The Storage Access API (SAA)
enables cross-origin iframes to request storage access permissions when access
would otherwise be denied by browser settings.
Some websites may use both FedCM for authentication, and SAA to allow
cross-origin iframes to access required storage. For example, if idp.example
is embedded on rp.example, and idp.example needs storage access to its own
top-level cookie to show personalized content.
In this scenario, the user needs to approve two different prompts: one for
authentication and another to grant cookie access, as SAA would trigger a
permission
prompt. FedCM
simplifies the Storage Access API process by acting as a trust
signal. Once the user logs in with
FedCM, the IdP-initiated storage access requests are automatically granted,
eliminating the need for additional SAA prompts.
// In top-level rp.example:// Ensure FedCM permission has been granted.constcred=awaitnavigator.credentials.get({identity:{providers:[{configURL:'https://idp.example/fedcm.json',clientId:'123',}],}});// In an embedded IdP iframe:// Returns `true` if the user already has access to cookies, and `false` if// the user doesn't have access yet and needs to request it.consthasAccess=awaitdocument.hasStorageAccess()if(!hasAccess){// No user gesture is needed to approve storage access, and the call will be auto-granted.document.requestStorageAccess().then(e=>{//access cookies})}else{//the iframe already has access to third-party cookies}
Origin
trial
participants have provided positive feedback, highlighting the improved user
experience enabled by a context-specific FedCM prompt over generic Storage
Access API prompts.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-15 UTC."],[[["Chrome now uses FedCM as a trust signal for the Storage Access API, streamlining cross-origin iframe storage access when users are logged in with FedCM."],["This integration eliminates the need for separate Storage Access API prompts, simplifying the user experience and reducing prompt fatigue."],["Websites using both FedCM and the Storage Access API benefit from this feature, as users only need to authenticate once with FedCM for both login and storage access."],["Developers can learn more about implementation and feedback channels through provided documentation and issue tracking links."],["Positive feedback from origin trial participants suggests that FedCM-based storage access improves user experience compared to generic prompts."]]],["Chrome 131 utilizes FedCM as a trust signal for the Storage Access API (SAA). When a user logs in via FedCM, storage access requests from Identity Providers (IdPs) are automatically granted, removing the need for additional SAA prompts. Websites using both FedCM and SAA see streamlined access. Without FedCM, the user needs to approve separate prompts for authentication and cookie access. `document.requestStorageAccess()` becomes auto-granted, and cookies will be available. If `navigator.credentials.preventSilentAccess()` is called, storage access is not granted until reauthentication.\n"]]
