HTTP headers support for the Storage Access API

Natalia Markoborodova

After a successful origin trial, we're shipping Storage Access Headers (SAH) in Chrome 133.

What are Storage Access Headers?

Storage Access Headers are new HTTP headers that allow embedded content (like social media widgets, calendars, interactive tools, and images) to check for unpartitioned cookie access. Previously, this was possible only with JavaScript. The new Sec-Fetch-Storage-Access request header and Activate-Storage-Access response header improve performance and user experience for websites that rely on embedded content, and support loading of non-iframe resources. Explore the documentation for implementation details.

Request header

  Sec-Fetch-Storage-Access: <access-status>

When a user visits a page that embeds cross-site content, the browser automatically includes the Sec-Fetch-Storage-Access header in cross-site requests that might require credentials (like cookies). This header indicates the embed's cookie access permission status, and can have the following values:

  • none: The embed doesn't have the storage-access permission, and therefore doesn't have unpartitioned cookie access.

  • inactive: The embed has the storage-access permission, but has not opted into using it in its current context. The embed does not have unpartitioned cookie access.

  • active: The embed has unpartitioned cookie access. This value will be included on any cross-origin requests that have access to unpartitioned cookies.

Response headers

  Activate-Storage-Access: <retry-or-load>

The Activate-Storage-Access header instructs the browser to either retry the request with cookies or load the resource directly with the Storage Access API (SAA) activated. The header can have the following values:

  • load: Instructs the browser to grant the embedder access to unpartitioned cookies for the requested resource. Including this header is equivalent to calling document.requestStorageAccess() if the storage-access permission has been granted. No additional prompt will be displayed to the user.

  • retry: The server responds that the browser should activate the storage-access permission, then retry the request.

  Activate-Storage-Access: retry; allowed-origin="https://site.example"
  Activate-Storage-Access: retry; allowed-origin=*
  Activate-Storage-Access: load
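
The following server-side sketch is an added example, not code from the Chrome documentation. It maps each Sec-Fetch-Storage-Access value to a response decision and only asks for a retry on behalf of an allowlisted origin instead of using allowed-origin=*. The function name, the allowlist, and the assumption that allowed-origin is matched against the request's Origin header are illustrative.

```javascript
// Added example: hypothetical helper, not the page's or Chrome's own code.
// Origins this server will approve a retry for (constructed sample value).
const RETRY_ALLOWLIST = new Set(["https://site.example"]);

// `headers` uses lower-cased names, as in Node's req.headers.
function decideStorageAccess(headers, allowlist = RETRY_ALLOWLIST) {
  const status = headers["sec-fetch-storage-access"];
  const origin = headers["origin"];

  switch (status) {
    case "active":
      // The request already has unpartitioned cookie access.
      // Ask the browser to load the resource with SAA activated.
      return {
        cookiesUsable: true,
        responseHeaders: { "Activate-Storage-Access": "load" },
      };

    case "inactive":
      // Permission is granted but not activated in this context.
      // Request a retry only for an exact allowlist match, and echo that
      // vetted origin rather than "*". Set membership also guarantees the
      // value contains nothing unexpected before it goes into a header.
      if (typeof origin === "string" && allowlist.has(origin)) {
        return {
          cookiesUsable: false,
          responseHeaders: {
            "Activate-Storage-Access": `retry; allowed-origin="${origin}"`,
          },
        };
      }
      return { cookiesUsable: false, responseHeaders: {} };

    default:
      // "none", a missing header, or an unrecognized value: treat the
      // request as having no unpartitioned cookie access.
      return { cookiesUsable: false, responseHeaders: {} };
  }
}
```
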

Key advantages

Storage Access Headers is a recommended, more performant way to use the Storage Access API (SAA). Overall, this change brings several improvements:

  • Non-iframe embeds support: Enables SAA for a wider range of resources.
  • Reduced network usage: Fewer requests and smaller payloads.
  • Lower CPU usage: Less JavaScript processing.
  • Improved UX: Eliminates disruptive intermediate loads.

Update your solution

With the Storage Access Headers feature, there are two cases where you may want to update your code:

  • You use SAA and want to achieve better performance by using header logic for subsequent storage-access requests.
  • You have validation or logic that depends on whether the Origin header is included in the request to your server.

Check out our documentation to learn how to use Storage Access Headers in your solution.

Engage and share feedback

If you have feedback or encounter any problems, you can file an issue. You can also learn more about Storage Access Headers in the GitHub explainer.