Following a successful origin trial, Chrome 131 is now using FedCM as a trust signal for the Storage Access API.
The Storage Access API (SAA) enables cross-origin iframes to request storage access permissions when access would otherwise be denied by browser settings.
Some websites may use both FedCM for authentication, and SAA to allow
cross-origin iframes to access required storage. For example, if idp.example
is embedded on rp.example, and idp.example needs storage access to its own
top-level cookie to show personalized content.
In this scenario, the user needs to approve two different prompts: one for authentication and another to grant cookie access, as SAA would trigger a permission prompt. FedCM simplifies the Storage Access API process by acting as a trust signal. Once the user logs in with FedCM, the IdP-initiated storage access requests are automatically granted, eliminating the need for additional SAA prompts.
// In top-level rp.example:
// Ensure FedCM permission has been granted.
const cred = await navigator.credentials.get({
identity: {
providers: [{
configURL: 'https://idp.example/fedcm.json',
clientId: '123',
}],
}
});
// In an embedded IdP iframe:
// Returns `true` if the user already has access to cookies, and `false` if
// the user doesn't have access yet and needs to request it.
const hasAccess = await document.hasStorageAccess()
if(!hasAccess){
// No user gesture is needed to approve storage access, and the call will be auto-granted.
document.requestStorageAccess().then(e=>{
//access cookies
})
} else{
//the iframe already has access to third-party cookies
}
Origin trial participants have provided positive feedback, highlighting the improved user experience enabled by a context-specific FedCM prompt over generic Storage Access API prompts.
Learn more about using FedCM to auto-grant storage access in the Storage Access API documentation.
Engage and provide feedback
File an issue to share feedback or report problems. We'll keep the FedCM developer guide up to date, along with the accumulated update logs page.