From a8db40731075f0fd4d2f04a2eddb8775467e4029 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Fri, 18 Nov 2022 13:48:58 +0000 Subject: [PATCH 01/10] Use the Permissions API --- storage-access.bs | 65 +++++++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 36 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 2751e06..e7db08d 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -148,8 +148,6 @@ A storage access flag set is a set of zero or more of the following f : The has storage access flag :: When set, this flag indicates |embedded origin| has access to its [=unpartitioned data=] when it's loaded in a [=third party context=] on |top-level site|. -: The was expressly denied storage access flag -:: When set, this flag indicates that the user expressly denied |embedded origin| access to its [=unpartitioned data=] when it's loaded in a [=third party context=] on |top-level site|. To obtain a storage access flag set for a [=partitioned storage key=] |key| from a [=/storage access map=] |map|, run the following steps: @@ -158,10 +156,6 @@ To obtain a storage access flag set for a [=partit 1. [=map/Set=] |map|[|key|] to |flags|. 1. Return |map|[|key|]. -To save the storage access flag set for a [=partitioned storage key=] |key| in a [=/storage access map=] |map|, run the following steps: - -1. [=map/Set=] [=global storage access map=][|key|] to |map|[|key|]. -

Changes to {{Document}}

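Review bot: removing the "was expressly denied storage access flag" and the "save the storage access flag set" algorithm in these two hunks hands the denied state to the permission store, which is fine, but it is worth stating why the save step can go. The "obtain a storage access flag set" steps that remain already do `1. [=map/Set=] |map|[|key|] to |flags|.` before `1. Return |map|[|key|].`, so callers mutate the stored object and the save step was redundant; a one-line note next to that algorithm saying the flag set is held by reference would stop a future editor from re-adding it.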
@@ -187,14 +181,7 @@ When invoked on {{Document}} |doc|, the ha
 1. If |doc|'s [=Document/origin=] is [=same origin=] with the [=top-level origin=] of |doc|'s [=relevant settings object=], [=/resolve=] |p| with true and return |p|.
 1. Let |key| be the result of [=generate a partitioned storage key|generating a partitioned storage key=] from |doc|.
 1. If |key| is failure, [=resolve=] |p| with false and return |p|.
-1. Run these steps [=in parallel=]:
-    1. Let |map| be the result of [=obtain the storage access map|obtaining the storage access map=] for |doc|.
-    1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|.
-    1. If |flag set|'s [=was expressly denied storage access flag=] is set, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p| with false, and abort these steps.
-    1. If |flag set|'s [=has storage access flag=] is set, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p| with true, and abort these steps.
-    1. Let |hasAccess| be [=a new promise=].
-    1. [=Determine the storage access policy=] with |key|, |doc| and |hasAccess|.
-    1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p| with the result of |hasAccess|.
+1. [=Resolve=] or [=reject=] |p| based on the result of running [=determine if a site has storage access=] with |key| and |doc|.
 1. Return |p|.
 
 ISSUE: Shouldn't step 8 be [=same site=]?
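Review bot: the new step `+1. [=Resolve=] or [=reject=] |p| based on the result of running [=determine if a site has storage access=] with |key| and |doc|.` does not match the callee, which (per the @@ -242 hunk in this same patch) returns a boolean and never rejects; hasStorageAccess() should resolve |p| with that boolean, and rejecting on false would change the API contract. The hunk also drops the in-parallel and queue-a-global-task structure, so |p| is now settled synchronously while requestStorageAccess() still goes through the permission task source; either say the synchronous path is intended or keep the queued task for symmetry.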
@@ -220,7 +207,6 @@ When invoked on {{Document}} |doc|, the re
 1. If |key| is failure, [=reject=] |p| with a "{{NotAllowedError}}" {{DOMException}} and return |p|.
 1. Let |map| be the result of [=obtain the storage access map|obtaining the storage access map=] for |doc|.
 1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|.
-1. If |flag set|'s [=was expressly denied storage access flag=] is set, [=reject=] |p| with a "{{NotAllowedError}}" {{DOMException}} and return |p|.
 1. If |flag set|'s [=has storage access flag=] is set, [=/resolve=] and return |p|.
 1. Otherwise, run these steps [=in parallel=]:
     1. Let |hasAccess| be [=a new promise=].
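Review bot: with `-1. If |flag set|'s [=was expressly denied storage access flag=] is set, [=reject=] |p| with a "{{NotAllowedError}}" {{DOMException}} and return |p|.` gone, a stored denial is no longer rejected here; it surfaces only when "determine the storage access policy" calls "requesting permission to use" in the @@ -242 hunk. That is consistent with moving the state into the permission store, but the removed early return also skipped the in-parallel steps, so a previously denied requester now reaches the policy algorithm and its implementation-defined implicit grant and deny steps on every call; confirm that the UA policy is meant to take precedence over a stored user decision.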
@@ -228,7 +214,6 @@ When invoked on {{Document}} |doc|, the re
     1. [=Queue a global task=] on the [=permission task source=] given |global| to
         1. Set |flag set|'s [=has storage access flag=].
         1. Resolve or reject |p| based on the result of |hasAccess|.
-    1. [=Save the storage access flag set=] for |key| in |map|.
 1. Return |p|.
 
 ISSUE: Shouldn't step 9 be [=same site=]?
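Review bot: dropping `-    1. [=Save the storage access flag set=] for |key| in |map|.` is safe because the flag set obtained above is already stored in |map| by reference, but the surrounding steps set the flag unconditionally: `1. Set |flag set|'s [=has storage access flag=].` runs before `1. Resolve or reject |p| based on the result of |hasAccess|.`, so a rejected |hasAccess| still leaves the flag set and a later hasStorageAccess() would report true after a denial. Set the flag only on the resolved branch.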
@@ -242,37 +227,22 @@ To determine if a site has storage access with [=p
 1. Let |map| be the result of [=obtain the storage access map|obtaining the storage access map=] for |doc|.
 1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|.
 1. If |flag set|'s [=has storage access flag=] is set, return true.
-1. Let |has storage access| (a [=boolean=]) be the result of running an [=implementation-defined=] set of steps to determine if |key|'s [=partitioned storage key/embedded origin=] has access to its [=unpartitioned data=] on |key|'s [=partitioned storage key/top-level site=].
-1. If |has storage access| is true, set |flag set|'s [=has storage access flag=].
-1. [=Save the storage access flag set=] for |key| in |map|.
-1. Return |has storage access|.
+1. Return false.
 
 To determine the storage access policy for [=partitioned storage key=] |key| with {{Document}} |doc| and {{Promise}} |p|, run these steps:
 
 1. Let |map| be the result of [=obtain the storage access map|obtaining the storage access map=] for |doc|.
 1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|.
 1. Let |implicitly granted| and |implicitly denied| (each a [=boolean=]) be the result of running an [=implementation-defined=] set of steps to determine if |key|'s [=partitioned storage key/embedded origin=]'s request for storage access on |key|'s [=partitioned storage key/top-level site=] should be granted or denied without prompting the user.
-
-    Note: These [=implementation-defined=] set of steps might result in |flag set|'s [=has storage access flag=] and [=was expressly denied storage access flag=] changing, since the User Agent could have relevant out-of-band information (e.g. a user preference that changed) that this specification is unaware of.
 1. Let |global| be |doc|'s [=relevant global object=].
 1. If |implicitly granted| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return.
 1. If |implicitly denied| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|.
-1. Ask the user if they would like to grant |key|'s [=partitioned storage key/embedded origin=] access to its [=unpartitioned data=] when it's loaded in a [=third party context=] on |key|'s [=partitioned storage key/top-level site=], and wait for an answer. Let |expressly granted| and |expressly denied| (both [=booleans=]) be the result.
-
-    Note: While |expressly granted| and |expressly denied| cannot both be true, they could both be false in User Agents which allow users to dismiss the prompt without choosing to allow or deny the request. (Such a dismissal is interpreted in this algorithm as a denial.)
-1. If |expressly granted| is true, run these steps:
-    1. Unset |flag set|'s [=was expressly denied storage access flag=].
-    1. [=Save the storage access flag set=] for |key| in |map|.
-    1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return.
+1. Let |permissionState| be the result of [=requesting permission to use=] "storage-access".
+1. If |permissionState| is "granted", [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return.
 1. Unset |flag set|'s [=has storage access flag=].
-1. If |expressly denied| is true, run these steps:
-    1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it.
-    1. Set |flag set|'s [=was expressly denied storage access flag=].
-1. [=Save the storage access flag set=] for |key| in |map|.
+1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it.
 1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}.
 
-ISSUE: [since this is UA-defined, does it make sense to follow-up separately with a user prompt?](https://github.com/privacycg/storage-access/pull/24#discussion_r408784492)
-
 
 
 Before changing the current entry of a session history, run the following steps:
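Review bot: "determine if a site has storage access" is reduced to the flag check plus `+1. Return false.`, so hasStorageAccess() can only report true in a document that earlier succeeded with requestStorageAccess(); a grant that is in the permission store but whose flag was cleared (for example by the session history step that follows) is not consulted. If that is the intended compatibility behaviour, say so in a note; otherwise query the "storage-access" permission state here as well. Two smaller points in the policy algorithm: `1. If |implicitly denied| is true, ... [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|.` returns a value from an algorithm whose other exits are a plain "return"; and because "requesting permission to use" now replaces the prompt, the deleted note about dismissals being treated as denial should be carried over, since the consume-user-activation step now applies to every non-granted result, dismissals included.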
@@ -283,7 +253,6 @@ Before changing the current entry of a session history, run the following steps:
 1. If |key| is failure, abort these steps.
 1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|.
 1. Unset |flag set|'s [=has storage access flag=].
-1. [=Save the storage access flag set=] for |key| in |map|.
 
 ISSUE(privacycg/storage-access#3): What this section should look like ultimately hinges on
 
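Review bot: same observation as for the requestStorageAccess() hunk: removing `-1. [=Save the storage access flag set=] for |key| in |map|.` is correct only because "obtain a storage access flag set" stores the set in |map| before returning it, so the unset on the line above takes effect on the stored object. One sentence next to the obtain algorithm making that by-reference behaviour explicit would make this section self-explanatory.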
@@ -313,6 +282,30 @@ To the [=parse a sandboxing directive=] algorithm, add the following under step
 
  • The [=sandbox storage access by user activation flag=], unless tokens contains the allow-storage-access-by-user-activation keyword. +

    Permissions Integration

    + +The Storage Access API defines a [=powerful feature=] identified by the [=powerful feature/name=] `"storage-access"`. + +

    Changes to generate a permission store key

    + +Update the generate a permission store key algorithm to take the [=powerful feature/name=] |name|. Prepend the following steps to it: + +1. If |name| is "storage-access", run the following steps: + 1. Let |topLevelOrigin| be |settings|' [=environment/top-level origin]. + 1. Let |embeddedOrigin| be |settings|' [=environment/origin]. + 1. Return (|topLevelOrigin|, |embeddedOrigin|). + +

    Changes to compare permission store keys

    + +Update the compare permission store keys algorithm to take the [=powerful feature/name=] |name|. Prepend the following steps to it: + +1. If |name| is "storage-access", run the following steps: + 1. Let |topLevelSite1| be the result of [=obtaining a site=] from |key1|'s permission store key/top-level origin. + 1. Let |topLevelSite2| be the result of [=obtaining a site=] from |key2|'s permission store key/top-level origin. + 1. If |topLevelSite1| is not [=same site=] with |topLevelSite2|, return false. + 1. If |key1|'s permission store key/granted origin is not [=same origin=] with |key2|'s permission store key/granted origin, return false. + 1. Return true. +

    Permissions Policy Integration

    The Storage Access API defines a [=policy-controlled feature=] identified by the string `"storage-access"`. Its [=default allowlist=] is `"*"`. From e4c2e6a2570c00bfe97813d6f5627eb6cd190f5f Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Tue, 22 Nov 2022 10:47:48 +0000 Subject: [PATCH 02/10] Better permissions reference, fix other references --- storage-access.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index e7db08d..8a4167d 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -284,22 +284,22 @@ To the [=parse a sandboxing directive=] algorithm, add the following under step
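Review bot: in the new "Changes to generate a permission store key" and "Changes to compare permission store keys" sections the two halves do not agree on the key shape. Generation returns `1. Return (|topLevelOrigin|, |embeddedOrigin|).`, yet comparison reads "permission store key/top-level origin" and "permission store key/granted origin", and compares sites obtained from the origins rather than the stored origins themselves; either generate the site up front or name the tuple items and compare what was actually stored. The references `[=environment/top-level origin]` and `[=environment/origin]` are also missing the closing `=` and will not autolink in Bikeshed.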

    Permissions Integration

    -The Storage Access API defines a [=powerful feature=] identified by the [=powerful feature/name=] `"storage-access"`. +The Storage Access API defines a [=powerful feature=] identified by the [=powerful feature/name=] "storage-access".

    Changes to generate a permission store key

    Update the generate a permission store key algorithm to take the [=powerful feature/name=] |name|. Prepend the following steps to it: -1. If |name| is "storage-access", run the following steps: - 1. Let |topLevelOrigin| be |settings|' [=environment/top-level origin]. - 1. Let |embeddedOrigin| be |settings|' [=environment/origin]. +1. If |name| is "storage-access", run the following steps: + 1. Let |topLevelOrigin| be |settings|' [=top-level origin=]. + 1. Let |embeddedOrigin| be |settings|' [=environment settings object/origin=]. 1. Return (|topLevelOrigin|, |embeddedOrigin|).

    Changes to compare permission store keys

    Update the compare permission store keys algorithm to take the [=powerful feature/name=] |name|. Prepend the following steps to it: -1. If |name| is "storage-access", run the following steps: +1. If |name| is "storage-access", run the following steps: 1. Let |topLevelSite1| be the result of [=obtaining a site=] from |key1|'s permission store key/top-level origin. 1. Let |topLevelSite2| be the result of [=obtaining a site=] from |key2|'s permission store key/top-level origin. 1. If |topLevelSite1| is not [=same site=] with |topLevelSite2|, return false. From c5cb2d1261f56df7b010adc4303ea57bb6691a2c Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Tue, 22 Nov 2022 10:49:33 +0000 Subject: [PATCH 03/10] Forgot another reference --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 8a4167d..8be2f03 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -237,7 +237,7 @@ To determine the storage access policy for [=parti 1. Let |global| be |doc|'s [=relevant global object=]. 1. If |implicitly granted| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return. 1. If |implicitly denied| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|. -1. Let |permissionState| be the result of [=requesting permission to use=] "storage-access". +1. Let |permissionState| be the result of [=requesting permission to use=] "storage-access". 1. If |permissionState| is "granted", [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return. 1. Unset |flag set|'s [=has storage access flag=]. 1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it. From 47ddecf3740db8b51584105fbea40f6b9e88ac92 Mon Sep 17 00:00:00 2001 
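Review bot: the reference fixes (`[=top-level origin=]`, `[=environment settings object/origin=]`) and the plain-quoted feature name are right, but the comparison half still refers to "permission store key/granted origin" while generation stores |embeddedOrigin|, so the two algorithms still name the second tuple item differently; align the names in the same change. The follow-up patch 03 only touches whitespace on the "requesting permission to use" line.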
From: Johann Hofmann Date: Wed, 23 Nov 2022 13:26:44 +0000 Subject: [PATCH 04/10] Define as algorithms on the feature instead --- storage-access.bs | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index 8be2f03..02ac687 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -284,27 +284,35 @@ To the [=parse a sandboxing directive=] algorithm, add the following under step

    Permissions Integration

    -The Storage Access API defines a [=powerful feature=] identified by the [=powerful feature/name=] "storage-access". +The Storage Access API defines a [=powerful feature=] identified by the [=powerful feature/name=] "storage-access". It defines the following permission-related algorithms: -

    Changes to generate a permission store key

    +
    +
    [=powerful feature/permission query algorithm=]
    +
    + To query the "storage-access" permission, given a {{PermissionDescriptor}} |permissionDesc| and a {{PermissionStatus}} |status|, run the following steps: -Update the generate a permission store key algorithm to take the [=powerful feature/name=] |name|. Prepend the following steps to it: + 1. Set |status|'s {{PermissionStatus/state}} to |permissionDesc|'s [=permission state=]. + 1. If |status|'s {{PermissionStatus/state}} is [=permission/denied=], set |status|'s {{PermissionStatus/state}} to [=permission/prompt=]. -1. If |name| is "storage-access", run the following steps: - 1. Let |topLevelOrigin| be |settings|' [=top-level origin=]. - 1. Let |embeddedOrigin| be |settings|' [=environment settings object/origin=]. - 1. Return (|topLevelOrigin|, |embeddedOrigin|). - -

    Changes to compare permission store keys

    + Note: The "denied" permission state is not revealed to avoid exposing the user's decision to developers. This is done to prevent retaliation against the user and repeated prompting to the detriment of the user experience. +
    +
    [=powerful feature/permission key generation algorithm]
    +
    + To generate a new [=permission store key] for the "storage-access" feature, given an [=environment settings object=] |settings|, run the following steps: -Update the compare permission store keys algorithm to take the [=powerful feature/name=] |name|. Prepend the following steps to it: - -1. If |name| is "storage-access", run the following steps: - 1. Let |topLevelSite1| be the result of [=obtaining a site=] from |key1|'s permission store key/top-level origin. - 1. Let |topLevelSite2| be the result of [=obtaining a site=] from |key2|'s permission store key/top-level origin. - 1. If |topLevelSite1| is not [=same site=] with |topLevelSite2|, return false. - 1. If |key1|'s permission store key/granted origin is not [=same origin=] with |key2|'s permission store key/granted origin, return false. + 1. Let |topLevelSite| be |settings|' [=top-level site=]. + 1. Let |embeddedOrigin| be |settings|' [=environment settings object/origin=]. + 1. Return (|topLevelSite|, |embeddedOrigin|). +
    +
    [=powerful feature/permission key comparison algorithm]
    +
    + To compare the [=permission keys] |key1| and |key2| for the "storage-access" feature, run the following steps: + + 1. If |key1|[0] is not [=same site=] with |key2|[0], return false. + 1. If |key1|[1] is not [=same origin=] with |key2|[1], return false. 1. Return true. +
    +

    Permissions Policy Integration

    From 3d7532adccfdf5a7493ddc72912feb30ab1e9425 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Fri, 2 Dec 2022 19:43:02 +0000 Subject: [PATCH 05/10] Add permission key type --- storage-access.bs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 02ac687..ffd78f7 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -296,9 +296,13 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf Note: The "denied" permission state is not revealed to avoid exposing the user's decision to developers. This is done to prevent retaliation against the user and repeated prompting to the detriment of the user experience. +
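Review bot: moving the key logic into per-feature algorithms is cleaner, and having the permission query algorithm report [=permission/prompt=] in place of [=permission/denied=], with the rationale in the Note, is a good privacy default. Two follow-ups: the request path in "determine the storage access policy" still receives the stored state from "requesting permission to use", so a script may be able to tell an immediate rejection from one that followed a prompt; a sentence in the privacy considerations covering that channel would complete the story. And `[=powerful feature/permission key generation algorithm]`, `[=permission store key]` and `[=permission keys]` lack the closing `=`, so they will render as literal text rather than links.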
    [=powerful feature/permission key type]
    +
    + A [=permission key] of the "storage-access" feature has the type ([=site=], [=/origin=]). +
    [=powerful feature/permission key generation algorithm]
    - To generate a new [=permission store key] for the "storage-access" feature, given an [=environment settings object=] |settings|, run the following steps: + To generate a new [=permission key] for the "storage-access" feature, given an [=environment settings object=] |settings|, run the following steps: 1. Let |topLevelSite| be |settings|' [=top-level site=]. 1. Let |embeddedOrigin| be |settings|' [=environment settings object/origin=]. From eba448281e3d13c90419faf131a3579359e358a3 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Mon, 12 Dec 2022 11:38:27 +0000 Subject: [PATCH 06/10] Updates for latest permission spec --- storage-access.bs | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index ffd78f7..3f7e62a 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -34,6 +34,8 @@ urlPrefix: https://fetch.spec.whatwg.org/; spec: Fetch spec: RFC6265; urlPrefix: https://tools.ietf.org/html/rfc6265 type: dfn text: cookie store; url: section-5.3 +urlPrefix: https://w3c.github.io/permissions/; spec: permissions + text: permissions task source; url: #permissions-task-source; type: dfn urlPrefix: https://w3c.github.io/webdriver/webdriver-spec.html#; spec: webdriver type: dfn text: current browsing context; url: dfn-current-browsing-context @@ -211,7 +213,7 @@ When invoked on {{Document}} |doc|, the re 1. Otherwise, run these steps [=in parallel=]: 1. Let |hasAccess| be [=a new promise=]. 1. [=Determine the storage access policy=] with |key|, |doc| and |hasAccess|. - 1. [=Queue a global task=] on the [=permission task source=] given |global| to + 1. [=Queue a global task=] on the [=permissions task source=] given |global| to 1. Set |flag set|'s [=has storage access flag=]. 1. Resolve or reject |p| based on the result of |hasAccess|. 1. Return |p|. 
@@ -235,13 +237,13 @@ To determine the storage access policy for [=parti 1. Let |flag set| be the result of [=obtain a storage access flag set|obtaining the storage access flag set=] with |key| from |map|. 1. Let |implicitly granted| and |implicitly denied| (each a [=boolean=]) be the result of running an [=implementation-defined=] set of steps to determine if |key|'s [=partitioned storage key/embedded origin=]'s request for storage access on |key|'s [=partitioned storage key/top-level site=] should be granted or denied without prompting the user. 1. Let |global| be |doc|'s [=relevant global object=]. -1. If |implicitly granted| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return. -1. If |implicitly denied| is true, [=queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|. +1. If |implicitly granted| is true, [=queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p|, and return. +1. If |implicitly denied| is true, [=queue a global task=] on the [=permissions task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|. 1. Let |permissionState| be the result of [=requesting permission to use=] "storage-access". -1. If |permissionState| is "granted", [=queue a global task=] on the [=permission task source=] given |global| to [=/resolve=] |p|, and return. +1. If |permissionState| is "granted", [=queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p|, and return. 1. Unset |flag set|'s [=has storage access flag=]. 1. If |doc|'s {{Window}} object has [=transient activation=], [=consume user activation=] with it. -1. [=Queue a global task=] on the [=permission task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}. +1. 
[=Queue a global task=] on the [=permissions task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}. @@ -296,21 +298,21 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf Note: The "denied" permission state is not revealed to avoid exposing the user's decision to developers. This is done to prevent retaliation against the user and repeated prompting to the detriment of the user experience.
    -
    [=powerful feature/permission key type]
    +
    [=powerful feature/permission key type=]
    - A [=permission key] of the "storage-access" feature has the type ([=site=], [=/origin=]). + A [=permission key=] of the "storage-access" feature has the type ([=site=], [=/origin=]).
    -
    [=powerful feature/permission key generation algorithm]
    +
    [=powerful feature/permission key generation algorithm=]
    - To generate a new [=permission key] for the "storage-access" feature, given an [=environment settings object=] |settings|, run the following steps: + To generate a new [=permission key=] for the "storage-access" feature, given an [=environment settings object=] |settings|, run the following steps: 1. Let |topLevelSite| be |settings|' [=top-level site=]. 1. Let |embeddedOrigin| be |settings|' [=environment settings object/origin=]. 1. Return (|topLevelSite|, |embeddedOrigin|).
    -
    [=powerful feature/permission key comparison algorithm]
    +
    [=powerful feature/permission key comparison algorithm=]
    - To compare the [=permission keys] |key1| and |key2| for the "storage-access" feature, run the following steps: + To compare the [=permission keys=] |key1| and |key2| for the "storage-access" feature, run the following steps: 1. If |key1|[0] is not [=same site=] with |key2|[0], return false. 1. If |key1|[1] is not [=same origin=] with |key2|[1], return false. From 258d2cffa8dbd6db6ac34ac2b594b38c27fa2348 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Wed, 14 Dec 2022 14:01:37 +0100 Subject: [PATCH 07/10] Update storage-access.bs Co-authored-by: Anne van Kesteren --- storage-access.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 3f7e62a..a888761 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -291,7 +291,7 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf
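Review bot: the new anchor block `text: permissions task source; url: #permissions-task-source; type: dfn` and the rename from "permission task source" make the cross-spec links resolve, and the `=` fixes on the permission key references complete the Bikeshed markup. One question on the @@ -211 hunk: resolving the Storage Access promise from the Permissions specification's task source couples this API's ordering to Permissions API tasks; if there is no reason to serialise with them, a task source defined by this specification would be the more conventional choice.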
    [=powerful feature/permission query algorithm=]
    - To query the "storage-access" permission, given a {{PermissionDescriptor}} |permissionDesc| and a {{PermissionStatus}} |status|, run the following steps: + To query the "storage-access" permission, given a {{PermissionDescriptor}} |permissionDesc| and a {{PermissionStatus}} |status|: 1. Set |status|'s {{PermissionStatus/state}} to |permissionDesc|'s [=permission state=]. 1. If |status|'s {{PermissionStatus/state}} is [=permission/denied=], set |status|'s {{PermissionStatus/state}} to [=permission/prompt=]. From 499f2448e123e134a5ff9419e2ea78f3db4addcf Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Wed, 14 Dec 2022 14:00:42 +0000 Subject: [PATCH 08/10] Address review feedback --- storage-access.bs | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index a888761..9a4a2f7 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -183,7 +183,7 @@ When invoked on {{Document}} |doc|, the ha 1. If |doc|'s [=Document/origin=] is [=same origin=] with the [=top-level origin=] of |doc|'s [=relevant settings object=], [=/resolve=] |p| with true and return |p|. 1. Let |key| be the result of [=generate a partitioned storage key|generating a partitioned storage key=] from |doc|. 1. If |key| is failure, [=resolve=] |p| with false and return |p|. -1. [=Resolve=] or [=reject=] |p| based on the result of running [=determine if a site has storage access=] with |key| and |doc|. +1. [=Resolve=] |p| with the result of running [=determine if a site has storage access=] with |key| and |doc|. 1. Return |p|. ISSUE: Shouldn't step 8 be [=same site=]? 
@@ -215,9 +215,12 @@ When invoked on {{Document}} |doc|, the re 1. [=Determine the storage access policy=] with |key|, |doc| and |hasAccess|. 1. [=Queue a global task=] on the [=permissions task source=] given |global| to 1. Set |flag set|'s [=has storage access flag=]. - 1. Resolve or reject |p| based on the result of |hasAccess|. + 1. If |hasAccess| is true, resolve |p|. + 1. Reject |p| with a "{{NotAllowedError}}" {{DOMException}}. 1. Return |p|. +ISSUE(privacycg/storage-access#144): We shouldn't use the permissions task source here. + ISSUE: Shouldn't step 9 be [=same site=]?

    User Agent storage access policies

    @@ -238,7 +241,7 @@ To determine the storage access policy for [=parti 1. Let |implicitly granted| and |implicitly denied| (each a [=boolean=]) be the result of running an [=implementation-defined=] set of steps to determine if |key|'s [=partitioned storage key/embedded origin=]'s request for storage access on |key|'s [=partitioned storage key/top-level site=] should be granted or denied without prompting the user. 1. Let |global| be |doc|'s [=relevant global object=]. 1. If |implicitly granted| is true, [=queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p|, and return. -1. If |implicitly denied| is true, [=queue a global task=] on the [=permissions task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return |p|. +1. If |implicitly denied| is true, [=queue a global task=] on the [=permissions task source=] given |global| to [=/reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return. 1. Let |permissionState| be the result of [=requesting permission to use=] "storage-access". 1. If |permissionState| is "granted", [=queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p|, and return. 1. Unset |flag set|'s [=has storage access flag=]. @@ -300,7 +303,7 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf
    [=powerful feature/permission key type=]
    - A [=permission key=] of the "storage-access" feature has the type ([=site=], [=/origin=]). + A [=permission key=] of the "storage-access" feature is a [=tuple=] consisting of a [=site=] key site and an [=/origin=] key origin.
    [=powerful feature/permission key generation algorithm=]
    @@ -314,8 +317,8 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf
    To compare the [=permission keys=] |key1| and |key2| for the "storage-access" feature, run the following steps: - 1. If |key1|[0] is not [=same site=] with |key2|[0], return false. - 1. If |key1|[1] is not [=same origin=] with |key2|[1], return false. + 1. If |key1|'s [=permission key/key site=] is not [=same site=] with |key2|'s [=permission key/key site=], return false. + 1. If |key1|'s [=permission key/key origin=] is not [=same origin=] with |key2|'s [=permission key/key origin=], return false. 1. Return true.
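Review bot: in the @@ -215 hunk, `+     1. If |hasAccess| is true, resolve |p|.` followed by `+     1. Reject |p| with a "{{NotAllowedError}}" {{DOMException}}.` has two problems: |hasAccess| is "a new promise" per the context line above, not a boolean, and the reject step is unconditional, relying on a reject after a resolve being a no-op. Write it as "If |hasAccess| was fulfilled, resolve |p|; otherwise reject |p| with ..." (or have the policy algorithm return a boolean), and move `1. Set |flag set|'s [=has storage access flag=].` under the success branch so a denial does not leave the flag set. The other hunks are straightforward: `[=Resolve=] |p| with the result` fixes the resolve-or-reject mismatch in hasStorageAccess(), the trailing `return |p|` becomes `return`, and the key tuple items get names.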
    From 2411f8d8f506f25da3f9c83002d2e93eef4b7f2d Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Thu, 15 Dec 2022 09:23:09 +0000 Subject: [PATCH 09/10] Compat for hSA, add note about (site,site) --- storage-access.bs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/storage-access.bs b/storage-access.bs index 9a4a2f7..e5a8ab7 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -183,7 +183,8 @@ When invoked on {{Document}} |doc|, the ha 1. If |doc|'s [=Document/origin=] is [=same origin=] with the [=top-level origin=] of |doc|'s [=relevant settings object=], [=/resolve=] |p| with true and return |p|. 1. Let |key| be the result of [=generate a partitioned storage key|generating a partitioned storage key=] from |doc|. 1. If |key| is failure, [=resolve=] |p| with false and return |p|. -1. [=Resolve=] |p| with the result of running [=determine if a site has storage access=] with |key| and |doc|. +1. Let |hasAccess| be the result of running [=determine if a site has storage access=] with |key| and |doc|. +1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=/resolve=] |p| with |hasAccess|. 1. Return |p|. ISSUE: Shouldn't step 8 be [=same site=]? @@ -304,6 +305,8 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf
    [=powerful feature/permission key type=]
    A [=permission key=] of the "storage-access" feature is a [=tuple=] consisting of a [=site=] key site and an [=/origin=] key origin. + + ISSUE(privacycg/storage-access#147): Note that this will likely change to a (site, site) keying.
    [=powerful feature/permission key generation algorithm=]
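Review bot: queuing `[=/resolve=] |p| with |hasAccess|` on the permissions task source in hasStorageAccess() restores asynchronous resolution, but it adds another call site of the task source that ISSUE(privacycg/storage-access#144) in patch 08 says should not be used; reference that issue here so both sites change together. The ISSUE(privacycg/storage-access#147) note about (site, site) keying is useful; since the comparison algorithm checks the second item with [=same origin=], it will need to change at the same time.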
    From 6a6a93a68f1119a324ddedd978a6bbb1277d4a9b Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Thu, 5 Jan 2023 12:36:27 +0000 Subject: [PATCH 10/10] Rebase, rename variables --- storage-access.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/storage-access.bs b/storage-access.bs index e5a8ab7..ffa9102 100644 --- a/storage-access.bs +++ b/storage-access.bs @@ -304,7 +304,7 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf
    [=powerful feature/permission key type=]
    - A [=permission key=] of the "storage-access" feature is a [=tuple=] consisting of a [=site=] key site and an [=/origin=] key origin. + A [=permission key=] of the "storage-access" feature is a [=tuple=] consisting of a [=site=] top-level and an [=/origin=] requester. ISSUE(privacycg/storage-access#147): Note that this will likely change to a (site, site) keying.
    @@ -320,8 +320,8 @@ The Storage Access API defines a [=powerful feature=] identified by the [=powerf
    To compare the [=permission keys=] |key1| and |key2| for the "storage-access" feature, run the following steps: - 1. If |key1|'s [=permission key/key site=] is not [=same site=] with |key2|'s [=permission key/key site=], return false. - 1. If |key1|'s [=permission key/key origin=] is not [=same origin=] with |key2|'s [=permission key/key origin=], return false. + 1. If |key1|'s [=permission key/top-level=] is not [=same site=] with |key2|'s [=permission key/top-level=], return false. + 1. If |key1|'s [=permission key/requester=] is not [=same origin=] with |key2|'s [=permission key/requester=], return false. 1. Return true.
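Review bot: renaming the tuple items to top-level and requester is clearer, but as shown in the hunk the definition sentence `a [=site=] top-level and an [=/origin=] requester` carries no dfn markup for the two names, while the comparison now references `[=permission key/top-level=]` and `[=permission key/requester=]`; unless those names are `<dfn for="permission key">` elements in the source (the markup may have been stripped in this rendering), Bikeshed will fail to resolve the links. The rename also makes the planned (site, site) change a one-place edit, which is a plus.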