Description
There are use cases where user interaction within an <iframe> is difficult to retrofit. Since the top-level document controls loading of subresources, it may be attractive to allow top-level sites to request storage access on behalf of embedded sites. There is a discussion in a similar vein in issues #53 and #83 as well.
Both Firefox and Safari have run into these issues before and solved them through the application of an internal-only "requestStorageAccessForOrigin" API (1, 2), which is applied on a case-by-case basis by custom browser scripts (Safari: 3, 4; Firefox: 5, 6, 7).
Exposing such an API would require elevated trust to prevent abuse and potential security issues; membership in the same First-Party Set is one possible trust signal, which Chrome is evaluating as a replacement for the SameParty cookie attribute.
See the relevant explainer for more context.
This issue is intended to track discussion about a potential requestStorageAccessFor function.