FF145 Storage Access HTTP headers

[hamishwillee]

FF145 supports the HTTP headers Activate-Storage-Access and Sec-Fetch-Storage-Access in nightly, and they are already supported in Chrome 133.

This adds docs. Bit of a slog. Mostly untangling the language we use around accessing the permission in the normal API docs.
The Sec-Fetch-Storage-Access language makes this easier by clearly separating the permission that is granted to a particular embedded/embedder site key, and activating that permission for a particular context.

I've tried to rewrite the how it works and add sequences that shows how this works. For the headers, Activate-Storage-Access
has lots of docs and is linked from Sec-Fetch-Storage-Access.
I have not updated "Using" doc. I probably should, but might do that when this is actually released.

Spec is https://privacycg.github.io/storage-access-headers , explainer is https://github.com/privacycg/storage-access-headers/blob/d73c092919f0ca44c02c0890c078046ef8a63a88/README.md

Related docs work can be tracked in #41499

[github-actions]

Preview URLs

• /en-US/docs/Web/API/Storage_Access_API
• /en-US/docs/Web/HTTP/Reference/Headers/Activate-Storage-Access
• /en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Storage-Access
• /en-US/docs/Web/HTTP/Reference/Headers

Flaws (6)

Note! 2 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/HTTP/Reference/Headers
Title: HTTP headers
Flaw count: 3

• macros:
  • Can't resolve /en-US/docs/Web/HTTP/Reference/Headers/Accept-Signature
  • Can't resolve /en-US/docs/Web/HTTP/Reference/Headers/Signature
  • Can't resolve /en-US/docs/Web/HTTP/Reference/Headers/Signed-Headers

---

URL: /en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Storage-Access
Title: Sec-Fetch-Storage-Access header
Flaw count: 3

• unknown:
  • No generic content config found
  • no blog root
  • no blog root

External URLs (2)

URL: /en-US/docs/Web/API/Storage_Access_API
Title: Storage Access API

• https://github.com/privacycg/storage-access/issues/113 (1 time) (Note! This may be a new URL 👀)

---

URL: /en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Storage-Access
Title: Sec-Fetch-Storage-Access header

• https://secmetadata.appspot.com/ (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2025-11-07 09:28:59)

[chrisdavidmills]

@hamishwillee removing myself for now. When this is finished, feel free to add me back to review; happy to do so.

[bsmth]

Ditto! Add me back on as a reviewer when you're ready for a look 👀

[hamishwillee]

@chrisdavidmills @bsmth I've added you back as reviewers as this is a reasonable first shot.

Apologies that it is a bit rough - I have not yet self-subedited. Given I'm away after Friday this is the only way I can be sure it has a chance of being ready for the release. If it is simply not close to good enough we can wait though, as I did the release not separately.

[chrisdavidmills]

@hamishwillee this is a truly heroic bit of work. I've got a whole bunch of nitpicky language comments, but it largely makes sense.

[hamishwillee]

@hamishwillee this is a truly heroic bit of work. I've got a whole bunch of nitpicky language comments, but it largely makes sense.

THanks @chrisdavidmills - and thanks for your timely and heroic review. I did find it hard - the previous terminology didn't lend itself to integrating this update.

Should be good to look at again. I have accepted pretty much all your suggestions. Only not reduced the description of the ActivateX... header - as noted, I don't think I can and leave it useful.

[hamishwillee]

PS Feel free to merge if remaining fixes end up being nits :-). I'm away so if it is essentially good enough then better to get it in.

[chrisdavidmills]

@hamishwillee hurrah, I think this is ready to go in! Great work, man.