Sec-Fetch-Storage-Access header

The HTTPSec-Fetch-Storage-Accessfetch metadata request header provides the "storage access status" for the current fetch context.

The status can indicate that permission to accessunpartitioned third-party cookies:

Is not granted.
Has been granted but not activated for the current request context.
Has been granted for the current request content, and the cookies have been sent with the request.

Supporting browsers must include this header on cross-site requests when the request credential mode isinclude.The header should not be sent with same-site requests (since those requests cannot involve cross-site cookies), or if the request'scredentials mode is "omit".The requested resource must also have apotentially trustworthy origin.

If a storage access permission has been granted but not activated, a server can respond withActivate-Storage-Access to request activation of the permission for the context.For more information seeStorage access headers in theStorage Access API overview.

Header type	Fetch Metadata Request Header
Forbidden request header	Yes (`Sec-` prefix)
CORS-safelisted request header	No

Syntax

http

Sec-Fetch-Storage-Access: noneSec-Fetch-Storage-Access: inactiveSec-Fetch-Storage-Access: active

Directives

A value indicating the storage access status for the current fetch context.The following values are allowed (servers should ignore other values):

none: The context does not have thestorage-access permission or access to unpartitioned cookies.
inactive: The context has thestorage-access permission, but has not opted into using it (and does not have unpartitioned cookie access through other means).If this value is set, then theOrigin request header should also be set.
active: The context has unpartitioned cookie access.If this value is set, then theOrigin request header should also be set.