - {{DOMxRef("Document.prepend()")}}
@@ -257,7 +257,7 @@ _This interface also inherits from the {{DOMxRef("Node")}} and {{DOMxRef("EventT
 - {{DOMxRef("Document.replaceChildren()")}}
   - : Replaces the existing children of a document with a specified new set of children.
 - {{DOMxRef("Document.requestStorageAccess()")}}
-  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to cookies, in cases where user agents by default block access to cookies by sites loaded in a third-party context to improve privacy.
+  - : Allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to unpartitioned cookies, in cases where user agents by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy.
 - {{domxref("Document.startViewTransition()")}} {{Experimental_Inline}}
   - : Starts a new {{domxref("View Transitions API", "view transition", "", "nocode")}} and returns a {{domxref("ViewTransition")}} object to represent it.
 - {{DOMxRef("Document.mozSetImageElement()")}} {{Non-standard_Inline}}
diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md
index 466f8ac5de3386b..2532e2643b6b7a1 100644
--- a/files/en-us/web/api/document/requeststorageaccess/index.md
+++ b/files/en-us/web/api/document/requeststorageaccess/index.md
@@ -8,9 +8,9 @@ browser-compat: api.Document.requestStorageAccess
 
 {{APIRef("DOM")}}
 
-The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to cookies.
+The **`requestStorageAccess()`** method of the {{domxref("Document")}} interface allows a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to request access to unpartitioned cookies.
 
-This is relevant to user agents that by default block access to cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+This is relevant to user agents that by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking), and is part of the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
 
 > **Note:** Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. In addition, the document must pass additional browser-specific checks such as allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 
@@ -26,12 +26,12 @@ None.
 
 ### Return value
 
-A {{jsxref("Promise")}} that fulfills with `undefined` if the access to cookies was granted, and rejects if access was denied.
+A {{jsxref("Promise")}} that fulfills with `undefined` if the access to unpartitioned cookies was granted, and rejects if access was denied.
 
 `requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside some kind of user gesture-based event handler. The user gesture behavior depends on the state of the promise:
 
 - If the promise resolves (i.e. if permission was granted), then the user gesture has not been consumed, so the script can subsequently call APIs that require a user gesture.
-- If the promise rejects (i.e. permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is an intentional protection against abuse — it prevents scripts from calling `requestStorageAccess()` in a loop until the user accepts the prompt.
+- If the promise rejects (i.e. permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is intentional protection against abuse — it prevents scripts from calling `requestStorageAccess()` in a loop until the user accepts the prompt.
 
 ### Exceptions
 
diff --git a/files/en-us/web/api/storage_access_api/index.md b/files/en-us/web/api/storage_access_api/index.md
index 85beb2508d30fc5..20aa3bf0d937e98 100644
--- a/files/en-us/web/api/storage_access_api/index.md
+++ b/files/en-us/web/api/storage_access_api/index.md
@@ -9,40 +9,42 @@ browser-compat:
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The Storage Access API provides a way for cross-site content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to cookies that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab).
+The Storage Access API provides a way for cross-site content loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) to gain access to _unpartitioned cookies_ that it would normally only have access to in a first-party context (i.e. when loaded directly in a browser tab).
 
-This is relevant to user agents that by default block access to cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking). There are legitimate uses for cookie access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details such as location data or viewing preferences across different sites.
+> **Note:** When we say _unpartitioned cookies_, we are talking about cookies stored in the traditional way they have historically been stored since the early web — all cookies set on the same site are stored in the same cookie jar. This is in contrast to _partitioned cookies_, where embedded resources under each top-level origin are given a unique cookie storage space (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies)).
 
-The API provides methods that allow embedded resources to check whether they currently have access to cookies, and to request access to cookies from the user agent.
+The Storage Access API is relevant to user agents that by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy (for example, to prevent tracking). There are legitimate uses for unpartitioned cookie access by third-party content that we still want to enable, even with these default restrictions in place. Examples include SSO with federated IdPs, or persisting user details such as location data or viewing preferences across different sites.
+
+The API provides methods that allow embedded resources to check whether they currently have access to unpartitioned cookies and, if not, to request access from the user agent.
 
 > **Note:** The _Storage Access API_ name may seem like somewhat of a misnomer, given that it only provides access to cookies, and not other client-side storage mechanisms such as {{domxref("Web_Storage_API", "Web Storage", "", "nocode")}} or {{domxref("IndexedDB_API", "IndexedDB", "", "nocode")}}. The name has been kept generic because it may provide access to other forms of client-side storage in the future.
 
 ## Concepts and usage
 
-Most browsers implement a number of storage access features and policies that restrict access to cookies by embedded, cross-site resources. These range from giving embedded resources under each top-level origin a unique cookie storage space, also known as _partitioned cookies_ (see for example [Cookies Having Independent Partitioned State (CHIPS)](/en-US/docs/Web/Privacy/Partitioned_cookies) or [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-androids-new-privacy-feature-total-cookie-protection-stops-companies-from-keeping-tabs-on-your-moves/)) to outright blocking of cookie access when resources are loaded in a third-party context.
+Browsers implement several storage access features and policies that restrict access to unpartitioned cookies by embedded, cross-site resources. These range from giving embedded resources under each top-level origin a unique cookie storage space (_partitioned cookies_), to outright blocking of cookie access when resources are loaded in a third-party context.
 
-The semantics around cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-site resources embedded in a third-party context are not given access to the same cookies that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
+The semantics around unpartitioned cookie blocking features/policies differ from browser to browser, but the core functionality is similar: cross-site resources embedded in a third-party context are not given access to the same cookies that they would have access to when loaded in a first-party context. This is done with good intent — browser vendors want to take steps to better protect their user's privacy and security, for example leaving them less open to having their activity tracked across different sites, and less vulnerable to exploits such as cross-site request forgery ({{glossary("CSRF")}}).
 
-However, there are legitimate uses for embedded cross-site content accessing cookies, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
+However, there are legitimate uses for embedded cross-site content accessing unpartitioned cookies, which the above features/policies are known to break. As an example, federated logins often require access to authentication cookies, and will require the user to sign in on each site separately (or completely break) if those cookies are not available. As a result, site owners often encourage users to add their site as an exception or to disable such policies entirely. Users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
 
-The Storage Access API is intended to solve this problem; embedded cross-site content can request unrestricted access to cookies on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
+The Storage Access API is intended to solve this problem; embedded cross-site content can request unrestricted access to unpartitioned cookies on a frame-by-frame basis, for a particular top-level embedding site, via the {{domxref("Document.requestStorageAccess()")}} method. It can also check whether it already has access via the {{domxref("Document.hasStorageAccess()")}} method.
 
 ## How it works
 
-As explained above, modern browsers implement various features and policies to restrict or block access to cookies by embedded content. Such content that has a legitimate need for cookie access can get around this problem using the Storage Access API as follows:
+As explained above, modern browsers implement various features and policies to restrict or block access to unpartitioned cookies by embedded content. Such content that has a legitimate need for cookie access can get around this problem using the Storage Access API as follows:
 
 1. It can call the {{domxref("Document.hasStorageAccess()")}} method to check whether it has the access it needs already.
 2. If not, it can request access via the {{domxref("Document.requestStorageAccess()")}} method.
-3. Depending on the browser, the user will be asked whether to grant access to the requesting embed in slightly differing ways.
-   - Safari shows prompts for all embedded tracking content that has not previously received storage access.
-   - Firefox only prompts users after a tracking origin has requested storage access on more than a threshold number of sites.
+3. Depending on the browser, the user will be asked whether to grant access to the requesting embed in slightly different ways.
+   - Safari shows prompts for all embedded content that has not previously received storage access.
+   - Firefox only prompts users after an origin has requested storage access on more than a threshold number of sites.
    - At the time of writing, Chrome doesn't prompt the user. Instead, it only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href="https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/">first-party set</a>. This behavior will change as the implementation is developed further.
 4. Access is granted or denied based on whether the content meets all the security requirements (see [Security measures](#security_measures), below). The {{jsxref("Promise")}}-based nature of `requestStorageAccess()` allows you to run code to handle success and failure cases.
-   - Modern spec behavior dictates that access is granted **per-frame** — every separate content embed has its cookie access blocked by default, and needs to call `requestStorageAccess()` to opt in to access. If a content embed has received access, and same-site embeds then call `requestStorageAccess()`, their promises will fulfill automatically. But they still need to opt in.
-   - In older versions of the spec, the access was **per-page**. As soon as one embed received cookie access via `requestStorageAccess()`, all other same-site embeds would automatically receive access. This was not desirable behavior from a security standpoint — for example if `shop.example.com` embedded `locator.users.com` to allow users to use their location info while shopping, and `locator.users.com` called `requestStorageAccess()`, `shop.example.com` and any other sites it embeds would be able to access its cookies, but also access cookies from `private.users.com`, which is not intended to be embedded. [Read more about the motivations](https://github.com/privacycg/storage-access/issues/113) behind this change.
+   - Modern spec behavior dictates that access is granted **per-frame** — every separate content embed has its unpartitioned cookie access blocked by default, and needs to call `requestStorageAccess()` to opt-in to access. If a content embed has received access, and same-site embeds then call `requestStorageAccess()`, their promises will fulfill automatically. But they still need to opt-in.
+   - In older versions of the spec, the access was **per-page**. As soon as one embed received unpartitioned cookie access via `requestStorageAccess()`, all other same-site embeds would automatically receive access. This was not desirable behavior from a security standpoint — for example, if `shop.example.com` embedded `locator.users.com` to allow users to use their location info while shopping, and `locator.users.com` called `requestStorageAccess()`, `shop.example.com` and any other sites it embeds would be able to access its cookies, but also access cookies from `private.users.com`, which is not intended to be embedded. [Read more about the motivations](https://github.com/privacycg/storage-access/issues/113) behind this change.
    - Consult the [Browser compatibility information](#browser_compatibility) to see which browsers implement which behavior.
 5. Once access is granted, a permission key is stored in the browser with the structure `<top-level site, embedded site>`. For example, if the embedding site is `embedder.com`, and the embed is `locator.example.com`, the key would be `<embedder.com, example.com>`. Same-site embeds (`docs.example.com`, `profile.example.com`, etc.) would then be able to call `requestStorageAccess()` and the promise would fulfill automatically, as mentioned earlier.
-   - Older versions of the spec used the more specific permission key structure `<top-level site, embedded origin>`, which meant that same-site embeds didn't match the permission key and had to go through the whole process separately.
+   - Older versions of the spec used the more specific permission key structure `<top-level site, embedded origin>`, which meant that same-site, cross-origin embeds didn't match the permission key and had to go through the whole process separately.
    - At the time of writing, only Chromium browsers had implemented the new behavior.
 
 > **Note:** The only exception to the "blocked by default" behavior is when a content embed makes a successful `requestStorageAccess()`, but then performs a same-origin navigation (for example reloading itself). In such cases, the storage access is carried over from the previous navigation.
@@ -51,13 +53,13 @@ As explained above, modern browsers implement various features and policies to r
 
 ## Security measures
 
-There are a number of different related security measures that could cause a {{domxref("Document.requestStorageAccess()")}} call to fail. Check the below list if you are having trouble getting a request to work:
+Several different security measures could cause a {{domxref("Document.requestStorageAccess()")}} call to fail. Check the below list if you are having trouble getting a request to work:
 
 1. The call must be associated with a user gesture ({{Glossary("transient activation")}}) such as a tap or click. This prevents embedded content on the page from spamming the browser or user with excessive access requests. Note that this isn't required if:
    - Permission to use the API has already been granted, for example by another same-site resource calling `requestStorageAccess()`.
-   - The caller is a top-level document, or same-site to the top-level document. In such cases, `requestStorageAccess()` probably doesn't need to be called at all.
+   - The caller is a top-level document or same-site to the top-level document. In such cases, `requestStorageAccess()` probably doesn't need to be called at all.
 2. The document and top-level document must not have a `null` origin.
-3. Origins that have never been interacted with as a first party do not have a notion of first-party storage. From the user's perspective, they only have a third-party relationship with that origin. Access requests are automatically denied if the browser detects that the user hasn't interacted with the embedded content in a first-party context recently (in Firefox, "recently" is "within 30 days").
+3. Origins that have never been interacted with as a first party do not have a notion of first-party storage. From the user's perspective, they only have a third-party relationship with that origin. Access requests are automatically denied if the browser detects that the user hasn't interacted with the embedded content in a first-party context recently (in Firefox, "recently" means within 30 days).
 4. The document's window must be a [secure context](/en-US/docs/Web/Security/Secure_Contexts).
 5. Sandboxed {{htmlelement("iframe")}}s cannot be granted storage access by default for security reasons. The API therefore also adds the `allow-storage-access-by-user-activation` [sandbox token](/en-US/docs/Web/HTML/Element/iframe#sandbox). The embedding website needs to add this to allow storage access requests to be successful, along with `allow-scripts` and `allow-same-origin` to allow it to execute a script to call the API and execute it in an origin that can have cookies:
 
@@ -76,15 +78,15 @@ There are a number of different related security measures that could cause a {{d
 
 ## Browser storage access policy variations
 
-Although the API surface is the same, websites using the Storage Access API should expect differences in the level and extent of cookie access they receive between different browsers, due to differences in their storage access policies.
+Although the API surface is the same, websites using the Storage Access API should expect differences in the level and extent of unpartitioned cookie access they receive between different browsers, due to differences in their storage access policies.
 
 ### Firefox
 
 Design properties unique to Firefox are summarized here:
 
-- If the embedded origin `tracker.example` has already obtained cookie access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have cookie access immediately when loading.
-- If an embedded page from `tracker.example` has previously successfully obtained cookie access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their cookies, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
-- In Firefox, when the promise returned from `requestStorageAccess()` is resolved, the embedded page will gain access to its entire first-party storage, not just cookies. This includes access to APIs such as [Web Storage](/en-US/docs/Web/API/Web_Storage_API), [IndexedDB](/en-US/docs/Web/API/IndexedDB_API), [DOM Cache](/en-US/docs/Web/API/Cache), and so on.
+- If the embedded origin `tracker.example` has already obtained unpartitioned cookie access on the top-level origin `foo.example`, and the user visits a page from `foo.example` embedding a page from `tracker.example` again in less than 30 days, the embedded origin will have unpartitioned cookie access immediately when loading.
+- If an embedded page from `tracker.example` has previously successfully obtained unpartitioned cookie access on top-level origin `foo.example`, all embedded subresources from `tracker.example` on `foo.example` (e.g. scripts, images, stylesheets, etc.) will load with access to their cookies, which means they may send Cookie headers and honor incoming {{httpheader("Set-Cookie")}} headers.
+- In Firefox, when the promise returned from `requestStorageAccess()` is resolved, the embedded page will gain access to its entire first-party storage, not just unpartitioned cookies. This includes access to APIs such as [Web Storage](/en-US/docs/Web/API/Web_Storage_API), [IndexedDB](/en-US/docs/Web/API/IndexedDB_API), [DOM Cache](/en-US/docs/Web/API/Cache), and so on.
 - The storage access grants are phased out after 30 calendar days have passed.
 
 Documentation for Firefox's new storage access policy for blocking tracking cookies includes [a detailed description](/en-US/docs/Web/Privacy/Storage_Access_Policy#storage_access_grants) of the scope of storage access grants.
@@ -95,21 +97,21 @@ Documentation for Firefox's new storage access policy for blocking tracking cook
 
 ## Examples
 
-See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for an implementation guide, with code examples.
+See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for an implementation guide with code examples.
 
 ## API methods
 
 - {{domxref("Document.hasStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to cookies.
+  - : Returns a {{jsxref("Promise")}} that resolves with a boolean value indicating whether the document has access to unpartitioned cookies.
 - {{domxref("Document.requestStorageAccess()")}}
-  - : Returns a {{jsxref("Promise")}} that resolves if the access to cookies was granted, and rejects if access was denied.
+  - : Returns a {{jsxref("Promise")}} that resolves if the access to unpartitioned cookies was granted, and rejects if access was denied.
 
 > **Note:** User interaction propagates to the promise returned by both of these methods, allowing the callers to take actions that require user interaction without requiring a second click from the user. For example, a caller could open a pop-up window from the resolved promise without triggering Firefox's pop-up blocker.
 
 ### Additions to other APIs
 
 - {{domxref("Permissions.query()")}}
-  - : You can call `Permissions.query()` with a value of `"storage-access"` to query whether cookie access has been granted in general, i.e. to another same-site embed. If so, you can call `requestStorageAccess()` without a user interaction, and the promise will resolve automatically.
+  - : You can call `Permissions.query()` with a value of `"storage-access"` to query whether unpartitioned cookie access has been granted in general, i.e. to another same-site embed. If so, you can call `requestStorageAccess()` without user interaction, and the promise will resolve automatically.
 
 ## Specifications
 
diff --git a/files/en-us/web/api/storage_access_api/using/index.md b/files/en-us/web/api/storage_access_api/using/index.md
index 1baaa53f466ef65..efb21cb4191ef28 100644
--- a/files/en-us/web/api/storage_access_api/using/index.md
+++ b/files/en-us/web/api/storage_access_api/using/index.md
@@ -6,13 +6,13 @@ page-type: guide
 
 {{DefaultAPISidebar("Storage Access API")}}
 
-The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) can be used by embedded cross-site documents to verify whether they have access to cookies and, if not, to request access. We'll briefly look at a common storage access scenario.
+The [Storage Access API](/en-US/docs/Web/API/Storage_Access_API) can be used by embedded cross-site documents to verify whether they have access to unpartitioned cookies and, if not, to request access. We'll briefly look at a common storage access scenario.
 
 ## Usage notes
 
-The Storage Access API is designed to allow embedded content to request access to cookies — most modern browsers block such access by default to protect user privacy. Since embedded content won't know what a browser's behavior is going to be in this regard, it's best to always check whether the embedded {{htmlelement("iframe")}} has storage access before attempting to read or write a cookie. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookie access is blocked.
+The Storage Access API is designed to allow embedded content to request access to unpartitioned cookies — most modern browsers block such access by default to protect user privacy. Since embedded content won't know what a browser's behavior is going to be in this regard, it's best to always check whether the embedded {{htmlelement("iframe")}} has storage access before attempting to read or write a cookie. This is particularly true for {{domxref("Document.cookie")}} access, as browsers will often return an empty cookie jar when third-party cookie access is blocked.
 
-In the example below, we show how an embedded cross-site {{htmlelement("iframe")}} can access a user's cookies under a storage access policy that blocks third-party cookie access.
+In the example below, we show how an embedded cross-site {{htmlelement("iframe")}} can access unpartitioned cookies under a browser storage access policy that blocks third-party cookie access.
 
 ## Allowing a sandboxed \<iframe> to use the API
 
@@ -33,56 +33,54 @@ Now on to the code executed inside the embedded document. In this code:
 1. We first use feature detection (`if (document.hasStorageAccess === null) {}`) to check whether the API is supported. If not, we run our code that accesses cookies anyway, and hope that it works. It should be coded defensively to deal with such eventualities anyway.
 2. If the API is supported, we call `document.hasStorageAccess()`.
    3. If that call returns `true`, it means this {{domxref("iframe")}} has already obtained access, and we can run our code that accesses cookies right away.
-   4. If that call returns `false`, we then call {{domxref("Permissions.query()")}} to check whether permission to access cookies has already been granted (i.e. to another same-site embed).
+   4. If that call returns `false`, we then call {{domxref("Permissions.query()")}} to check whether permission to access unpartitioned cookies has already been granted (i.e. to another same-site embed).
       5. If the permission state is `"granted"`, we immediately call `document.requestStorageAccess()`. This call will automatically resolve, saving the user some time, then we can run our code that accesses cookies.
-      6. If the permission state is `"prompt"`, we call `document.requestStorageAccess()` after a user interaction. This call may trigger a prompt to the user. If this call resolves, then we can run our code that accesses cookies.
-      7. If the permission state is `"denied"`, then the user has denied our requests to access cookies, so our code cannot make use of them.
+      6. If the permission state is `"prompt"`, we call `document.requestStorageAccess()` after user interaction. This call may trigger a prompt to the user. If this call resolves, then we can run our code that accesses cookies.
+      7. If the permission state is `"denied"`, the user has denied our requests to access unpartitioned cookies, and our code cannot make use of them.
 
 ```js
 function doThingsWithCookies() {
   document.cookie = "foo=bar"; // set a cookie
 }
 
-if (document.hasStorageAccess === null) {
-  // This browser doesn't support the Storage Access API
-  // so let's just hope we have access!
-  doThingsWithCookies();
-} else {
-  document.hasStorageAccess().then((hasAccess) => {
+async function handleCookieAccess() {
+  if (document.hasStorageAccess === null) {
+    // This browser doesn't support the Storage Access API
+    // so let's just hope we have access!
+    doThingsWithCookies();
+  } else {
+    const hasAccess = await document.hasStorageAccess();
     if (hasAccess) {
-      // We have access to cookies, so let's go
+      // We have access to unpartitioned cookies, so let's go
       doThingsWithCookies();
     } else {
-      // Check whether cookie access has been granted to another same-site embed
-      navigator.permissions.query({ name: "storage-access" }).then((result) => {
-        if (result.state === "granted") {
-          // If so, you can just call requestStorageAccess() without a user interaction,
-          // and it will resolve automatically.
-          document
-            .requestStorageAccess()
-            .then(() => {
-              doThingsWithCookies();
-            })
-        } else if (result.state === "prompt") {
-          // Need to call requestStorageAccess() after a user interaction
-          btn.addEventListener("click", () => {
-            document
-              .requestStorageAccess()
-              .then(() => {
-                doThingsWithCookies();
-              })
-              .catch((err) => {
-                // If there is an error obtaining storage access.
-                console.error(`Error obtaining storage access: ${err}.
-                               Please sign in.`);
-              });
-          });
-        } else if (result.state === "denied") {
-          // User has denied cookie access, so we'll need to do something else
-        }
-      });
+      // Check whether unpartitioned cookie access has been granted
+      // to another same-site embed
+      const permission = await navigator.permissions.query({ name: "storage-access" });
+
+      if (permission.state === "granted") {
+        // If so, you can just call requestStorageAccess() without a user interaction,
+        // and it will resolve automatically.
+        await document.requestStorageAccess();
+        doThingsWithCookies();
+      } else if (permission.state === "prompt") {
+        // Need to call requestStorageAccess() after a user interaction
+        btn.addEventListener("click", async () => {
+          try {
+            await document.requestStorageAccess();
+            doThingsWithCookies();
+          } catch(err) {
+            // If there is an error obtaining storage access.
+            console.error(`Error obtaining storage access: ${err}.
+                          Please sign in.`);
+          };
+        });
+      } else if (permission.state === "denied") {
+        // User has denied unpartitioned cookie access, so we'll
+        // need to do something else
+      }
     }
-  });
+  }
 }
 ```
 
diff --git a/files/en-us/web/html/element/iframe/index.md b/files/en-us/web/html/element/iframe/index.md
index a34490cbbd85c61..4926a9de4cf7437 100644
--- a/files/en-us/web/html/element/iframe/index.md
+++ b/files/en-us/web/html/element/iframe/index.md
@@ -84,7 +84,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
     - `allow-presentation`: Allows embedders to have control over whether an iframe can start a [presentation session](/en-US/docs/Web/API/PresentationRequest).
     - `allow-same-origin`: If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs).
     - `allow-scripts`: Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
-    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to cookies.
+    - `allow-storage-access-by-user-activation` {{experimental_inline}}: Allows a document loaded in the `<iframe>` to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to unpartitioned cookies.
     - `allow-top-navigation`: Lets the resource navigate the top-level browsing context (the one named `_top`).
     - `allow-top-navigation-by-user-activation`: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
     - `allow-top-navigation-to-custom-protocols`: Allows navigations to non-`http` protocols built into browser or [registered by a website](/en-US/docs/Web/API/Navigator/registerProtocolHandler/Web-based_protocol_handlers). This feature is also activated by `allow-popups` or `allow-top-navigation` keyword.
diff --git a/files/en-us/web/http/headers/permissions-policy/index.md b/files/en-us/web/http/headers/permissions-policy/index.md
index 2232215c131280f..57d76fad2a51c22 100644
--- a/files/en-us/web/http/headers/permissions-policy/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/index.md
@@ -179,7 +179,7 @@ You can specify
 
 - {{httpheader("Permissions-Policy/storage-access", "storage-access")}} {{Experimental_Inline}}
 
-  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to cookies.
+  - : Controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to unpartitioned cookies.
 
 - {{httpheader('Permissions-Policy/usb', 'usb')}} {{Experimental_Inline}}
 
diff --git a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
index 16a77e2e067fb78..ab3e10c2262b97c 100644
--- a/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/storage-access/index.md
@@ -9,9 +9,9 @@ browser-compat: http.headers.Permissions-Policy.storage-access
 
 {{HTTPSidebar}}{{SeeCompatTable}}
 
-The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to cookies.
+The HTTP {{HTTPHeader("Permissions-Policy")}} header `storage-access` directive controls whether a document loaded in a third-party context (i.e. embedded in an {{htmlelement("iframe")}}) is allowed to use the {{domxref("Storage Access API", "Storage Access API", "", "nocode")}} to request access to unpartitioned cookies.
 
-This is relevant to user agents that by default block access to cookies by sites loaded in a third-party context to improve privacy (e.g. to prevent tracking).
+This is relevant to user agents that by default block access to unpartitioned cookies by sites loaded in a third-party context to improve privacy (for example, to prevent tracking).
 
 Specifically, where a defined policy blocks use of this feature, {{domxref("Document.requestStorageAccess()")}} calls will return a {{jsxref("Promise")}} that rejects with a {{domxref("DOMException")}} of type `NotAllowedError`.
 

From b9427dcb26432f8bfcae188668e937df943edf30 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:45:36 +0100
Subject: [PATCH 05/11] Update
 files/en-us/web/api/storage_access_api/using/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/storage_access_api/using/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/storage_access_api/using/index.md b/files/en-us/web/api/storage_access_api/using/index.md
index efb21cb4191ef28..f1161ae55bff796 100644
--- a/files/en-us/web/api/storage_access_api/using/index.md
+++ b/files/en-us/web/api/storage_access_api/using/index.md
@@ -32,7 +32,7 @@ Now on to the code executed inside the embedded document. In this code:
 
 1. We first use feature detection (`if (document.hasStorageAccess === null) {}`) to check whether the API is supported. If not, we run our code that accesses cookies anyway, and hope that it works. It should be coded defensively to deal with such eventualities anyway.
 2. If the API is supported, we call `document.hasStorageAccess()`.
-   3. If that call returns `true`, it means this {{domxref("iframe")}} has already obtained access, and we can run our code that accesses cookies right away.
+   3. If that call returns `true`, it means this {{htmlelement("iframe")}} has already obtained access, and we can run our code that accesses cookies right away.
    4. If that call returns `false`, we then call {{domxref("Permissions.query()")}} to check whether permission to access unpartitioned cookies has already been granted (i.e. to another same-site embed).
       5. If the permission state is `"granted"`, we immediately call `document.requestStorageAccess()`. This call will automatically resolve, saving the user some time, then we can run our code that accesses cookies.
       6. If the permission state is `"prompt"`, we call `document.requestStorageAccess()` after user interaction. This call may trigger a prompt to the user. If this call resolves, then we can run our code that accesses cookies.

From 3d503f177af63e57180fda26d0a59fa9adee115c Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:46:48 +0100
Subject: [PATCH 06/11] Update
 files/en-us/web/api/document/hasstorageaccess/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/document/hasstorageaccess/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/document/hasstorageaccess/index.md b/files/en-us/web/api/document/hasstorageaccess/index.md
index 40ce9898fbd47cf..fa75e4bc852b6e5 100644
--- a/files/en-us/web/api/document/hasstorageaccess/index.md
+++ b/files/en-us/web/api/document/hasstorageaccess/index.md
@@ -28,7 +28,7 @@ A {{jsxref("Promise")}} that resolves with a boolean value indicating whether th
 
 The result returned by this method can be inaccurate in a couple of circumstances:
 
-1. The user may have browser settings active that block unpartitioned cookies entirely — in this case `true` may be returned even though unpartitioned cookies are still inaccessible. To handle such a situation, you are advised to gracefully handle any errors resulting in cookie values being unretrievable, for example by telling the user that unfortunately access to their personalized settings was blocked, and inviting them to sign in again to make use of them.
+1. The user may have browser settings active that block unpartitioned cookies entirely — in this case `true` may be returned even though unpartitioned cookies are still inaccessible. To handle such a situation, you should gracefully handle any errors resulting in cookie values being unretrievable; for example, inform the user that access to their personalized settings is blocked and invite them to sign in again to use them.
 2. The browser might not block third-party cookie access by default — in this case `false` may be returned even though unpartitioned cookies are accessible, and storage access wouldn't need to be requested (i.e. via {{domxref("Document.requestStorageAccess()")}}). To get around this issue, you could query {{domxref("Document.cookie")}} to find out whether your cookies are accessible, and call {{domxref("Document.requestStorageAccess()")}} if they are not.
 
 > **Note:** If the promise gets resolved and a user gesture event was being processed when the function was originally called, the resolve handler will run as if a user gesture was being processed, so it will be able to call APIs that require user activation.

From 3aa03e5a48cf8dc94075b7355348c4beacf316d7 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:47:06 +0100
Subject: [PATCH 07/11] Update
 files/en-us/web/api/document/requeststorageaccess/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/document/requeststorageaccess/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md
index 2532e2643b6b7a1..dce179245252e0a 100644
--- a/files/en-us/web/api/document/requeststorageaccess/index.md
+++ b/files/en-us/web/api/document/requeststorageaccess/index.md
@@ -28,7 +28,7 @@ None.
 
 A {{jsxref("Promise")}} that fulfills with `undefined` if the access to unpartitioned cookies was granted, and rejects if access was denied.
 
-`requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside some kind of user gesture-based event handler. The user gesture behavior depends on the state of the promise:
+`requestStorageAccess()` requests are automatically denied unless the embedded content is currently processing a user gesture such as a tap or click ({{Glossary("transient activation")}}), or unless permission was already granted previously. If permission was not previously granted, they need to be run inside a user gesture-based event handler. The user gesture behavior depends on the state of the promise:
 
 - If the promise resolves (i.e. if permission was granted), then the user gesture has not been consumed, so the script can subsequently call APIs that require a user gesture.
 - If the promise rejects (i.e. permission was not granted), then the user gesture has been consumed, so the script can't do anything that requires a gesture. This is intentional protection against abuse — it prevents scripts from calling `requestStorageAccess()` in a loop until the user accepts the prompt.

From eac4efc5d3ae3ee3267eed0b58dd63a7b85136a0 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:47:40 +0100
Subject: [PATCH 08/11] Update files/en-us/web/api/storage_access_api/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/storage_access_api/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/storage_access_api/index.md b/files/en-us/web/api/storage_access_api/index.md
index 20aa3bf0d937e98..38b33ab9364f67b 100644
--- a/files/en-us/web/api/storage_access_api/index.md
+++ b/files/en-us/web/api/storage_access_api/index.md
@@ -38,7 +38,7 @@ As explained above, modern browsers implement various features and policies to r
 3. Depending on the browser, the user will be asked whether to grant access to the requesting embed in slightly different ways.
    - Safari shows prompts for all embedded content that has not previously received storage access.
    - Firefox only prompts users after an origin has requested storage access on more than a threshold number of sites.
-   - At the time of writing, Chrome doesn't prompt the user. Instead, it only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href="https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/">first-party set</a>. This behavior will change as the implementation is developed further.
+   - At the time of writing, Chrome doesn't prompt the user. Instead, it only resolves `requestStorageAccess()` calls that come from domains within a [first-party set](https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/). This behavior will change as the implementation is developed further.
 4. Access is granted or denied based on whether the content meets all the security requirements (see [Security measures](#security_measures), below). The {{jsxref("Promise")}}-based nature of `requestStorageAccess()` allows you to run code to handle success and failure cases.
    - Modern spec behavior dictates that access is granted **per-frame** — every separate content embed has its unpartitioned cookie access blocked by default, and needs to call `requestStorageAccess()` to opt-in to access. If a content embed has received access, and same-site embeds then call `requestStorageAccess()`, their promises will fulfill automatically. But they still need to opt-in.
    - In older versions of the spec, the access was **per-page**. As soon as one embed received unpartitioned cookie access via `requestStorageAccess()`, all other same-site embeds would automatically receive access. This was not desirable behavior from a security standpoint — for example, if `shop.example.com` embedded `locator.users.com` to allow users to use their location info while shopping, and `locator.users.com` called `requestStorageAccess()`, `shop.example.com` and any other sites it embeds would be able to access its cookies, but also access cookies from `private.users.com`, which is not intended to be embedded. [Read more about the motivations](https://github.com/privacycg/storage-access/issues/113) behind this change.

From 602992801e717f4b23649ae3118fb8f3f8c62a43 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:47:55 +0100
Subject: [PATCH 09/11] Update files/en-us/web/api/storage_access_api/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/storage_access_api/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/storage_access_api/index.md b/files/en-us/web/api/storage_access_api/index.md
index 38b33ab9364f67b..05e2ec6ad01586a 100644
--- a/files/en-us/web/api/storage_access_api/index.md
+++ b/files/en-us/web/api/storage_access_api/index.md
@@ -72,7 +72,7 @@ Several different security measures could cause a {{domxref("Document.requestSto
    ```
 
 6. Usage of this feature may be blocked by a {{httpheader("Permissions-Policy/storage-access", "storage-access")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server.
-7. At the time of writing, Chrome only resolves <code>requestStorageAccess()</code> calls that come from domains within a <a href="https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/">first-party set</a>. This restriction is intended to be relaxed as the implementation is developed further.
+7. At the time of writing, Chrome only resolves `requestStorageAccess()` calls that come from domains within a [first-party set](https://developer.chrome.com/docs/privacy-sandbox/first-party-sets/). This restriction is intended to be relaxed as the implementation is developed further.
 
 > **Note:** The document may also be required to pass additional browser-specific checks. Examples: allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission.
 

From 6497c0818fc636d9d33bf951c79d2743a5a88592 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:48:07 +0100
Subject: [PATCH 10/11] Update
 files/en-us/web/api/document/hasstorageaccess/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/document/hasstorageaccess/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/document/hasstorageaccess/index.md b/files/en-us/web/api/document/hasstorageaccess/index.md
index fa75e4bc852b6e5..3ac71359508e0c3 100644
--- a/files/en-us/web/api/document/hasstorageaccess/index.md
+++ b/files/en-us/web/api/document/hasstorageaccess/index.md
@@ -51,7 +51,7 @@ document.hasStorageAccess().then((hasAccess) => {
 });
 ```
 
-> **Note:** See [Using the Storage Access API](/docs/Web/API/Storage_Access_API/Using) for a more complete example.
+> **Note:** See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for a more complete example.
 
 ## Specifications
 

From 43fc434532f0801d1be34fc82fde5161c1c9d753 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 16 May 2023 09:48:19 +0100
Subject: [PATCH 11/11] Update
 files/en-us/web/api/document/requeststorageaccess/index.md

Co-authored-by: Brian Thomas Smith <brian@smith.berlin>
---
 files/en-us/web/api/document/requeststorageaccess/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md
index dce179245252e0a..ac8b11e4db5dc69 100644
--- a/files/en-us/web/api/document/requeststorageaccess/index.md
+++ b/files/en-us/web/api/document/requeststorageaccess/index.md
@@ -57,7 +57,7 @@ document.requestStorageAccess().then(
 );
 ```
 
-> **Note:** See [Using the Storage Access API](/docs/Web/API/Storage_Access_API/Using) for a more complete example.
+> **Note:** See [Using the Storage Access API](/en-US/docs/Web/API/Storage_Access_API/Using) for a more complete example.
 
 ## Specifications