From e125112aa403843fc57e595145484bf14029c965 Mon Sep 17 00:00:00 2001 From: Chris Fredrickson Date: Wed, 12 Apr 2023 13:53:38 -0400 Subject: [PATCH 1/2] Remove modification of `document.requestStorageAccess` algorithm --- index.bs | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index 9a19ed1..a2ae26a 100644 --- a/index.bs +++ b/index.bs @@ -127,7 +127,7 @@ When invoked on {{Document}} |doc| with {{USVString}} |requestedOrigin|, the top-level-storage-access" with |descriptor|. - NOTE: Note that when requesting permissions and deciding whether to show a prompt, user agents apply implementation-defined behavior to shape the end user experience. Particularly for `top-level-storage-access`, user agents are known to apply custom rules that will grant or deny a permission without showing a prompt. + NOTE: Note that when requesting permissions and deciding whether to show a prompt, user agents apply implementation-defined behavior to shape the end user experience. Particularly for `top-level-storage-access`, user agents are known to apply custom rules that will grant or deny a permission without showing a prompt. User agents may also treat the `top-level-storage-access` permission as a "superset" of other permissions, and may grant those other permissions when `top-level-storage-access` permission is granted. 1. If |permissionState| is [=permission/granted=]: 1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=resolve=] |p|. @@ -229,18 +229,9 @@ In [=http network or cache fetch=], when determining whether to block cookies, r

Storage Access API Integration

Note: even after a successful {{Document/requestStorageAccessFor(requestedOrigin)}} call, frames have to explicitly invoke {{Document/requestStorageAccess()}} for cookie access. -This modification allows {{Document/requestStorageAccessFor(requestedOrigin)}} to allow resolution of {{Document/requestStorageAccess()}} calls similarly to a prior successful {{Document/requestStorageAccess()}} grant. -
-Modify {{Document/requestStorageAccess()}} to insert the following steps before step 13.4 (i.e. before checking transient activation): +As noted above, user agents may choose to grant the corresponding `storage-access` permission when granting `top-level-storage-access` permission. -1. Let |settings| be doc's [=relevant settings object=]. -1. Let |origin| be |settings|' [=environment settings object/origin=]. -1. Let |descriptor| be a newly created {{TopLevelStorageAccessPermissionDescriptor}} with {{PermissionDescriptor/name}} set to "top-level-storage-access" and with {{TopLevelStorageAccessPermissionDescriptor/requestedOrigin}} set to |origin|. -1. If |descriptor|'s [=permission state=] is [=permission/granted=], [=queue a global task=] on the [=permissions task source=] given |global| to [=resolve=] |p|, and return. -1. If |descriptor|'s [=permission state=] is [=permission/denied=], [=queue a global task=] on the [=permissions task source=] given |global| to [=reject=] |p| with a "{{NotAllowedError}}" {{DOMException}}, and return. - -

Privacy considerations

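Review bot: in the @@ -127,7 +127,7 @@ hunk of PATCH 1/2, the sentence appended to the NOTE ("User agents may also treat the `top-level-storage-access` permission as a "superset" of other permissions, and may grant those other permissions when `top-level-storage-access` permission is granted") puts behaviour that affects interop into non-normative note text and never says which permissions are meant. If the intent is that granting `top-level-storage-access` also grants `storage-access`, name `storage-access` explicitly and express it as normative steps (for example a hook that runs when the permission is granted, keyed on the same permission key), keeping the NOTE to the prompting/UX point it already makes; if it is meant as purely informative, "other permissions" still needs to be narrowed so readers cannot infer that arbitrary permissions may be granted as a side effect.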
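Review bot: in the @@ -229,18 +229,9 @@ hunk of PATCH 1/2, dropping the steps inserted before step 13.4 of {{Document/requestStorageAccess()}} and replacing them with "As noted above, user agents may choose to grant the corresponding `storage-access` permission when granting `top-level-storage-access` permission" leaves the frame-side behaviour unspecified: whether an embedded frame's {{Document/requestStorageAccess()}} call resolves without transient activation after a successful {{Document/requestStorageAccessFor(requestedOrigin)}} now depends on an optional user agent choice, so two conforming implementations can legitimately diverge. Either keep a normative hook (for example, set the `storage-access` permission store entry when `top-level-storage-access` is granted) or reword the remaining Note to state plainly that frames may still be required to have transient activation and may still be prompted. Minor: "As noted above" refers to a NOTE in the requestStorageAccessFor algorithm in a different section; a direct reference to that algorithm would be clearer than a positional one.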
From 54d5d1bfa075cbd9a0694ab94a5cc719336bd7ce Mon Sep 17 00:00:00 2001 From: Chris Fredrickson Date: Wed, 19 Apr 2023 17:31:23 -0400 Subject: [PATCH 2/2] Swap "may" note for proper permissions integration --- index.bs | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index a2ae26a..997a649 100644 --- a/index.bs +++ b/index.bs @@ -127,7 +127,7 @@ When invoked on {{Document}} |doc| with {{USVString}} |requestedOrigin|, the top-level-storage-access" with |descriptor|. - NOTE: Note that when requesting permissions and deciding whether to show a prompt, user agents apply implementation-defined behavior to shape the end user experience. Particularly for `top-level-storage-access`, user agents are known to apply custom rules that will grant or deny a permission without showing a prompt. User agents may also treat the `top-level-storage-access` permission as a "superset" of other permissions, and may grant those other permissions when `top-level-storage-access` permission is granted. + NOTE: Note that when requesting permissions and deciding whether to show a prompt, user agents apply implementation-defined behavior to shape the end user experience. Particularly for `top-level-storage-access`, user agents are known to apply custom rules that will grant or deny a permission without showing a prompt. 1. If |permissionState| is [=permission/granted=]: 1. [=Queue a global task=] on the [=permissions task source=] given |global| to [=resolve=] |p|. @@ -154,9 +154,30 @@ To determine if a request has top-level storage access with [=request +

Changes to Permissions

+ +In [=specifies a powerful feature|specifying a powerful feature=], add the following algorithm: + +
+
+ A permission granted algorithm: +
+
+ Takes a [=permission key=]. Updates any other parts of the implementation that need to be kept in sync with changes in the results of [=permission states=] or [=extra permission data=]. + + If unspecified, this defaults to be a no-op. +
+
+ +When [=requesting permission to use=] "top-level-storage-access", replace step 6 ("Queue a task...") with the following steps: + +1. [=Queue a task=] on the [=current settings object=]'s [=responsible event loop=] to run the following steps: + 1. [=Set a permission store entry=] with descriptor, key, and |current state|. + 1. If |current state| is "[=permission/granted=]", run the [=permission granted algorithm=]. +

Permissions Integration

-The requestStorageAccessFor API defines a [=powerful feature=] identified by the [=powerful feature/name=] "top-level-storage-access". It defines the following permission-related algorithms: +The requestStorageAccessFor API defines a [=powerful feature=] identified by the [=powerful feature/name=] "top-level-storage-access". It defines the following permission-related algorithms:
{{PermissionDescriptor}}
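Review bot: in the @@ -154,9 +154,30 @@ hunk, the new "permission granted algorithm" is added to [=specifies a powerful feature|specifying a powerful feature=] as a generic, defaults-to-no-op algorithm for every powerful feature, but the only call site this patch adds is the replacement of step 6 of [=requesting permission to use=] scoped to "top-level-storage-access"; any other feature that defines the algorithm would never have it invoked. Either scope the definition to this feature ("for the top-level-storage-access feature, define...") or propose the step 6 change upstream in Permissions so that it applies to all features, and say which of the two is intended. Two smaller points in the same lines: the algorithm is defined as "Takes a [=permission key=]", yet the replacement step reads "run the [=permission granted algorithm=]" with no argument; write "run the [=permission granted algorithm=] with |key|". And in "[=Set a permission store entry=] with descriptor, key, and |current state|" only |current state| is marked as a variable; mark descriptor and key as |descriptor| and |key| so Bikeshed links them to the variables of the Permissions algorithm being modified.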
@@ -206,6 +227,17 @@ The requestStorageAccessFor API defines a [=powerful feature=] identified by the 1. If |key1| is null or |key2| is null, return false. 1. Return |key1| is [=same site=] with |key2|. + + +
[=powerful feature/permission granted algorithm=]
+
+
+ When permission to use the "top-level-storage-access" feature has been granted for [=permission key=] |key|, run the following steps: + 1. If |key| is null, return. + 1. Let |descriptor| be a {{PermissionDescriptor}} with name "storage-access". + 1. [=Set a permission store entry=] with |descriptor|, |key|, and "[=permission/granted=]". + 1. Run the [=permission granted algorithm=] for the "storage-access" feature. +
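Review bot: in the @@ -206,6 +227,17 @@ hunk, the last step "Run the [=permission granted algorithm=] for the "storage-access" feature" passes no permission key, although the algorithm as defined in this patch takes one; it should read "... for the "storage-access" feature with |key|". Two further points on the same steps: |key| is the `top-level-storage-access` permission key (the preceding lines compare such keys with [=same site=]) and it is reused unchanged as the store key for the `storage-access` descriptor; this page does not show the shape of the `storage-access` permission key, so confirm the two key types match or add an explicit conversion step before [=Set a permission store entry=]. Also, setting the `storage-access` entry to "[=permission/granted=]" unconditionally replaces whatever entry already exists for |key|, including one recorded as denied from an earlier in-frame request; state whether overriding a prior denial is intended, or check the existing `storage-access` [=permission state=] first and only upgrade from "prompt".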