spec.bs

<pre class='metadata'>
Title: Shared Storage API
Shortname: sharedStorage
Level: 1
Status: CG-DRAFT
Group: WICG
Repository: WICG/shared-storage
URL: https://github.com/WICG/shared-storage
Editor: Camillia Smith Barnes, Google https://google.com, cammie@chromium.org
Markup Shorthands: markdown yes
Abstract: Shared Storage is a storage API that is intentionally not partitioned by top-level traversable site (though still partitioned by context origin of course!). To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment that has carefully constructed output gates.
</pre>

<pre class=link-defaults>
spec:infra;
    type:dfn;
        text:user agent
        for:/; text:string
    type:dfn;
        for:/; text:list
spec:webidl;
    type:interface;
        text:double
    type:dfn;
        text:an exception was thrown
spec:html;
    type:dfn;
        for:realm; text:global object
        for:WorkerGlobalScope; text:module map
        for:navigable; text:top-level traversable
spec:fenced-frame;
    type:dfn;
        for:fencedframetype; text:fenced frame reporter
        for:browsing context; text:fenced frame config instance
</pre>

<pre class="anchors">
urlPrefix: https://www.ietf.org/rfc/rfc4122.txt
    type: dfn; text: urn uuid
spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
    type: dfn
        text: worklets; url: worklets.html#worklets
        text: added modules list; url: worklets.html#concept-worklet-added-modules-list
        text: set up a worklet environment settings object; url: worklets.html#set-up-a-worklet-environment-settings-object
        text: fetch a worklet/module worker script graph; url: webappapis.html#fetch-a-worklet/module-worker-script-graph
        text: fetch a worklet script graph; url: webappapis.html#fetch-a-worklet-script-graph
        text: processCustomFetchResponse; url: webappapis.html#fetching-scripts-processcustomfetchresponse
        text: environment; url: webappapis.html#environment
        text: worklet event loop; url: webappapis.html#worklet-event-loop
        text: obtaining a worklet agent; url: webappapis.html#obtain-a-worklet-agent
        text: beginning navigation; url: webappapis.html#beginning-navigation
        text: ending navigation; url: webappapis.html#ending-navigation
        text: get the top-level traversable; url: webappapis.html#nav-top
        text: boolean attributes; url: common-microsyntaxes.html#boolean-attributes
        text: content attributes; url: dom.html#concept-element-attributes
        text: update the image data; url: images.html#update-the-image-data
        text: create navigation params by fetching; url: browsing-the-web.html#create-navigation-params-by-fetchin
        text: serialization; for: origin; url: browsers.html#ascii-serialisation-of-an-origin
        text: initialize the navigable; url: document-sequences.html#initialize-the-navigable
spec: url; urlPrefix: https://url.spec.whatwg.org/
    type: dfn
        text: URL; for: /; url: concept-url
spec: dom; urlPrefix: https://dom.spec.whatwg.org/
    type: dfn
        text: origin; for: document; url: concept-document-origin
spec: infra; urlPrefix: https://infra.spec.whatwg.org
    type: dfn
        text: empty; for: map; url: map-is-empty
        text: ASCII; url: ascii-code-point
spec: webidl; urlPrefix: https://webidl.spec.whatwg.org
    type: dfn
        text: Web IDL Standard; url: introduction
        text: async iterator; url: idl-async-iterable
        text: promise; url: idl-promise
        text: promise rejected; url: a-promise-rejected-with
        text: promise resolved; url: a-promise-resolved-with
spec: storage; urlPrefix: https://storage.spec.whatwg.org/
    type: dfn
        text: storage model; url: model
        text: storage type; url: storage-type
        text: storage identifier; url: storage-identifier
        text: storage shed; url: storage-shed
        text: storage shelf; url: storage-shelf
        text: storage bucket; url: storage-bucket
        text: storage bottle; url: storage-bottle
        text: quota; for: storage bottle; url: storage-bottle-quota
        text: register; for: storage endpoint; url: registered-storage-endpoints
        text: quota; for: storage endpoint; url: storage-endpoint-quota
        text: bucket map; url: bucket-map
        text: bottle map; url: bottle-map
        text: storage proxy map; url: storage-proxy-map
        text: backing map; url: storage-proxy-map-backing-map
        text: proxy map reference set; url: storage-bottle-proxy-map-reference-set
spec: beacon; urlPrefix: https://w3c.github.io/beacon/
    type: dfn
        text: beacon; url: beacon
spec: ecma; urlPrefix: https://tc39.es/ecma262/
    type: dfn
        text: call; url: sec-call
        text: current realm; url: current-realm
        text: casting; url: sec-touint32
        text: Get; url: sec-get-o-p
        text: [[GetPrototypeOf]](); for: object; url: sec-ordinary-object-internal-methods-and-internal-slots-getprototypeof
        text: IsConstructor(); url: sec-isconstructor
spec: storage-partitioning; urlPrefix: https://privacycg.github.io/storage-partitioning/
    type: dfn
        text: client-side storage partitioning
spec: fetch; urlPrefix: https://fetch.spec.whatwg.org/
    type: dfn
        text: http network or cache fetch; url: concept-http-network-or-cache-fetch
        text: request-constructor; url: dom-request
spec: permissions-policy; urlPrefix: https://www.w3.org/TR/permissions-policy/
    type: dfn
        text: Is feature enabled in document for origin?; url: algo-is-feature-enabled
spec: attestation; urlPrefix: https://github.com/privacysandbox/attestation
    type: dfn
        text: enrolled
spec: private-aggregation-api; urlPrefix: https://patcg-individual-drafts.github.io/private-aggregation-api/
    type: dfn
        text: Private Aggregation; url:
        text: get the privateAggregation
        text: determine if an origin is an aggregation coordinator
        text: pre-specified report parameters
        for: pre-specified report parameters
            text: context ID
            text: filtering ID max bytes
        text: batching scope
        text: debug scope
        text: process contributions for a batching scope
        text: set the aggregation coordinator for a batching scope
        text: determine if a report should be sent deterministically
        text: mark a debug scope complete
        text: set the pre-specified report parameters for a batching scope
        text: aggregation coordinator
        text: default filtering id max bytes
        text: valid filtering id max bytes range
        text: context id
        text: scoping details
        for: scoping details
            text: get batching scope steps
            text: get debug scope steps
        text: private-aggregation
        for: PrivateAggregation
            text: allowed to use
            text: scoping details; url: #privateaggregation-scoping-details
    type: interface
        text: PrivateAggregation
spec: protected-audience; urlPrefix: https://wicg.github.io/turtledove/
    type: dfn
        text: get storage interest groups for owner
    type: interface
        text: StorageInterestGroup; url: dictdef-storageinterestgroup
spec: fenced-frame; urlPrefix: https://wicg.github.io/fenced-frame/
    type: dfn
        text: fenced frame; url: the-fencedframe-element
        text: url; for: FencedFrameConfig; url: dom-fencedframeconfig-url
        text: fence.reportEvent(); url: dom-fence-reportevent
        text: FenceEvent; url: dictdef-fenceevent
        text: destination; for: FenceEvent; url: dom-fenceevent-destination
        text: eventData; for: FenceEvent; url: dom-fenceevent-eventdata
        text: eventType; for: FenceEvent; url: dom-fenceevent-eventtype
    type: interface
        text: FencedFrameConfig; url: fencedframeconfig
spec: rfc8941; urlPrefix: https://httpwg.org/specs/rfc8941.html
    type: dfn
        text: structured header; url: specify
        text: list; for: structured header; url: list
        text: parameters; for: structured header; url: param
        text: item; for: structured header; url: item
        text: string; for: structured header; url: string
        text: token; for: structured header; url: token
        text: byte sequence; for: structured header; url: binary
        text: boolean; for: structured header; url: boolean
        text: inner list; for: structured header; url: inner-list
        text: bare item; for: structured header; url: item
spec: wikipedia-entropy; urlPrefix: https://en.wikipedia.org/wiki/Entropy_(information_theory)
    type: dfn
        text: bits of entropy
        text: entropy bits
spec: shared-storage-explainer; urlPrefix: https://github.com/WICG/shared-storage
    type:dfn
        text: legitimate use cases; url: example-scenarios
spec: UUID; urlPrefix: https://www.ietf.org/rfc/rfc4122.txt
    type: dfn
        text: urn uuid; url: urn-uuid
spec: hr-time; urlPrefix: https://w3c.github.io/hr-time/
    type: dfn
        text: current wall time; url: dfn-current-wall-time
</pre>

<style>
/* adapted from .XXX at https://resources.whatwg.org/standard.css */
.todo {
  color: #D50606;
  background: white;
  border: solid #D50606;
}

span.todo {
  padding-top: 0;
  padding-bottom: 0;
}

.todo::before { content: 'TODO: '; }

span.todo::before {
  left: 0;
  top: -0.25em;
}
</style>

Introduction {#intro}
=====================
<em>This section is not normative.</em>

In order to prevent cross-site user tracking, browsers are partitioning all forms of storage by [=top-level traversable=] site; see [=Client-Side Storage Partitioning=]. But, there are many [=legitimate use cases=] currently relying on unpartitioned storage.

This document introduces a new storage API that is intentionally not partitioned by [=top-level traversable=] site (though still partitioned by context origin), in order to serve a number of the use cases needing unpartitioned storage. To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment, called a worklet, and any output from the worklet is in the form of a [=fenced frame=] or a [=Private Aggregation=] report. Over time, there may be additional ouput gates included in the standard.

<div class="example">
  `a.example` randomly assigns users to groups in a way that is consistent cross-site.

  Inside an `a.example` iframe:
  <pre class="lang-js">
    function generateSeed() { … }
    await window.sharedStorage.worklet.addModule('experiment.js');

    // Only write a cross-site seed to a.example's storage if there isn't one yet.
    window.sharedStorage.set('seed', generateSeed(), { ignoreIfPresent: true });

    let fencedFrameConfig = await window.sharedStorage.selectURL(
      'select-url-for-experiment',
      [
        {url: "blob:https://a.example/123…", reportingMetadata: {"click": "https://report.example/1..."}},
        {url: "blob:https://b.example/abc…", reportingMetadata: {"click": "https://report.example/a..."}},
        {url: "blob:https://c.example/789…"}
      ],
      { data: { name: 'experimentA' } }
    );

    // Assumes that the fenced frame 'my-fenced-frame' has already been attached.
    document.getElementById('my-fenced-frame').config = fencedFrameConfig;
  </pre>

  inside the `experiment.js` worklet script:
  <pre class="lang-js">
    class SelectURLOperation {
      hash(experimentName, seed) { … }

      async run(urls, data) {
        const seed = await this.sharedStorage.get('seed');
        return hash(data.name, seed) % urls.length;
      }
    }
    register('select-url-for-experiment', SelectURLOperation);
  </pre>
</div>

The {{SharedStorageWorklet}} Interface {#worklet}
=================================================
The {{SharedStorageWorklet}} object allows developers to supply [=module scripts=] to process [=Shared Storage=] data and then output the result through one or more of the output gates. Currently there are two output gates, the [=Private Aggregation=] output gate and the {{SharedStorageWorklet/selectURL()|URL-selection}} output gate.

<xmp class='idl'>
  typedef (USVString or FencedFrameConfig) SharedStorageResponse;
</xmp>

<xmp class='idl'>
  [Exposed=(Window)]
  interface SharedStorageWorklet : Worklet {
    Promise<SharedStorageResponse> selectURL(DOMString name,
                                 sequence<SharedStorageUrlWithMetadata> urls,
                                 optional SharedStorageRunOperationMethodOptions options = {});
    Promise<any> run(DOMString name,
                     optional SharedStorageRunOperationMethodOptions options = {});
  };
</xmp>

Each {{SharedStorageWorklet}} has an associated boolean <dfn for="SharedStorageWorklet">addModule initiated</dfn>, initialized to false.

Each {{SharedStorageWorklet}} has an associated {{USVString}} <dfn for="SharedStorageWorklet">data origin</dfn>, initialized to `"context-origin"`.

Each {{SharedStorageWorklet}} has an associated boolean <dfn for="SharedStorageWorklet">has cross-origin data origin</dfn>, initialized to false.

Because adding multiple [=module scripts=] via {{Worklet/addModule()}} for the same {{SharedStorageWorklet}} would give the caller the ability to store data from [=Shared Storage=] in global variables defined in the [=module scripts=] and then exfiltrate the data through later call(s) to {{Worklet/addModule()}}, each {{SharedStorageWorklet}} can only call {{Worklet/addModule()}} once. The [=addModule initiated=] boolean makes it possible to enforce this restriction.

When {{Worklet/addModule()}} is called for a worklet, it will run [=check if addModule is allowed and update state=], and if the result is "DisallowedDueToNonPreferenceError", or if the result is "DisallowedDueToPreferenceError" and the worklet's [=SharedStorageWorklet/has cross-origin data origin=] is false, it will cause {{Worklet/addModule()}} to fail, as detailed in the [[#add-module-monkey-patch]].

  <div algorithm>
    To <dfn>check if user preference setting allows access to shared storage</dfn> given an [=environment settings object=] |environment| and an [=/origin=] |origin|, run the following step:

    1. Using values available in |environment| and |origin| as needed, perform an [=implementation-defined=] algorithm to return either true or false.
  </div>

  <div algorithm>
    To <dfn>determine whether shared storage is allowed by context</dfn>, given an [=environment settings object=] |environment|, an [=/origin=] |origin|, and a boolean |allowedInOpaqueOriginContext|, run these steps:

    1. If |environment| is not a [=secure context=], then return false.
    1. If |allowedInOpaqueOriginContext| is false and |environment|'s [=environment settings object/origin=] is an [=opaque origin=], then return false.
    1. If |origin| is an [=opaque origin=], then return false.
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. [=Assert=]: |globalObject| is a {{Window}} or a {{SharedStorageWorkletGlobalScope}}.
    1. If |globalObject| is a {{Window}}, and if the result of running [=Is feature enabled in document for origin?=] on "[=PermissionsPolicy/shared-storage=]", |globalObject|'s [=associated document=], and |origin| returns false, then return false.
    1. If the result of running [=obtaining a site|obtain a site=] with |origin| is not [=enrolled=], then return false.
    1. Return true.
  </div>

  <div class="note">
    Here are the scenarios where the algorithms [=determine whether shared storage is allowed by context=] and [=check if user preference setting allows access to shared storage=] are used:

    - For creating a worklet, |environment| is the [=environment settings object=] associated with the {{Window}} that created the worklet, and |origin| is the module script url's [=url/origin=].
    - For running operations on a worklet (from a {{Window}}), |environment| is the [=environment settings object=] associated with the {{Window}} that created the worklet, and |origin| is the worklet's [=global scopes=][0]'s [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    - For [[#setter]], |environment| is either the current context (when called from a {{Window}}) or the [=environment settings object=] associated with the {{Window}} that created the worklet (when called from a {{SharedStorageWorkletGlobalScope}}), and |origin| is |environment|'s [=environment settings object/origin=].
    - For [[#ss-fetch-algo]], |environment| is the request's [=request/window=], and |origin| is the request's [=request/current URL=]'s [=url/origin=].
    - For [[#ss-fetch-algo]], for {{SharedStorage/createWorklet()}} called with a cross-origin worklet script using the <var ignore=''>dataOrigin</var> option with value `"script-origin"` (which would result in a worklet where [=SharedStorageWorklet/has cross-origin data origin=] is true), and for {{SharedStorageWorklet/selectURL()}} and {{SharedStorageWorklet/run()}} that operate on a worklet where [=SharedStorageWorklet/has cross-origin data origin=] is true, |allowedInOpaqueOriginContext| is true. For other methods, |allowedInOpaqueOriginContext| is false.
  </div>

  <div algorithm>
    To <dfn>check if addModule is allowed and update state</dfn> given a {{SharedStorageWorklet}} |worklet| and a [=/URL=] |moduleURLRecord|, run the following steps:
    1. If |worklet|'s [=addModule initiated=] is true, return "DisallowedDueToNonPreferenceError".
    1. Set |worklet|'s [=addModule initiated=] to true.
    1. Let |workletDataOrigin| be the [=current settings object=]'s [=environment settings object/origin=].
    1. If |worklet|'s [=SharedStorageWorklet/data origin=] is `"script-origin"`, set |workletDataOrigin| to |moduleURLRecord|'s [=url/origin=].
    1. Otherwise, if |worklet|'s [=SharedStorageWorklet/data origin=] is not `"context-origin"`:
        1. Let |customOriginUrl| be the result of running a [=URL parser=] on |worklet|'s [=SharedStorageWorklet/data origin=].
        1. If |customOriginUrl| is not a valid [=/URL=], return "DisallowedDueToNonPreferenceError".
        1. Set |workletDataOrigin| to |customOriginUrl|'s [=url/origin=].
    1. Let |hasCrossOriginDataOrigin| be false.
    1. If |workletDataOrigin| and the [=current settings object=]'s [=environment settings object/origin=] are not [=same origin=], then set |hasCrossOriginDataOrigin| to true.
    1. Let |allowedInOpaqueOriginContext| be |hasCrossOriginDataOrigin|.
    1. If the result of running [=determine whether shared storage is allowed by context=] given the [=current settings object=], |workletDataOrigin|, and |allowedInOpaqueOriginContext| is false, return "DisallowedDueToNonPreferenceError".
    1. Set |worklet|'s [=SharedStorageWorklet/has cross-origin data origin=] to |hasCrossOriginDataOrigin|.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given the [=current settings object=] and |workletDataOrigin| is false, return "DisallowedDueToPreferenceError".
    1. Return "Allowed".
  </div>

Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes=], initially empty, can contain at most one instance of its [=worklet global scope type=], the {{SharedStorageWorkletGlobalScope}}.

  ## Run Operation Methods on {{SharedStorageWorklet}} ## {#run-op-shared-storage-worklet}

  <div algorithm>
    To <dfn>get the select-url result index</dfn>, given {{SharedStorageWorklet}} |worklet|, {{DOMString}} |operationName|, [=/list=] of [=strings=] |urlList|, an [=/origin=] |workletDataOrigin|, a [=/navigable=] |navigable|, {{SharedStorageRunOperationMethodOptions}} |options|, a [=pre-specified report parameters=] or null |preSpecifiedParams| and an [=aggregation coordinator=] or null |aggregationCoordinator|, run the following steps. This algorithm will return a [=tuple=] consisting of a [=promise=] that resolves into an {{unsigned long}} whose value is the index of the URL selected from |urlList| and a [=/boolean=] indicating whether the [top-level traversable's budgets](#charge-top-trav-budgets) should be [=charge shared storage top-level traversable budgets|charged=].

    1. Let |promise| be a new [=promise=].
    1. Let |window| be |worklet|'s [=relevant settings object=].
    1. [=Assert=]: |window| is a {{Window}}.
    1. If |window|'s [=Window/browsing context=] is null, then return the [=tuple=] of a ([=promise rejected=] with a {{TypeError}}, true).
    1. If |window|'s [=associated document=] is not [=fully active=], return the [=tuple=] of a ([=promise rejected=] with a {{TypeError}}, true).
    1. [=Assert=]: |worklet|'s [=global scopes=]'s [=list/size=] is 1.
    1. Let |globalScope| be |worklet|'s [=global scopes=][0].
    1. Let |moduleMapKeyTuples| be the result of running [=map/get the keys=] on |globalScope|'s [=relevant settings object=]'s [=module map=].
    1. [=Assert=]: |moduleMapKeyTuples| has [=map/size=] 1.
    1. Let |moduleURLRecord| be |moduleMapKeyTuples|[0][0].
    1. Let |savedQueryName| be |options|["`savedQuery`"].
    1. If |savedQueryName| is a [=string=] that is not the empty string, then:
        1. Let |callbackTask| be the result of running [=obtain a callback to process the saved index result=], given |window|, |urlList|, and |promise|.
        1. Let |savedIndex| be the result of running [=get the index for a saved query=] on |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and |callbackTask|.
        1. If |savedIndex| is "pending callback", then return the [=tuple=] (|promise|, false).

            Note: |callbackTask| is now stored to be run when a previously obtained worklet agent completes its operation to select the index for this query. When the steps of |callbackTask| are run, |promise| will be resolved.
        1. If |savedIndex| is an {{unsigned long}}, then:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to run the steps of |callbackTask|, given |savedIndex|.

                Note: Running the steps of |callbackTask| will resolve |promise|.
            1. Return the [=tuple=] (|promise|, false).
        1. [=Assert=] that |savedIndex| is "pending current operation".
    1. [=Queue a task=] on |globalScope|'s [=worklet event loop=] to perform the following steps:
        1. Let |operationMap| be |globalScope|'s [=SharedStorageWorkletGlobalScope/operation map=].
        1. If |operationMap| does not [=map/contain=] |operationName|, then [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}, and abort these steps.

            Note: This could happen if {{SharedStorageWorkletGlobalScope/register()}} was never called with |operationName|.

        1. [=Assert=]: |operationMap|[|operationName|]'s [=associated realm=] is [=this=]'s [=relevant realm=].
        1. Let |operation| be |operationMap|[|operationName|], [=converted to an IDL value|converted=] to {{RunFunctionForSharedStorageSelectURLOperation}}.
        1. Let |privateAggregationCompletionTask| be the result of [=setting up the Private Aggregation scopes=] given |workletDataOrigin|, |preSpecifiedParams| and |aggregationCoordinator|.
        1. Let |argumentsList| be the [=/list=] « |urlList| ».
        1. If |options|["{{SharedStorageRunOperationMethodOptions/data}}"] [=map/exists=], [=list/append=] it to |argumentsList|.
        1. Let |indexPromise| be the result of [=invoking=] |operation| with |argumentsList|.
        1. [=promise/React=] to |indexPromise|:

            <dl class="switch">
                :   If it was fulfilled with value |index|:
                ::  1. If |index| is greater than |urlList|'s [=list/size=], then:
                        1. If |savedQueryName| is a [=string=] that is not the empty string, then run [=store the index for a saved query=] with |window|, |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and the [=default selectURL index=].
                        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}, and abort these steps.

                        Note: The result index is beyond the input urls' size. This violates the selectURL() protocol, and we don't know which url should be selected.

                        Otherwise:
                        1. If |savedQueryName| is a [=string=] that is not the empty string, then run [=store the index for a saved query=] with |window|, |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and |index|.
                        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=resolve=] |promise| with |index|.
                        1. Run |privateAggregationCompletionTask|.

                :   If it was rejected:
                ::  1. If |savedQueryName| is a [=string=] that is not the empty string, then run [=store the index for a saved query=] with |window|, |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and the [=default selectURL index=].
                    1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}.

                        Note: This indicates that either |operationCtor|'s run() method encounters an error (where |operationCtor| is the parameter in {{SharedStorageWorkletGlobalScope/register()}}), or the result |index| is a non-integer value, which violates the selectURL() protocol, and we don't know which url should be selected.
                    1. Run |privateAggregationCompletionTask|.
            </dl>
    1. Return the [=tuple=] (|promise|, true).
  </div>

  <div algorithm>
    To <dfn>handle the result of selecting an index</dfn>, given a {{SharedStorageWorklet}} |worklet|, an [=environment settings object=] |environment|, a {{Document}} |document|, a {{sequence}} of {{SharedStorageUrlWithMetadata}} |urls|, a [=list=] of [=strings=] |urlList|, a [=/navigable=] |navigable|, a {{SharedStorageRunOperationMethodOptions}} |options|, a [=traversable navigable/fenced frame config mapping=] |fencedFrameConfigMapping|, a [=urn uuid=] |urn|, a [=/boolean=] |shouldChargeTopLevelBudgets|, a [=/boolean=] |shouldUseDefaultIndex|, and an {{unsigned long}} |resultIndex|, perform the following steps:

    1. Let |site| be the result of running [=obtain a site=] with |document|'s [=Document/origin=].
    1. Let |remainingBudget| be the result of running [=determine remaining navigation budget=] with |environment| and |site|.
    1. Let |pendingBits| be the logarithm base 2 of |urlList|'s [=list/size=].
    1. If |shouldChargeTopLevelBudgets| is true:
        1. Let |pageBudgetResult| be the result of running [=charge shared storage top-level traversable budgets=] with |navigable|, |site|, and |pendingBits|.
        1. If |pageBudgetResult| is false, set |shouldUseDefaultIndex| to true.
    1. If |pendingBits| is greather than |remainingBudget|, set |shouldUseDefaultIndex| to true.
    1. If |shouldUseDefaultIndex| is true, set |resultIndex| to the [=default selectURL index=].
    1. Let |finalConfig| be a new [=fenced frame config=].
    1. Set |finalConfig|'s [=fenced frame config/mapped url=] to |urlList|[|resultIndex|].
    1. Set |finalConfig|'s <span class=todo>a "pending shared storage budget debit" field</span> to |pendingBits|.
    1. [=Finalize a pending config=] on |fencedFrameConfigMapping| with |urn| and |finalConfig|.
    1. Let |resultURLWithMetadata| be |urls|[|resultIndex|].
    1. If |resultURLWithMetadata| has field "`reportingMetadata`", run [=register reporting metadata=] with |resultURLWithMetadata|["`reportingMetadata`"].
    1. If |options|["`keepAlive`"] is false, run [=terminate a worklet global scope=] with |worklet|.

  </div>

  <div algorithm>
    The <dfn method for="SharedStorageWorklet">selectURL(|name|, |urls|, |options|)</dfn> method steps are:

    1. Let |resultPromise| be a new [=promise=].
    1. If [=this=]'s [=addModule initiated=] is false, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |window| be [=this=]'s [=relevant settings object=].
    1. [=Assert=]: |window| is a {{Window}}.
    1. Let |context| be |window|'s [=Window/browsing context=].
    1. If |context| is null, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |preSpecifiedParams| be the result of [=obtaining the pre-specified
        report parameters=] given |options| and |context|.
    1. If |preSpecifiedParams| is a {{DOMException}}, return [=a promise rejected
        with=] |preSpecifiedParams|.
    1. Let |aggregationCoordinator| be the result of [=obtaining the aggregation
        coordinator=] given |options|.
    1. If |aggregationCoordinator| is a {{DOMException}}, return [=a promise
        rejected with=] |aggregationCoordinator|.
    1. Let |document| be |context|'s [=active document=].
    1. If [=this=]'s [=global scopes=] is [=list/empty=], then return a [=promise rejected=] with a {{TypeError}}.

        Note: This can happen if {{SharedStorageWorklet/selectURL()}} is called before {{addModule()}}.
    1. [=Assert=]: [=this=]'s [=global scopes=]'s [=list/size=] is 1.
    1. Let |globalScope| be [=this=]'s [=global scopes=][0].
    1. Let |workletDataOrigin| be |globalScope|'s [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If the result of running [=Is feature enabled in document for origin?=] on "[=PermissionsPolicy/shared-storage-select-url=]", |document|, and |workletDataOrigin| returns false, return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for |globalScope| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |urls| is empty or if |urls|'s [=list/size=] is greater than 8, return a [=promise rejected=] with a {{TypeError}}.

        Note: 8 is chosen here so that each call of {{SharedStorageWorklet/selectURL()}} can leak at most log2(8) = 3 bits of information when the result fenced frame is clicked. It's not a lot of information per-call.

    1. Let |urlList| be an empty [=list=].
    1. [=map/iterate|For each=] |urlWithMetadata| in |urls|:
        1. If |urlWithMetadata| has no field "`url`", return a [=promise rejected=] with a {{TypeError}}.
        1. Otherwise, let |urlString| be |urlWithMetadata|["`url`"].
        1. Let |serializedUrl| be the result of running [=get the canonical URL string if valid=] with |urlString|.
        1. If |serializedUrl| is undefined, return a [=promise rejected=] with a {{TypeError}}.
        1. Otherwise, [=list/append=] |serializedUrl| to |urlList|.
        1. If |urlWithMetadata| has field "`reportingMetadata`":
            1. Let |reportingMetadata| be |urlWithMetadata|["`reportingMetadata`"].
            1. If the result of running [=validate reporting metadata=] with |reportingMetadata| is false, [=reject=] |resultPromise| with a {{TypeError}} and abort these steps.
    1. Let |navigable| be |window|'s [=associated document=]'s [=node navigable=].
    1. Let |fencedFrameConfigMapping| be |navigable|'s [=navigable/traversable navigable=]'s [=traversable navigable/fenced frame config mapping=].
    1. Let |pendingConfig| be a new [=fenced frame config=].
    1. Let |urn| be the result of running [=fenced frame config mapping/store a pending config=] on |fencedFrameConfigMapping| with |pendingConfig|.
    1. If |urn| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |window|'s [=relevant settings object=].
    1. Let |allowedInOpaqueOriginContext| be [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=].
    1. If the result of running [=determine whether shared storage is allowed by context=] given |environment|, |workletDataOrigin|, and |allowedInOpaqueOriginContext| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |environment| and |workletDataOrigin| is false:
        1. If [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=] is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |options|["`resolveToConfig`"] is true, [=resolve=] |resultPromise| with |pendingConfig|.
    1. Otherwise, [=resolve=] |resultPromise| with |urn|.
    1. Let (|indexPromise|, |shouldChargeTopLevelBudgets|) be the result of running [=get the select-url result index=], given [=this=], |name|, |urlList|, |workletDataOrigin|, |navigable|, |options|, |preSpecifiedParams| and |aggregationCoordinator|.
    1. [=Upon fulfillment=] of |indexPromise| with |resultIndex|, run [=handle the result of selecting an index=] given |worklet|, |environment|, |document|, |urls|, |urlList|, |navigable|, |options|, |fencedFrameConfigMapping|, |urn|, |shouldChargeTopLevelBudgets|, false, and |resultIndex|.
    1. [=Upon rejection=] of |indexPromise|, run [=handle the result of selecting an index=] given |worklet|, |environment|, |document|, |urls|, |urlList|, |navigable|, |options|, |fencedFrameConfigMapping|, |urn|, |shouldChargeTopLevelBudgets|, true, and the [=default selectURL index=].
    1. Return |resultPromise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorageWorklet">run(|name|, |options|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If [=this=]'s [=addModule initiated=] is false, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |window| be [=this=]'s [=relevant settings object=].
    1. [=Assert=]: |window| is a {{Window}}.
    1. Let |context| be |window|'s [=Window/browsing context=].
    1. If |context| is null, then return [=a promise rejected with=] a
        {{TypeError}}.
    1. Let |preSpecifiedParams| be the result of [=obtaining the pre-specified
        report parameters=] given |options| and |context|.
    1. If |preSpecifiedParams| is a {{DOMException}}, return [=a promise rejected
        with=] |preSpecifiedParams|.
    1. Let |aggregationCoordinator| be the result of [=obtaining the aggregation
        coordinator=] given |options|.
    1. If |aggregationCoordinator| is a {{DOMException}}, return [=a promise
        rejected with=] |aggregationCoordinator|.
    1. If [=this=]'s [=global scopes=] is [=list/empty=], then return a [=promise rejected=] with a {{TypeError}}.

        Note: This can happen if {{SharedStorageWorklet/run()}} is called before {{addModule()}}.
    1. [=Assert=]: [=this=]'s [=global scopes=]'s [=list/size=] is 1.
    1. Let |globalScope| be [=this=]'s [=global scopes=][0].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for |globalScope| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |workletDataOrigin| be |globalScope|'s [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. Let |allowedInOpaqueOriginContext| be [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=].
    1. If the result of running [=determine whether shared storage is allowed by context=] given |window|, |workletDataOrigin|, and |allowedInOpaqueOriginContext| is false, [=reject=] |promise| with a {{TypeError}}.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |window| and |workletDataOrigin| is false:
        1. If [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=] is false, [=reject=] |promise| with a {{TypeError}}.
        1. Else, [=resolve=] |promise| with undefined.
        1. Return |promise|.
    1. Return |promise|, and immediately [=obtaining a worklet agent=] given |window| and run the rest of these steps in that agent:

        Note: The |promise|'s resolution should be before and not depend on the execution inside {{SharedStorageWorkletGlobalScope}}. This is because shared storage is a type of unpartitioned storage, and a {{SharedStorageWorkletGlobalScope}} can have access to cross-site data, which shouldn't be leaked via {{SharedStorageWorklet/run()}} (via its success/error result).

        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=resolve=] |promise| with undefined.
        1. If |globalScope|'s [=relevant settings object=]'s [=module map=] is not [=map/empty=]:
            1. Let |operationMap| be [=this=]'s {{SharedStorageWorkletGlobalScope}}'s [=SharedStorageWorkletGlobalScope/operation map=].
            1. If |operationMap| [=map/contains=] |name|:
                1. [=Assert=]: |operationMap|[|name|]'s [=associated realm=] is [=this=]'s [=relevant realm=].
                1. Let |operation| be |operationMap|[|name|], [=converted to an IDL value|converted=] to {{Function}}.
                1. Let |privateAggregationCompletionTask| be the result of [=setting up the Private Aggregation scopes=] given |workletDataOrigin|, |preSpecifiedParams| and |aggregationCoordinator|.
                1. Let |argumentsList| be a new [=/list=].
                1. If |options|["{{SharedStorageRunOperationMethodOptions/data}}"] [=map/exists=], [=list/append=] it to |argumentsList|.
                1. [=Invoke=] |operation| with |argumentsList| and "`report`".
                1. Wait for |operation| to finish running, if applicable.
                1. Run |privateAggregationCompletionTask|.
        1. If |options|["`keepAlive`"] is false:
            1. Wait for |operation| to finish running, if applicable.
            1. Run [=terminate a worklet global scope=] with [=this=].
  </div>

  <div algorithm>
    To <dfn>obtain the aggregation coordinator</dfn> given a
    {{SharedStorageRunOperationMethodOptions}} |options|, perform the following
    steps. They return an [=aggregation coordinator=], null or a {{DOMException}}:

    1. If |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]
        does not [=map/exist=], return null.
    1. If |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]["{{SharedStoragePrivateAggregationConfig/aggregationCoordinatorOrigin}}"]
        does not [=map/exist=], return null.
    1. Return the result of [=obtaining the Private Aggregation coordinator=]
        given
        |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]["{{SharedStoragePrivateAggregationConfig/aggregationCoordinatorOrigin}}"].
  </div>

  <div algorithm>
    To <dfn>obtain the pre-specified report parameters</dfn> given a
    {{SharedStorageRunOperationMethodOptions}} |options| and a [=/browsing
    context=] |context|, perform the following steps. They return a
    [=pre-specified report parameters=], null, or a {{DOMException}}:
    1. If |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]
        does not [=map/exist=], return null.
    1. Let |privateAggregationConfig| be
        |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"].
    1. Let |contextId| be null.
    1. If |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/contextId}}"]
        [=map/exists=], set |contextId| to
        |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/contextId}}"].
    1. If |contextId|'s [=string/length=] is greater than 64, return a new
        {{DOMException}} with name "`DataError`".
    1. Let |filteringIdMaxBytes| be the [=default filtering ID max bytes=].
    1. If |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/filteringIdMaxBytes}}"]
        [=map/exists=], set |filteringIdMaxBytes| to
        |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/filteringIdMaxBytes}}"].
    1. If |filteringIdMaxBytes| is not [=set/contained=] in the [=valid filtering ID
        max bytes range=], return a new {{DOMException}} with name "`DataError`".
    1. If |context|'s [=browsing context/fenced frame config instance=] is not null:
        1. If |filteringIdMaxBytes| is not the [=default filtering ID max bytes=] or
            |contextId| is not null, return a new {{DOMException}} with name
            "`DataError`".
    1. Return a new [=pre-specified report parameters=] with the items:
        : <a spec="private-aggregation-api" for="pre-specified report parameters">context ID</a>
        :: |contextId|
        : [=pre-specified report parameters/filtering ID max bytes=]
        :: |filteringIdMaxBytes|
  </div>

  <div algorithm>
    To <dfn>set up the Private Aggregation scopes</dfn> given an [=/origin=]
    |workletDataOrigin|, a [=pre-specified report parameters=] or null
    |preSpecifiedParams| and an [=aggregation coordinator=] or null
    |aggregationCoordinator|, peform the following steps. They return an
    algorithm.

    Note: The returned algorithm should be run when the associated operation is
        complete.

    1. Let |batchingScope| be a new [=batching scope=].
    1. Let |debugScope| be a new [=debug scope=].
    1. Let |privateAggregationTimeout| be null.
    1. Let |hasRunPrivateAggregationCompletionTask| be false.
    1. Let |privateAggregationCompletionTask| be an algorithm to perform the
        following steps:
        1. If |hasRunPrivateAggregationCompletionTask|, return.
        1. Set |hasRunPrivateAggregationCompletionTask| to true.
        1. [=Mark a debug scope complete=] given |debugScope|.
        1. [=Process contributions for a batching scope=] given
            |batchingScope|, |workletDataOrigin|, "<code>shared-storage</code>"
            and |privateAggregationTimeout|.
    1. If |aggregationCoordinator| is not null, [=set the aggregation coordinator
        for a batching scope=] given |aggregationCoordinator| and |batchingScope|.
    1. If |preSpecifiedParams| is not null:
        1. Let |isDeterministicReport| be the result of [=determining if a report
            should be sent deterministically=] given |preSpecifiedParams|.
        1. If |isDeterministicReport|:
            1. Set |privateAggregationTimeout| to the [=/current wall time=] plus
                the [=deterministic operation timeout duration=].
        1. [=Set the pre-specified report parameters for a batching scope=] given
            |preSpecifiedParams| and |batchingScope|.
        1. If |isDeterministicReport|, run the following steps [=in parallel=]:
            1. Wait until |privateAggregationTimeout|.
            1. Run |privateAggregationCompletionTask|.
    1. Return |privateAggregationCompletionTask|.
  </div>

  The <dfn>deterministic operation timeout duration</dfn> is an
  [=implementation-defined=] non-negative [=duration=] that controls how long a
  Shared Storage operation may make Private Aggregation contributions if it is
  triggering a deterministic report and, equivalently, when that report should
  be sent after the operation begins.

  ## Monkey Patch for [=Worklets=] ## {#worklet-monkey-patch}

  This specification will make some modifications to the [=Worklet=] standard to accommodate the needs of Shared Storage.

  ### Monkey Patch for [=set up a worklet environment settings object=] ### {#set-up-a-worklet-environment-settings-object-monkey-patch}

  The [=set up a worklet environment settings object=] algorithm will need to include an additional parameter: {{Worklet}} |worklet|. The step that defines the |settingsObject|'s [=environment settings object/origin=] should be modified as follows:

    6. Let |settingsObject| be a new [=environment settings object=] whose algorithms are defined as follows:

        ......

        <b>The [=environment settings object/origin=]</b>
          1. Let |workletGlobalScope| be the [=global object=] of <var ignore=''>realmExecutionContext</var>'s Realm component.
          1. If |workletGlobalScope| is not {{SharedStorageWorkletGlobalScope}}, return |origin|.
          1. [=Assert=] that |worklet| is a {{SharedStorageWorklet}}.
          1. If |worklet|'s [=SharedStorageWorklet/data origin=] is `"context-origin"`, return <var ignore=''>outsideSettings</var>'s [=environment settings object/origin=].
          1. Otherwise, if [=SharedStorageWorklet/data origin=] is `"script-origin"`:
              1. Let |pendingAddedModules| be a [=list/clone=] of |worklet|'s [=added modules list=].
              1. [=Assert=]: |pendingAddedModules|'s [=list/size=] is 1.
              1. Let |moduleURL| be |pendingAddedModules|[0].
              1. Return |moduleURL|'s [=url/origin=].
          1. Otherwise, let |customOriginUrl| be the result of running a [=URL parser=] on [=SharedStorageWorklet/data origin=].
          1. [=Assert=] |customOriginUrl| is a valid [=/URL=].
          1. Return |customOriginUrl|'s [=url/origin=].

        ......

  ### Monkey Patch for [=create a worklet global scope=] ### {#create-a-worklet-global-scope-monkey-patch}

  The [=create a worklet global scope=] algorithm will need to be modified to pass in the |worklet| parameter:

    5. Let <var ignore=''>insideSettings</var> be the result of [=setting up a worklet environment settings object=] given <var ignore=''>realmExecutionContext</var>, <var ignore=''>outsideSettings</var>, and |worklet|.

  ### Monkey Patch for [=fetch a worklet script graph=] ### {#fetch-a-worklet-script-graph-monkey-patch}

  The algorithm [=fetch a worklet script graph=] calls into the <a href="https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-worklet/module-worker-script-graph">fetch a worklet/module worker script graph</a> algorithm, which takes in an algorithm parameter |processCustomFetchResponse|. The definition of that |processCustomFetchResponse| parameter will need to include the following step before the step "5. [=Fetch=] |request|, ...":

    5. If |fetchClient|'s [=environment settings object/global object=] is {{SharedStorageWorkletGlobalScope}}:
        1. Set |request|'s [=request/redirect mode=] to "<code>error</code>".

            Note: For shared storage, redirects are disallowed for the module script request. With this restriction, it's possible to define and to use the algorithm that gets the |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] (as described in [[#set-up-a-worklet-environment-settings-object-monkey-patch]]) as soon as the {{SharedStorageWorkletGlobalScope}} is created, as the origin won't change. This restriction may be removed in a future iteration of the design. If redirects become allowed, presumably, the algorithm that gets the |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] should be updated to return the final request's [=request/URL=]'s [=url/origin=] after receiving the final request's response, and the user preference checkings shall only be done after that point.

        1. If |fetchClient|'s [=environment settings object/origin=] and |settingsObject|'s [=environment settings object/origin=] are not [=same origin=]:
            1. Let |dataOriginValue| be the [=origin/serialization=] of |settingsObject|'s [=environment settings object/origin=].
            1. [=Assert=] that |dataOriginValue| is not null.
            1. [=header list/Append=] the [=header=] ([:Sec-Shared-Storage-Data-Origin:], |dataOriginValue|) to |request|'s [=request/header list=].

  ### The [:Shared-Storage-Cross-Origin-Worklet-Allowed:] HTTP response header ### {#worklet-allowed-header}

  The [:Shared-Storage-Cross-Origin-Worklet-Allowed:] HTTP response header, along with the traditional CORS headers, can be used to grant a cross-origin site the permission to create a worklet from the module script's [=/URL=]'s [=url/origin=], and to run subsequent operations on the worklet using the module script's [=/URL=]'s [=url/origin=] as the <dfn for="SharedStorage">data partition origin</dfn> for accessing shared storage data, i.e. the [=environment settings object/origin=] set in [[#set-up-a-worklet-environment-settings-object-monkey-patch]], which becomes the [=url/origin=] used in all {{SharedStorage}} calls to [=obtain a shared storage bottle map=].

  Worklets that load cross-origin scripts rely on CORS as a baseline permission mechanism to indicate trusted external origins. However, CORS alone is insufficient for creation of a worklet with cross-origin script whose [=data partition origin=] is the script origin. Unlike simple resource sharing, worklets allow the creator site to execute JavaScript within the context of the target origin. To ensure security, an additional response header, [:Shared-Storage-Cross-Origin-Worklet-Allowed:], is required from the script origin.

  ### Monkey Patch for [=HTTP fetch=] ### {#http-fetch-monkey-patch}
  [Steps](#mod-http-fetch) will need to be added to the [=HTTP fetch=] algorithm.

  Note: It is the responsibility of the site serving the module script to carefully consider the security implications: when the module script's [=/URL=]'s [=url/origin=] and the worklet's creator {{Window}} origin are not [=same origin=], by sending permissive CORS headers the [:Shared-Storage-Cross-Origin-Worklet-Allowed:] header on the module script response, the server will be granting the worklet's creation and subsequent operations on the worklet, while allowing the worklet to use the worklet's script's [=url/origin=] as the [=url/origin=] for accessing the shared storage data, i.e. the [=data partition origin=]. For example, the worklet's creator {{Window}} could poison and use up the worklet origin's [=/site=]'s [=site/remaining navigation budget=] by calling {{SharedStorageWorklet/selectURL()}} or {{SharedStorageWorklet/run()}}, where the worklet origin is the global scope's [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].

  ### Monkey Patch for {{Worklet/addModule()}} ### {#add-module-monkey-patch}

  The {{Worklet/addModule()}} method steps for {{Worklet}} will need to include the following step before the step "Let |promise| be a new promise":

    4. If |this| is of type {{SharedStorageWorklet}}:
        1. Let |addModuleAllowedResult| be the result of running [=check if addModule is allowed and update state=] given |this| and <var ignore=''>moduleURLRecord</var>.
        1. If |addModuleAllowedResult| is "DisallowedDueToNonPreferenceError":
            1. Return [=a promise rejected with=] a {{TypeError}}.
        1. Else if |addModuleAllowedResult| is "DisallowedDueToPreferenceError":
            1. If |this|'s [=SharedStorageWorklet/has cross-origin data origin=] is false, then return [=a promise rejected with=] a {{TypeError}}.
        1. Else:
            1. [=Assert=]: |addModuleAllowedResult| is "Allowed".

    <div class="note">
    On user preferences error, {{Worklet/addModule()}} will be aborted at an early stage. However, the error will only be exposed to the caller for a same-origin worklet (i.e. where the initiator document's origin is same-origin with the module script's origin). For a cross-origin worklet, the error will be hidden. This is to prevent a caller from knowing which origins the user has disabled shared storage for via preferences (if a per-origin preference exists for that browser vendor).

    A caller may still use timing attacks to know this information, but this is a minor security/privacy issue, as in reality very few users would set such preferences, and doing a wide search would incur a significant performance cost spinning up the worklets.

    This rationale also applies to the handling for user preferences error for {{SharedStorageWorklet/selectURL()}} and {{SharedStorageWorklet/run()}}.
    </div>

  After the step "Let <var ignore=''>addedSuccessfully</var> be false", we need to include the following step:

    4. If |this| is of type {{SharedStorageWorklet}}, [=SharedStorageWorklet/has cross-origin data origin=] is true, and [=SharedStorageWorklet/data origin=] is not `"script-origin"`:
        1. [=Assert=] |pendingTasks| is 1.
        1. Set |pendingTasks| to 2.
        1. [=Queue a global task=] on the [=networking task source=] given <var ignore=''>workletGlobalScope</var> to perform the following steps:
            1. Let |customOriginUrl| be the result of running a [=URL parser=] on [=SharedStorageWorklet/data origin=].
            1. [=Assert=] |customOriginUrl| is a valid [=/URL=].
            1. Set |customOriginUrl|'s [=url/path=] to ≪".well-known", "shared-storage", "trusted-origins"≫.
            1. Let |request| be a new [=/request=] whose [=request/URL=] is |customOriginUrl|, [=request/mode=] is `"cors"`, [=request/referrer=] is `"client"`, [=request/destination=] is `"json"`, [=request/initiator type=] is `"script"`, and [=request/client=] is |outsideSettings|.
            1. [=Fetch=] |request| with [=fetch/processResponseConsumeBody=] set to the following algorithm, given [=/response=] |response| and null, failure or a [=/byte sequence=] |bodyBytes|:
                1. If any of the following are true:
                    * |bodyBytes| is null or failure; or
                    * |response|'s [=response/status=] is not an [=ok status=],

                       then:
                       1. Set |pendingTasks| to −1.
                       1. [=Reject=] |promise| with an "TypeError" DOMException.
                       1. Abort these steps.
                1. Let |mimeType| be the result of [=extracting a MIME type=] from |response|'s [=response/header list=].
                1. If |mimeType| is not a [=JSON MIME type=], then:
                    1. Set |pendingTasks| to −1.
                    1. [=Reject=] |promise| with an "TypeError" DOMException.
                    1. Abort these steps.
                1. Let |sourceText| be the result of [=UTF-8 decoding=] |bodyBytes|.
                1. Let |parsed| be the result of [=parsing a JSON string to an Infra value=] given |sourceText|.
                1. If |parsed| is not a [=list=] or if |parsed| is [=list/empty=], then:
                    1. Set |pendingTasks| to −1.
                    1. [=Reject=] |promise| with an "TypeError" DOMException.
                    1. Abort these steps.
                1. Let |doesMatch| be false.
                1. For each |item| of |parsed|:
                    1. If |item| is not an [=ordered map=], or if |item| does not [=map/contain=] `scriptOrigin`, or if |item| does not [=map/contain=] `contextOrigin`:
                        1. Set |pendingTasks| to −1.
                        1. [=Reject=] |promise| with an "TypeError" DOMException.
                        1. Abort these steps.
                    1. Let |doesMatch| be the result of running [=check for script and context origin match=] on |item|[`scriptOrigin`], <var ignore=''>moduleURLRecord</var>'s [=url/origin=], |item|[`contextOrigin`], and |outsideSettings|'s [=environment settings object/origin=].
                    1. If |doesMatch| is true:
                        1. [=Queue a global task=] on the [=networking task source=] given |this|'s [=relevant global object=] to perform the following steps:
                            1. If |pendingTasks| is not −1, then:
                                1. Set |pendingTasks| to |pendingTasks| − 1.
                                1. If |pendingTasks| is 0, perform the following steps:
                                    1. If |workletGlobalScope| has an associated boolean [=addModule success=], set |workletGlobalScope|'s [=addModule success=] to true.
                                    1. [=Resolve=] |promise|.
                        1. Break.
                1. If |doesMatch| is false, then:
                    1. Set |pendingTasks| to −1.
                    1. [=Reject=] |promise| with an "TypeError" DOMException.

    Note: If the worklet data origin is different from the current context and the script origin, an additional check is performed. This involves fetching a configuration file from the worklet data origin to verify that the current context is allowed to load the worklet with the script and perform operations.

  The penultimate step (i.e. the final indented step), currently "If |pendingTasks| is 0, then [=resolve=] |promise|.", should be updated to:

    2. If |pendingTasks| is 0, perform the following steps:
        1. If |workletGlobalScope| has an associated boolean [=addModule success=], set |workletGlobalScope|'s [=addModule success=] to true.
        2. [=Resolve=] |promise|.

  Just before the final step, currently "Return <var ignore>promise</var>.", add the following step:

    7. If |this| is a {{SharedStorageWorklet}}, [=upon fulfillment=] of |promise| or
        [=upon rejection=] of |promise|, run the following steps:
        1. Let |globalScopes| be |this|'s [=Worklet/global scopes=].
        1. [=Assert=]: |globalScopes|' [=list/size=] equals 1.
        1. Let |privateAggregationObj| be |globalScopes|[0]'s
            {{SharedStorageWorkletGlobalScope/privateAggregation}}.
        1. Set |privateAggregationObj|'s [=PrivateAggregation/allowed to use=] to
            the result of determining whether [=this=]'s [=relevant global
            object=]'s [=associated document=] is [=/allowed to use=] the
            "<code>[=private-aggregation=]</code>" [=policy-controlled feature=].

            Issue: Consider adding an early return here if the permissions
                policy check is made first.
        1. Set |privateAggregationObj|'s [=PrivateAggregation/scoping details=] to a
                new [=/scoping details=] with the items:
            : [=scoping details/get batching scope steps=]
            :: An algorithm that returns the [=batching scope=] that is scheduled to
                be passed to [=process contributions for a batching scope=] when the
                call currently executing in |scope| returns.
            : [=scoping details/get debug scope steps=]
            :: An algorithm that returns the [=debug scope=] that is scheduled to be
                passed to [=mark a debug scope complete=] when the call currently
                executing in |scope| returns.

            Note: Multiple operation invocations can be in-progress at the same
            time, each with a different batching scope and debug scope. However,
            only one can be currently executing.


  A <dfn>trusted origin type</dfn> is a [=string=] or [=list=] of [=strings=].

  <div algorithm>
  To <dfn>check for script and context origin match</dfn>, given [=trusted origin type=] |itemScriptOrigin|, [=url/origin=] |actualScriptOrigin|, [=trusted origin type=] |itemContextOrigin|, and [=environment settings object/origin=] |actualContextOrigin|, peform the following steps:

    1. If the result of running [=check for trusted origin match=], given |itemScriptOrigin| and |actualScriptOrigin| is false, return false.
    1. Return the result of running [=check for trusted origin match=], given |itemContextOrigin| and |actualContextOrigin|.
  </div>

  <div algorithm>
  To <dfn>check for trusted origin match</dfn>, given [=trusted origin type=] |itemOrigin| and [=url/origin=] |actualOrigin|, peform the following steps:

    1. If |itemOrigin| is a [=string=], return the result of running [=check for trusted origin match on a string=], given |itemOrigin| and |actualOrigin|.
    1. Otherwise, for each |originString| in |itemOrigin|:
        1. If the result of running [=check for trusted origin match on a string=] given |originString| and |actualOrigin| is true, return true.
    1. Return false.
  </div>


  <div algorithm>
  To <dfn>check for trusted origin match on a string</dfn>, given [=string=] |itemOrigin| and [=url/origin=] |actualOrigin|, peform the following steps:

    1. If |itemOrigin| is `"*"`, return true.
    1. Let |itemOriginUrl| be the result of running a [=URL parser=] on |itemOrigin|.
    1. If |itemOriginUrl| is not a valid [=/URL=], then return false.
    1. If |itemOriginUrl|'s [=url/origin=] and |actualOrigin| are [=same origin=], return true.
    1. Otherwise, return false.
  </div>

  <span class=todo>Add additional monkey patch pieces for out-of-process worklets.</span>

  ## The {{SharedStorageWorkletGlobalScope}} ## {#global-scope}

  The {{SharedStorageWorklet}}'s [=worklet global scope type=] is {{SharedStorageWorkletGlobalScope}}.

  The {{SharedStorageWorklet}}'s [=worklet destination type=] is "sharedstorageworklet".

  ### Monkey Patch for request [=request/destination=] ### {#request-destination-monkey-patch}

  The fetch request's [=request/destination=] field should additionally include "sharedstorageworklet" as a valid value.

  <xmp class='idl'>
    callback RunFunctionForSharedStorageSelectURLOperation = Promise<unsigned long>(sequence<USVString> urls, optional any data);
  </xmp>

  <xmp class='idl'>
    [Exposed=SharedStorageWorklet, Global=SharedStorageWorklet]
    interface SharedStorageWorkletGlobalScope : WorkletGlobalScope {
      undefined register(DOMString name,
                         Function operationCtor);

      readonly attribute SharedStorage sharedStorage;
      readonly attribute PrivateAggregation privateAggregation;

      Promise<sequence<StorageInterestGroup>> interestGroups();
    };
  </xmp>

  Each {{SharedStorageWorkletGlobalScope}} has an associated [=environment settings object=] <dfn for=SharedStorageWorkletGlobalScope>outside settings</dfn>, which is the associated {{SharedStorageWorklet}}'s [=relevant settings object=].

  Each {{SharedStorageWorkletGlobalScope}} has an associated [=/boolean=] <dfn for=SharedStorageWorkletGlobalScope>addModule success</dfn>, which is initialized to false.

  Each {{SharedStorageWorkletGlobalScope}} also has an associated <dfn for=SharedStorageWorkletGlobalScope>operation map</dfn>, which is a [=map=], initially empty, of [=strings=] (denoting operation names) to [=function objects=].

  Each {{SharedStorageWorkletGlobalScope}} also has an associated {{SharedStorage}} instance, with the [=SharedStorageWorkletGlobalScope/sharedStorage getter=] algorithm as described below.

  ### {{SharedStorageWorkletGlobalScope}} algorithms ### {#scope-algo}
  <div algorithm>
    The <dfn method for="SharedStorageWorkletGlobalScope">register(|name|, |operationCtor|)</dfn> method steps are:

    1. If |name| is missing or empty, throw a {{TypeError}}.
    1. Let |operationMap| be this {{SharedStorageWorkletGlobalScope}}'s [=SharedStorageWorkletGlobalScope/operation map=].
    1. If |operationMap| [=map/contains=] an [=map/entry=] with [=map/key=] |name|, throw a {{TypeError}}.
    1. If |operationCtor| is missing, throw a {{TypeError}}.
    1. Let |operationClassInstance| be the result of [=constructing=] |operationCtor|, with no arguments.
    1. Let |runFunction| be [=Get=](|operationClassInstance|, "`run`"). Rethrow any exceptions.
    1. If <a abstract-op>IsCallable</a>(|runFunction|) is false, throw a {{TypeError}}.
    1. [=map/Set=] the value of |operationMap|[|name|] to |runFunction|.
  </div>

  Issue(151): The "name" and "operationCtor" cannot be missing here given WebIDL. Should just check for default/empty values.

  <div algorithm>
    The <dfn method for="SharedStorageWorkletGlobalScope">interestGroups()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be |globalObject|'s [=Window/browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |document| be |context|'s [=active window=]'s [=associated document=].
    1. If |document| is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |workletDataOrigin| be [=current realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. Run the following steps [=in parallel=]:
        1. Let |interestGroups| be the result of running [=get storage interest groups for owner=] given |workletDataOrigin|.
        1. If |interestGroups| is failure:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |interestGroups|.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn for="SharedStorageWorkletGlobalScope">{{SharedStorageWorkletGlobalScope/sharedStorage}} getter</dfn> steps are:

    1. If [=this=]'s [=addModule success=] is true, return [=this=]'s {{SharedStorageWorkletGlobalScope/sharedStorage}}.
    1. Otherwise, throw a {{TypeError}}.
  </div>

  <div algorithm="privateAggregation getter">
    The {{SharedStorageWorkletGlobalScope/privateAggregation}} [=getter steps=] are to:

    1. [=Get the privateAggregation=] given [=this=].
  </div>

  <div algorithm>
    To <dfn for="SharedStorageWorkletGlobalScope">check whether addModule is finished</dfn>, the step is:

    1. Return the value of [=addModule success=].
  </div>

  ## {{SharedStorageUrlWithMetadata}} and Reporting ## {#reporting}

  <xmp class='idl'>
    dictionary SharedStorageUrlWithMetadata {
      required USVString url;
      object reportingMetadata;
    };
  </xmp>

  If a {{SharedStorageUrlWithMetadata}} [=dictionary=] contains a non-[=map/empty=] {{SharedStorageUrlWithMetadata/reportingMetadata}} {{/object}} in the form of a [=dictionary=] whose [=map/keys=] are {{FenceEvent}}'s {{FenceEvent/eventType}}s and whose [=map/values=] are [=strings=] that parse to valid [=/URLs=], then these {{FenceEvent/eventType}}-[=/URL=] pairs will be [=register reporting metadata|registered=] for later access within any [=fenced frame=] that loads the {{SharedStorageResponse}} resulting from this {{SharedStorageWorklet/selectURL()}} call.

  Issue(141): {{SharedStorageUrlWithMetadata/reportingMetadata}} should be a [=dictionary=].

  Inside a [=fenced frame=] with {{FenceEvent/eventType}}-[=/URL=] pairs that have been [=register reporting metadata|registered=] through {{SharedStorageWorklet/selectURL()}} with {{SharedStorageUrlWithMetadata/reportingMetadata}} {{/object}}s, if {{reportEvent()}} is called on a {{FenceEvent}} with a {{FenceEvent/destination}} [=list/containing=] "`shared-storage-select-url`" and that {{FenceEvent}}'s corresponding {{FenceEvent/eventType}} is triggered, then the {{FenceEvent}}'s {{FenceEvent/eventData}} will be sent as a [=beacon=] to the registered [=/URL=] for that {{FenceEvent/eventType}}.

  <div algorithm>
    To <dfn>validate reporting metadata</dfn>, given an {{/object}} |reportingMetadata|, run the following steps:

    1. If |reportingMetadata| is not a [=dictionary=], return false.
    1. If |reportingMetadata| is [=map/empty=], return true.
    1. [=map/iterate|For each=] <var ignore="">eventType</var> → |urlString| of |reportingMetadata|, if the result of running [=get the canonical URL string if valid=] with |urlString| is undefined, return false.
    1. Return true.
  </div>

  <div algorithm>
    To <dfn>get the canonical URL string if valid</dfn>, given a [=string=] |urlString|, run the following steps:

    1. Let |url| be the result of running a [=URL parser=] on |urlString|.
    1. If |url| is not a valid [=/URL=], return undefined.
    1. Otherwise, return the result of running a [=URL serializer=] on |url|.
  </div>

  <div algorithm>
    To <dfn>register reporting metadata</dfn>, given an {{/object}} |reportingMetadata| and a [=fenced frame config=] |fencedFrameConfigStruct|, run the following steps:

    1. If |reportingMetadata| is [=map/empty=], return.
    1. [=Assert=]: |reportingMetadata| is a [=dictionary=].
    1. Let |reportingUrlMap| be an [=map/empty=] [=map=].
    1. [=map/iterate|For each=] |eventType| → |urlString| of |reportingMetadata|:
        1. Let |url| be the result of running a [=URL parser=] on |urlString|.
        1. [=Assert=]: |url| is a valid [=/URL=].
        1. [=map/Set=] |reportingUrlMap|[|eventType|] to |url|.

    Issue(144): Store |reportingUrlMap| inside a [=fenced frame reporter=] class associated with |fencedFrameConfigStruct|. Both of these still need to be added to the draft [[Fenced-Frame]].
  </div>


  ## Entropy Budgets ## {#budgets}

  Because [=bits of entropy=] can leak via {{SharedStorageWorklet/selectURL()}}, the [=user agent=] will need to maintain budgets to limit these leaks.

  On a call to {{SharedStorageWorklet/selectURL()}}, when any of these budgets are exhausted, the [=default selectURL index=] will be used to determine which URL to select.

  <div algorithm>
    To <dfn>get the default selectURL index</dfn>, given {{sequence}}<{{USVString}}> |urls|, run the following steps:

    1. Return 0.

        Note: We could have chosen to return any {{unsigned long}} from the [=the exclusive range|range=] from 0 to |urls|’s [=list/size=], exclusive, as long as the returned index was independent from the registered operation class's "`run`" method.
  </div>

  The <dfn>default selectURL index</dfn> is the index obtained by running [=get the default selectURL index=], given {{sequence}}<{{USVString}}> <var ignore=''>urls</var>.

  ### Navigation Entropy Budget ### {#nav-budget}

  If a user [=user activation|activates=] a [=fenced frame=] whose [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=] was generated by {{SharedStorageWorklet/selectURL()}} and thereby initiates a [=top-level traversable=] [=navigate|navigation=], this will reveal to the landing page that its [=/URL=] was selected, which is a leak in [=entropy bits=] of up to logarithm base 2 of the number of input [=/URLs=] for the call to {{SharedStorageWorklet/selectURL()}}. To mitigate this, a [=user agent=] will set a per-[=/site=] [=navigation entropy allowance=].

  A <dfn>navigation entropy allowance</dfn> is a maximum allowance of [=entropy bits=] that are permitted to leak via [=fenced frames=] initiating [=top-level traversable=] [=navigate|navigations=] during a given [=navigation budget epoch=] for a given calling [=/site=]. This [=navigation entropy allowance|allowance=] is defined by the [=user agent=] and is [=/site=]-agnostic.

  A [=user agent=] will define a fixed predetermined [=duration=] <dfn>navigation budget lifetime</dfn>.

  An <dfn>navigation budget epoch</dfn> is any interval of time whose [=duration=] is the [=navigation budget lifetime=].

  To keep track of how this [=navigation entropy allowance=] is used, the [=user agent=] uses a <dfn>shared storage navigation budget table</dfn>, which is a [=map=] of [=/sites=] to [=navigation entropy ledgers=].

  An <dfn>navigation entropy ledger</dfn> is a [=/list=] of [=bit debits=].

  A <dfn>bit debit</dfn> is a [=struct=] with the following [=struct/items=]:

  <dl dfn-for="bit debit">
    : <dfn>bits</dfn>
    :: a {{double}}

    : <dfn>timestamp</dfn>
    :: a {{DOMHighResTimeStamp}} (from the [=Unix Epoch=])
  </dl>

  [=Bit debits=] whose [=bit debit/timestamps=] precede the start of the current [=navigation budget epoch=] are said to be <dfn for="bit debit">expired</dfn>.

  When a leak occurs, its value in [=entropy bits=] is calculated and stored for that [=/site=], along with the current time as a [=bit debit/timestamp=], together as a [=bit debit=] in the [=shared storage navigation budget table=].

 Each [=/site=] has an associated double <dfn for="site">remaining navigation budget</dfn>, whose value is the [=navigation entropy allowance=] minus any [=bit debits=] whose [=bit debit/timestamps=] are within the current [=navigation budget epoch=].

  When a [=/site=] has insufficient [=site/remaining navigation budget=], {{SharedStorageWorklet/selectURL()}} will return a {{SharedStorageResponse}} (i.e. either a {{FencedFrameConfig}} or a [=urn uuid=]) for the {{SharedStorageUrlWithMetadata/url}} in the {{SharedStorageUrlWithMetadata}} at the [=default selectURL index=].

  <div algorithm>
    To <dfn>determine remaining navigation budget</dfn>, given an [=environment settings object=] |environment| and a [=/site=] |site|, run the following steps:

    1. [=Assert=]: |site| is not an [=opaque origin=].
    1. Let |maxBits| be the [=user agent=]'s [=navigation entropy allowance=].
    1. If the [=user agent=]'s [=shared storage navigation budget table=] does not [=map/contain=] |site|, then return |maxBits|.
    1. Otherwise, let |ledger| be [=user agent=]'s [=shared storage navigation budget table=][|site|].
    1. Let |debitSum| be 0.
    1. [=map/iterate|For each=] [=list/item=] |bitDebit| in |ledger|, do the following steps:
        1. Let |debit| be |bitDebit|'s [=bit debit/bits=].
        1. If the result of running [=check whether a bit debit is expired=] with |environment| and |bitDebit| is false, then increment |debitSum| by |debit|.
    1. Return |maxBits| &minus; |debitSum|.
  </div>

  <div algorithm>
    To <dfn>check whether a bit debit is expired</dfn>, given an [=environment settings object=] |environment| and a [=bit debit=] |bitDebit|, run the following steps:

    1. Let |epochLength| be the [=user agent=]'s [=navigation budget lifetime=].
    1. Let |currentTime| be |environment|'s [=environment settings object/current wall time=].
    1. Let |threshold| be |currentTime| &minus; |epochLength|.
    1. If |bitDebit|'s [=bit debit/timestamp=] is less than |threshold|, return true.
    1. Otherwise, return false.
  </div>

  A [=bit debit=] will need to be [=charge shared storage navigation budget|charged=] to the [=shared storage navigation budget table=] for each [=top-level traversable=] [=navigate|navigation=] initiated by a [=fenced frame=] whose [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=] was generated via {{SharedStorageWorklet/selectURL()}}, as this can leak cross-site data. Since the [=bit debit/bits=] to charge is calculated during the call to {{SharedStorageWorklet/selectURL()}} but only actually recorded in the [=shared storage navigation budget table=] if and when the resulting fenced frame initiates a [=top-level traversable=] [=beginning navigation|navigation=], the [=bit debit/bits=] must be stored as a <dfn>pending shared storage budget debit</dfn> in the corresponding fenced frame's [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=] until this time.

  Issue(148): Move the definition of [=pending shared storage budget debit=] to [=fenced frame config instance=] in the draft [[Fenced-Frame]] specification.

  Between [=beginning navigation=] and [=ending navigation=], a [=user agent=] will perform the [=charge shared storage navigation budget=] algorithm.

  Issue(138): Need to find a better way to specify timing of the navigation budget charging.

  <div algorithm>
    To <dfn>charge shared storage navigation budget</dfn> during a [=beginning navigation|navigation=] with [=/navigable=] |navigable| and {{Document}} |sourceDocument|, run the following steps:

    1. If |navigable| is not a [=top-level traversable=], return.
    1. Let |currentNavigable| be |sourceDocument|'s [=node navigable=].
    1. While |currentNavigable| is not null:
        1. Let |site| be the result of running [=obtain a site=] with |currentNavigable|'s [=active document=]'s [=Document/origin=].
        1. Let |instance| be |currentNavigable|'s [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=].
        1. Set |currentNavigable| to |currentNavigable|'s [=navigable/parent=].
        1. If |instance| is null or |site| is an [=opaque origin=], then [=iteration/continue=].
        1. Let |pendingBits| be |instance|'s [=pending shared storage budget debit=].
        1. If |pendingBits| is not greater than 0, then [=iteration/continue=].
        1. Let |ledger| be [=user agent=]'s [=shared storage navigation budget table=][|site|].
        1. Let |bitDebit| be a new [=bit debit=].
        1. Set |bitDebit|'s [=bit debit/bits=] to |pendingBits|.
        1. Let |currentTime| be the [=/current wall time=].
        1. Set |bitDebit|'s [=bit debit/timestamp=] to |currentTime|.
        1. [=list/Append=] |bitDebit| to |ledger|.
        1. Set |pendingBits| to 0.
  </div>

  A [=user agent=] may wish to set a timer to periodically [=purge expired bit debits from all navigation entropy ledgers=], as the [=bit debit/expired=] [=bit debits=] will no longer be needed.

  <div algorithm>
    To <dfn>purge expired bit debits from all navigation entropy ledgers</dfn>, run the following steps:

    1. [=map/iterate|For each=] <var ignore="">origin</var> → |ledger| of [=user agent=]'s [=shared storage navigation budget table=]:
        1. [=map/iterate|For each=] |bitDebit| in |ledger|, if the result of running [=check whether a bit debit is expired=] with |bitDebit| is true, [=list/remove=] |bitDebit| from |ledger|.
  </div>

  ### [=Top-Level Traversable=] Entropy Budgets ### {#top-budgets}

  In the short term, while we have less-restrictive [=fenced frames=], it is necessary to impose additional limits as follows.

  Each [=user agent=] will specify a maximum <dfn>overall page entropy allowance</dfn> and a maximum <dfn>site page entropy allowance</dfn>, where the former is the total number of bits allowed to leak for {{SharedStorageWorklet/selectURL()}} per [=top-level traversable=], where the latter is the total number of bits allowed to leak for {{SharedStorageWorklet/selectURL()}} per [=site=] per [=top-level traversable=]

  The <dfn for="traversable navigable">shared storage page budget</dfn> is a [=struct=] with the following [=struct/items=]:

  <dl dfn-for="shared storage page budget">
    : <dfn>overall budget</dfn>
    :: a {{double}}

    : <dfn>site budget map</dfn>
    :: a [=map=] of [=site=] to {{double}}

    : <dfn>saved query map</dfn>
    :: a [=map=] of [=tuples=] ([=url/origin=] <dfn for="saved query map" export>data origin</dfn>, [=/URL=] <dfn for="saved query map" export>worklet script URL</dfn>, [=string=] <dfn for="saved query map" export>operation name</dfn>, [=string=] <dfn for="saved query map" export>query name</dfn>) to [=saved query data=]
  </dl>

  The <dfn for="shared storage page budget">saved query data</dfn> is a [=struct=] with the following [=struct/items=]:

  <dl dfn-for="saved query data">
    : <dfn>index</dfn>
    :: a {{long}}

    : <dfn>callbacks</dfn>
    :: a [=queue=] of [=tasks=]
  </dl>

  #### Monkey patch for [=navigable/Traversable Navigables=] #### {#patch-trav-nav}

  In [[HTML]]'s <a
href=https://html.spec.whatwg.org/multipage/document-sequences.html#traversable-navigable>Traversable
navigables</a> section, add the following:

  In addition to the properties of a [=/navigable=], a [=navigable/traversable navigable=] has:

   * An <dfn for="traversable navigable">page budget</dfn>, a [=shared storage page budget=] or null, initially null.


  #### Monkey patch for [=/Navigables=] #### {#patch-navigables}

  Modify the [=initialize the navigable=] algorithm by adding the following steps at the end:

    1. If <var ignore=''>parent</var> is null and |navigable| is a [=navigable/traversable navigable=], then:
        1. Let |newPageBudget| be a [=shared storage page budget=] with an empty [=shared storage page budget/site budget map=].
        1. Set |newPageBudget|'s [=overall budget=] to [=overall page entropy allowance=].
        1. Set |navigable|'s [=page budget=] to |newPageBudget|.

  #### Saved queries #### {#saved-queries}

  <div algorithm>
    To <dfn>get the index for a saved query</dfn>, given [=/navigable=] |navigable|, [=url/origin=] |origin|, [=/URL=] |moduleURLRecord|, [=string=] |operationName|, [=string=] |savedQueryName|, and [=task=] |callbackTask|:

    1. Let |topLevelTraversable| be the result of running [=get the top-level traversable=] for |navigable|.
    1. [=Assert=] that |topLevelTraversable|'s [=page budget=] is not null.
    1. If |topLevelTraversable|'s [=page budget=]'s [=saved query map=] does not [=map/contain=] (|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|), then:
        1. [=map/Set=] |topLevelTraversable|'s [=page budget=]'s [=saved query map=][(|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|)] to a new [=saved query data=] struct |queryData|.
        1. Set |queryData|'s [=saved query data/index=] value to -1.
        1. Return "pending current operation".
    1. Let |savedIndex| be |topLevelTraversable|'s [=page budget=]'s [=saved query map=][(|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|)]'s  [=saved query data/index=].
    1. If |savedIndex| is -1:
        1. [=queue/Enqueue=] |callbackTask| to |queryData|'s [=saved query data/callbacks=].
        1. Return "pending callback".
    1. Return |savedIndex|.
  </div>

      Note: The [=get the index for a saved query=] algorithm returns "pending current operation" to indicate that the index value is pending the result of [=queueing a task=] on the {{SharedStorageWorkletGlobalScope}}'s [=worklet event loop=] to perform the [=registered=] operation.

      Note: The [=get the index for a saved query=] algorithm returns "pending callback" to indicate that a [=task=] to determine the result of the index was previously [=queue a task|queued=] on the {{SharedStorageWorkletGlobalScope}}'s [=worklet event loop=], and that we are now queueing an additional <var ignore=''>callbackTask</var> to be run when the original [=task=] has completed.

  <div algorithm>
    To <dfn>store the index for a saved query</dfn>, given {{Window}} |window|, [=/navigable=] |navigable|, [=url/origin=] |origin|, [=/URL=] |moduleURLRecord|, [=string=] |operationName|, [=string=] |savedQueryName|, and {{unsigned long}} |index|:

    1. Let |topLevelTraversable| be the result of running [=get the top-level traversable=] for |navigable|.
    1. [=Assert=] that |topLevelTraversable|'s [=page budget=] is not null.
    1. Let |queryData| be |topLevelTraversable|'s [=page budget=]'s [=saved query map=][(|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|)].
    1. [=map/Set=] |queryData|'s [=saved query data/index=] to |index|.
    1. [=While=] |queryData|'s [=saved query data/callbacks=] is not empty:
        1. [=queue/Dequeue=] the next [=task=] |callbackTask| from |queryData|'s [=saved query data/callbacks=], and [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to run the steps of |callbackTask|, given |index|.
  </div>

  <div algorithm>
    To <dfn>obtain a callback to process the saved index result</dfn>, given {{Window}} |window|, [=/list=] of {{SharedStorageUrlWithMetadata}}s |urlList|, [=promise=] |promise|, perform the following steps. They return an algorithm.

    1. Let |processIndexTask| be an algorithm to perform the following steps, given an {{unsigned long}} |index|:
        1. If |index| is greater than |urlList|'s [=list/size=], then [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}.

                Note: The result index is beyond the input urls' size. This violates the selectURL() protocol, and we don't know which url should be selected.
        1.  Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=resolve=] |promise| with |index|.
    1. Return |processIndexTask|.
  </div>

  #### Charging the [=Top-Level Traversable=] Entropy Budgets #### {#charge-top-trav-budgets}

 <div algorithm>
    To <dfn>charge shared storage top-level traversable budgets</dfn> given a [=/navigable=] |navigable|, [=site=] |site|, and double |pendingBits|, run the following steps:

    1. Let |topLevelTraversable| be the result of running [=get the top-level traversable=] for |navigable|.
    1. [=Assert=] that |topLevelTraversable|'s [=page budget=] is not null.
    1. If |pendingBits| is greater than |topLevelTraversable|'s [=page budget=]'s [=overall budget=], then return false and abort these steps.
    1. If |topLevelTraversable|'s [=page budget=]'s [=site budget map=] does not [=map/contain=] |site|, then [=map/set=] |topLevelTraversable|'s [=page budget=]'s [=site budget map=] [|site|] to [=site page entropy allowance=].
    1. If |pendingBits| is greater than |topLevelTraversable|'s [=page budget=]'s [=site budget map=] [|site|], then return false and abort these steps.
    1. Decrement |topLevelTraversable|'s [=page budget=]'s [=site budget map=] [|site|] by |pendingBits|.
    1. Decrement |topLevelTraversable|'s [=page budget=]'s [=overall budget=] by |pendingBits|.
    1. Return true.

  </div>

Shared Storage's Backend {#backend}
===================================
The Shared Storage API will integrate into the [=Storage Model|Storage API=] as below, via [=storage endpoint/registering=] a new [=storage endpoint=].

  ## Monkey Patch for the [=Storage Model=] ## {#storage-monkey-patch}

  This standard will add a new [=storage type=] "`shared`" to the [=Storage Model=].

  A [=user agent=] holds a [=shared storage shed=] for [=storage endpoints=] of [=storage type|type=] "`shared`".

  This standard will also [=storage endpoint/register=] a [=storage endpoint=] of [=storage type|type=] "`shared`" with [=storage identifier=] "`sharedStorage`" and [=storage endpoint/quota=] `5`<sup>`4`</sup> `*` `2`<sup>`16`</sup> bytes (i.e. 39.0625 mebibytes).

  <span class=todo>This [=storage endpoint/quota=] is calculated from the current implementation. Consider bringing the current implementation in line with the spec for [=storage endpoints=] "`localStorage`" and "`sessionStorage`", i.e. `5 * 2`<sup>`20`</sup> bytes. For example, decreasing the per-origin entry limit from 10,000 to 1,280 would achieve this.</span>

  A <dfn>shared storage shed</dfn> is a [=map=] of [=/origins=] to [=storage shelf|storage shelves=]. It is initially empty.

  Note: Unlike [=storage sheds=], whose keys are [=storage keys=], [=shared storage sheds=] use [=/origins=] as keys directly. [=Shared storage=] will be intentionally excluded from [=client-side storage partitioning=].

  For each [=storage shelf=] in a [=shared storage shed=], the [=storage shelf=]'s [=bucket map=] currently has only a single key of "`default`".

  A [=user agent=]'s [=shared storage shed=] holds all <dfn>shared storage</dfn> data.

  <div algorithm>
    To <dfn>obtain a shared storage shelf</dfn>, given a [=shared storage shed=] |shed|, an [=environment settings object=] |environment|, and an [=/origin=] |origin|, run these steps:

    1. Let |allowedInOpaqueOriginContext| be false.
    1. If the result of running [=determine whether shared storage is allowed by context=] given |environment|, |origin|, and |allowedInOpaqueOriginContext| is false, then return failure.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |environment| and |origin| is false, then return failure.
    1. If |shed|[origin] does not exist, then set |shed|[origin] to the result of running [=create a shared storage shelf=] with [=storage type|type=] "`shared`".
    1. Return |shed|[|origin|].
  </div>

  <div algorithm>
    To <dfn>create a shared storage shelf</dfn>, run these steps:

    1. Let |shelf| be a new [=storage shelf=].
    1. Set |shelf|'s [=bucket map=]["`default`"] to the result of running [=create a shared storage bucket=].
    1. Return |shelf|.
  </div>

  A <dfn>shared storage bucket</dfn> is a [=storage bucket=] in one of a [=shared storage shed=]'s [=storage shelf|shelves=].

  <div algorithm>
    To <dfn>create a shared storage bucket</dfn>, run these steps:

    1. Let |endpoint| be the [=storage endpoint=] with [=storage identifier=] "`sharedStorage`".
    1. Let |bucket| be a new [=shared storage bucket=].
    1. Set |bucket|'s [=bottle map=]["`sharedStorage`"] to a new [=storage bottle=] whose [=storage bottle/quota=] is |endpoint|'s [=storage endpoint/quota=].
    1. Return |bucket|.
  </div>

  Note: Currently, a [=shared storage bucket=]'s [=bottle map=] has [=map/size=] `1`, since there is only one [=storage endpoint=] [=storage endpoint/registered=] with [=storage type|type=] "`shared`".

  <div algorithm>
    To <dfn>obtain a shared storage bottle map</dfn>, given an [=environment settings object=] |environment| and an [=/origin=] |origin|, run these steps:

    1. Let |shed| be the [=user agent=]'s [=shared storage shed=].
    1. Let |shelf| be the result of running [=obtain a shared storage shelf=] with |shed|, |environment|, and |origin|.
    1. If |shelf| is failure, then return failure.
    1. Let |bucket| be |shelf|'s [=bucket map=]["`default`"].
    1. Let |bottle| be |bucket|'s [=bottle map=]["`sharedStorage`"].
    1. Let |proxyMap| be a new [=storage proxy map=] whose [=backing map=] is |bottle|'s [=map=].
    1. [=set/Append=] |proxyMap| to |bottle|'s [=proxy map reference set=].
    1. Return |proxyMap|.
  </div>

  ## The [=Shared Storage Database=] ## {#database}

  A [=/browsing context=] has an associated <dfn>shared storage database</dfn>, which provides methods to [=shared storage database/store an entry in the database|store=], [=shared storage database/retrieve an entry from the database|retrieve=], [=shared storage database/delete an entry from the database|delete=], [=shared storage database/clear all entries in the database|clear=], and [=shared storage database/purge expired entries from the database|purge expired=] data, and additional methods as below. The data in the [=shared storage database|database=] take the form of [=shared storage database/entry|entries=].

  Each [=shared storage database=] has a <dfn for="shared storage database">shared storage database queue</dfn>, which is the result of [=start a new parallel queue|starting a new parallel queue=]. This [=shared storage database queue|queue=] is used to run each of the [=shared storage database=]'s methods when calls to them are initiated from that [=/browsing context=].

  Each <dfn for="shared storage database">entry</dfn> consists of a [=entry/key=] and a [=entry/value struct=].

  An [=shared storage database/entry=]'s <dfn for=entry>key</dfn> is a [=string=].

  [=User agents=] may specify the <dfn for=key>maximum length</dfn> of a [=entry/key=].

  Since [=entry/keys=] are used to organize and efficiently retrieve [=shared storage database/entry|entries=], [=entry/keys=] must appear at most once in any given [=shared storage database=].

  An [=shared storage database/entry=]'s <dfn for=entry>value struct</dfn> is a [=struct=] composed of [=string=] <dfn for="value struct">value</dfn> and {{DOMHighResTimeStamp}} <dfn for="value struct">last updated</dfn> (from the [=Unix Epoch=]).

  [=User agents=] may specify the <dfn for=value>maximum length</dfn> of a [=value struct/value=].

  [=User agents=] may specify a <dfn>default entry lifetime</dfn>, the default [=duration=] between when an [=shared storage database/entry=] is [=shared storage database/store an entry in the database|stored=] and when it expires. If the [=user agent=] specifies a [=default entry lifetime=], then it should have a timer periodically [=shared storage database/purge expired entries from the database=].

  ## The [=Shared Storage Database|Database=] Algorithms ## {#database-algorithms}

  <div algorithm>
    To <dfn for="shared storage database">store an entry in the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, an [=environment settings object=] |environment|, a [=entry/key=] |key|, and a [=value struct/value=] |value|, run the following steps on |queue|:

    1. Let |valueStruct| be a new [=entry/value struct=].
    1. Set |valueStruct|'s [=value struct/value=] to |value|.
    1. Let |currentTime| be the |environment|'s [=environment settings object/current wall time=].
    1. Set |valueStruct|'s [=value struct/last updated=] to |currentTime|.
    1. [=map/Set=] |databaseMap|[|key|] to |valueStruct|.
    1. If [=an exception was thrown=], then return false.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Otherwise, return true.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">retrieve an entry from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, an [=environment settings object=] |environment|, and a [=entry/key=] |key|, run the following steps on |queue|:

    1. If |databaseMap| does not [=map/contain=] |key|, return undefined.
    1. Let |valueStruct| be the result of running [=map/Get=] on |databaseMap| with |key|.
    1. If [=an exception was thrown=], then return failure.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. If the result of running [=shared storage database/determine whether an entry is expired=] with |environment| and |valueStruct| is true, return undefined.
    1. Return |valueStruct|'s [=value struct/value=].
  </div>

  <div algorithm>
    To <dfn for="shared storage database">delete an entry from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, and a [=entry/key=] |key|, run the following steps on |queue|:

    1. [=map/Remove=] |databaseMap|[|key|].
    1. If [=an exception was thrown=], then return false.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Return true.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">clear all entries in the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue| and a [=storage proxy map=] |databaseMap|, run the following steps on |queue|:

    1. Run [=map/Clear=] on |databaseMap|.
    1. If [=an exception was thrown=], then return false.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Return true.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">retrieve all entries from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue| and a [=storage proxy map=] |databaseMap|, run the following steps on |queue|:

    1. Let |values| be the result of running [=map/getting the values=] on |databaseMap|.
    1. If [=an exception was thrown=], then return failure.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Return |values|.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">count entries in the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue| and a [=storage proxy map=] |databaseMap|, run the following steps on |queue|:

    1. Let |size| be |databaseMap|'s [=map/size=].
    1. If [=an exception was thrown=], then return failure.

          Note: Errors with [=storage proxy map=] |databaseMap|'s members are possible depending on its implementation.
    1. Return |size|.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">purge expired entries from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, and an [=environment settings object=] |environment|, run the following steps on |queue|:

    1. [=map/iterate|For each=] [=entry/key=] |key| in |databaseMap|:
        1. Let |valueStruct| be the result of running [=map/Get=] on |databaseMap| with |key|.
        1. If [=an exception was thrown=], then return false.
        1. If the result of running [=shared storage database/determine whether an entry is expired=] with |environment| and |valueStruct| is true, [=map/Remove=] |databaseMap|[|key|].
        1. If [=an exception was thrown=], then return false.
    1. Return true.
  </div>

  <div algorithm>

    To <dfn for="shared storage database">determine whether an entry is expired</dfn>, given an [=environment settings object=] |environment| and a [=entry/value struct=] |valueStruct|, run the following steps:

    1. Let |lastUpdated| be |valueStruct|'s [=value struct/last updated=].
    1. Let |lifetime| be [=user agent=]'s [=default entry lifetime=].
    1. Let |expiration| be the sum of |lastUpdated| and |lifetime|.
    1. Let |currentTime| be the |environment|'s [=environment settings object/current wall time=].
    1. If |expiration| is less than or equal to |currentTime|, return true.
    1. Otherwise, return false.
  </div>


Extension to the {{Window}} interface {#window-extension}
=====================================================
Each {{Window}} object has an associated {{SharedStorage}} instance {{Window/sharedStorage}}, which is created alongside the {{Window}} if [=Shared Storage=] is enabled, with the [=Window/sharedStorage getter|getter=] below.

<xmp class='idl'>
  partial interface Window {
    [SecureContext] readonly attribute SharedStorage? sharedStorage;
  };
</xmp>

<div algorithm>
    The <dfn for="Window">{{Window/sharedStorage}} getter</dfn> steps are:

    1. If [=this=] is [=fully active=], return [=this=]'s {{Window/sharedStorage}}.
    1. Otherwise, return null.
</div>


The {{SharedStorage}} Interface {#shared-storage-interface}
==========================================================
The {{SharedStorage}} interface is exposed to {{Window}} and {{SharedStorageWorklet}}.

Methods that allow the setting and/or deleting of data are exposed to both the {{Window}} and the {{SharedStorageWorklet}}, although their implementations may vary depending on their [=environment=]. This makes it possible to modify the data in Shared Storage from multiple contexts.

Meanwhile, methods for posting operations to run inside {{SharedStorageWorkletGlobalScope}} (i.e. {{SharedStorageWorklet/selectURL()}} and {{SharedStorageWorklet/run()}}), along with the {{SharedStorage/worklet}} attribute which is used to call {{Worklet/addModule()}}, are exposed to the {{Window}} only, as these are the means by which the {{Window}} interacts with the {{SharedStorageWorklet}}.

On the other hand, methods for getting data from the [=shared storage database=] are exposed to the {{SharedStorageWorklet}} only, in order to carefully control the flow of data read from the [=shared storage database|database=].

<xmp class='idl'>
  [Exposed=(Window,SharedStorageWorklet)]
  interface SharedStorage {
    Promise<any> set(DOMString key,
                     DOMString value,
                     optional SharedStorageSetMethodOptions options = {});
    Promise<any> append(DOMString key,
                        DOMString value);
    Promise<any> delete(DOMString key);
    Promise<any> clear();

    [Exposed=Window]
    Promise<SharedStorageResponse> selectURL(DOMString name,
                                 sequence<SharedStorageUrlWithMetadata> urls,
                                 optional SharedStorageRunOperationMethodOptions options = {});

    [Exposed=Window]
    Promise<any> run(DOMString name,
                     optional SharedStorageRunOperationMethodOptions options = {});

    [Exposed=Window]
    Promise<SharedStorageWorklet> createWorklet(USVString moduleURL, optional SharedStorageWorkletOptions options = {});

    [Exposed=Window]
    readonly attribute SharedStorageWorklet worklet;

    [Exposed=SharedStorageWorklet]
    Promise<DOMString> get(DOMString key);

    [Exposed=SharedStorageWorklet]
    Promise<unsigned long> length();

    [Exposed=SharedStorageWorklet]
    Promise<double> remainingBudget();

    [Exposed=SharedStorageWorklet]
    async iterable<DOMString, DOMString>;
  };

  dictionary SharedStorageSetMethodOptions {
    boolean ignoreIfPresent = false;
  };

  dictionary SharedStoragePrivateAggregationConfig {
    USVString aggregationCoordinatorOrigin;
    USVString contextId;
    [EnforceRange] unsigned long long filteringIdMaxBytes;
  };

  dictionary SharedStorageRunOperationMethodOptions {
    object data;
    boolean resolveToConfig = false;
    boolean keepAlive = false;
    SharedStoragePrivateAggregationConfig privateAggregationConfig;
    DOMString savedQuery;
  };

  dictionary SharedStorageWorkletOptions : WorkletOptions {
    USVString dataOrigin = "context-origin";
  };
</xmp>

## Run Operation Methods on {{SharedStorage}} ## {#run-op-shared-storage}

  <div algorithm>
    The <dfn method for="SharedStorage">selectURL(|name|, |urls|, |options|)</dfn> method steps are:

    1. Let |sharedStorage| be [=this=].
    1. Return |sharedStorage|.{{SharedStorage/worklet}}.{{SharedStorageWorklet/selectURL()|selectURL}}(|name|, |urls|, |options|).
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">run(|name|, |options|)</dfn> method steps are:

    1. Let |sharedStorage| be [=this=].
    1. Return |sharedStorage|.{{SharedStorage/worklet}}.{{SharedStorageWorklet/run()|run}}(|name|, |options|).
  </div>

## Create a new worklet via {{SharedStorage}} ## {#create-a-new-worklet-via-shared-storage}

  <div algorithm>
    The <dfn method for="SharedStorage">createWorklet(|moduleURL|, |options|)</dfn> method steps are:

    1. Let |sharedStorageWorklet| be a new {{SharedStorageWorklet}}.
    1. If |options| [=map/contains=] |dataOrigin|, set |sharedStorageWorklet|'s [=SharedStorageWorklet/data origin=] to |options|[|dataOrigin|].
    1. Let |addModulePromise| be the result of invoking sharedStorageWorklet.{{Worklet/addModule()|addModule}}(|moduleURL|, |options|).
    1. Let |resultPromise| be a new [=promise=].
    1. [=Upon fulfillment=] of |addModulePromise|, [=resolve=] |resultPromise| to |sharedStorageWorklet|.
    1. [=Upon rejection=] of |addModulePromise|, [=reject=] |resultPromise| with a {{TypeError}}.
    1. Return |resultPromise|.
  </div>

## Setter/Deleter Methods ## {#setter}

  <div algorithm>
    The <dfn method for="SharedStorage">set(|key|, |value|, |options|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |value|'s [=string/length=] exceeds the [=value/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. If |options|["`ignoreIfPresent`"] is true:
            1. Let |currentValue| be the result of running [=shared storage database/retrieve an entry from the database=] with |queue|, |databaseMap|, |environment|, and |key|.
            1. If |currentValue| is failure and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
                1. Abort these steps.
            1. If |currentValue| is not undefined:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
                1. Abort these steps.
        1. Let |result| be the result of running [=shared storage database/store an entry in the database=] with |queue|, |databaseMap|, |environment|, |key|, and |value|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">append(|key|, |value|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |value|'s [=string/length=] exceeds the [=value/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |currentValue| be the result of running [=shared storage database/retrieve an entry from the database=] with |queue|, |databaseMap|, |environment|, and |key|.
        1. If |currentValue| is failure:
            1. If |globalObject| is a {{Window}}:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
            1. Else:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. If |currentValue| is not undefined:
            1. Let |list| be a new [=/list=].
            1. [=list/Append=] |currentValue| to |list|.
            1. [=list/Append=] |value| to |list|.
            1. Set |value| to the result of running [=string/concatenate=] on |list|.
        1. Let |result| be the result of running [=shared storage database/store an entry in the database=] with |queue|, |databaseMap|, |environment|, |key|, and |value|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">delete(|key|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |result| be the result of running [=shared storage database/delete an entry from the database=] with |queue|, |databaseMap|, and |key|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">clear()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |result| be the result of running [=shared storage database/clear all entries in the database=] with |queue| and |databaseMap|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

## Getter Methods ## {#getter}

  <div algorithm>
    The <dfn method for="SharedStorage">get(|key|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |value| be the result of running [=shared storage database/retrieve an entry from the database=] with |queue|, |databaseMap|, |environment|, and |key|.
        1. If |value| is failure, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise, if |value| is undefined, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
        1. Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |value|.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">length()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |numEntries| be the result of running [=shared storage database/count entries in the database=] with |queue| and |environment|.
        1. If |numEntries| is failure, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |numEntries|.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">remainingBudget()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |allowedInOpaqueOriginContext| be false.
    1. If the result of running [=determine whether shared storage is allowed by context=] given |environment|, |realm|'s [=realm/settings object=]'s [=environment settings object/origin=], and |allowedInOpaqueOriginContext| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |site| be the result of running [=obtain a site=] with |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. [=Assert=]: |site| is not an [=opaque origin=].
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |remainingBudget| be the result of running [=determine remaining navigation budget=] with |site|.
        1. [=Resolve=] [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |remainingBudget|.
    1. Return |promise|.
  </div>

## Iteration ## {#iteration}

Each {{SharedStorage}} [=async iterator=] instance has a [=queue=] <dfn for=SharedStorageIterator>pending entries</dfn> of [=shared storage database/entry|entries=], initially [=list/empty=].

Each {{SharedStorage}} [=async iterator=] instance also has a {{boolean}} <dfn for=SharedStorageIterator>error</dfn>, initially false.

The [=SharedStorageIterator/asynchronous iterator initialization steps=] and [=SharedStorageIterator/get the next iteration result=] algorithms defined below correspond to those referred to as the [=/asynchronous iterator initialization steps=] and [=/get the next iteration result=] algorithms in the [=Web IDL Standard=].

  <div algorithm>
    The <dfn for="SharedStorageIterator">asynchronous iterator initialization steps</dfn> for a {{SharedStorage}} [=async iterator=] |iterator| are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |entries| be the result of running [=shared storage database/retrieve all entries from the database=] with |queue| and |environment|.
        1. If |entries| is failure, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |entries|.
    1. [=Upon fulfillment=] of |promise|, run the following:
        1. Let |promiseEntries| be the value of |promise|.
        1. [=map/iterate|For each=] [=shared storage database/entry=] |entry| in |promiseEntries|, [=queue/enqueue=] |entry| in |iterator|'s [=SharedStorageIterator/pending entries=].
    1. [=Upon rejection=] of |promise|, set |iterator|'s [=SharedStorageIterator/error=] to true.
  </div>

  <div algorithm>
    To<dfn for="SharedStorageIterator">get the next iteration result</dfn>, given a {{SharedStorage}}'s [=async iterator=] |iterator|, run the following steps:

    1. Let |promise| be a new [=promise=].
    1. [=Enqueue the following steps=]:
        1. If |iterator|'s [=SharedStorageIterator/error=] is true, return a [=promise rejected=] with a {{TypeError}}.
        1. If |iterator|'s [=SharedStorageIterator/pending entries=] is [=list/empty=]:
            1. Create an object |doneObject|.
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |doneObject|.
            1. Abort these steps.
        1. Otherwise, let |entry| be the result of [=queue/dequeue|dequeueing=] from |iterator|'s [=SharedStorageIterator/pending entries=].
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |entry|.
    1. Return |promise|.
  </div>

Triggering Operations Via HTTP Response Header {#http}
======================================================

While setter and deleter operations (e.g.. {{SharedStorage/set()}}, {{SharedStorage/append()}}, {{SharedStorage/delete()}}, {{SharedStorage/clear()}}) can be initiated via the above APIs for {{Window}} or {{SharedStorageWorkletGlobalScope}}, setter/deleter operations can alternatively be triggered via HTTP [=/response=] [=header=].

This will require monkey patches to the HTML and Fetch specifications.

# HTML Monkey Patches # {#html-monkeypatches}

## {{HTMLSharedStorageWritableElementUtils/sharedStorageWritable}} & <{iframe/sharedstoragewritable}> Attributes ## {#html-attr}

Define the following [=interface mixin=] and include it in the IDL [=interfaces=] for {{HTMLIFrameElement}} and {{HTMLImageElement}}:

<xmp class='idl'>
  interface mixin HTMLSharedStorageWritableElementUtils {
    [CEReactions, SecureContext] attribute boolean sharedStorageWritable;
  };

  HTMLIFrameElement includes HTMLSharedStorageWritableElementUtils;
  HTMLImageElement includes HTMLSharedStorageWritableElementUtils;
</xmp>

Add the following [=boolean attributes|boolean content attributes=]:

: <{iframe}>
:: <dfn for="iframe" element-attr>sharedstoragewritable</dfn>
: <{img}>
:: <dfn for="img" element-attr>sharedstoragewritable</dfn>

The IDL attribute {{HTMLSharedStorageWritableElementUtils/sharedStorageWritable}} must [=reflect=] the respective [=content attribute=] of the same name.

## HTML Algorithm Modifications ## {#html-algo}

### Modification to [=Update the image data=] Algorithm ### {#mod-update-img}

  <div algorithm="modification-to-update-the-image-data">
    Modify [=update the image data=] as follows:

    After the step

    > Set |request|'s [=request/priority=] to the current state...

    add the step

    1. If the element has the <{img/sharedstoragewritable}> attribute present, set |request|'s [=request/shared storage writable=] to true.
  </div>

### Modification to [=Create navigation params by fetching=] Algorithm ### {#mod-create-nav}

  <div algorithm="modification-to-create-navigation-params-by-fetching">
    Modify [=create navigation params by fetching=] as follows:

    After the step

    > Let |request| be a new [=Request/request=], with ...

    add the step

    1. If <var ignore=''>navigable</var>'s [=container=] is an <{iframe}> element, and if it has a <{iframe/sharedstoragewritable}> [=content attribute=], then set |request|'s [=request/shared storage writable=] to true.
  </div>

# Fetch Monkey Patches # {#fetch-monkeypatches}

## {{RequestInit/sharedStorageWritable}} Key ## {#fetch-attr}

  A [=/request=] has an associated [=/boolean=] <dfn for=request>shared storage writable</dfn>. Unless stated otherwise it is false.

  The {{RequestInit}} dictionary contains a {{RequestInit/sharedStorageWritable}} key:

<xmp class='idl'>
  partial dictionary RequestInit {
    boolean sharedStorageWritable;
  };
</xmp>

## Fetch Algorithm Modifications ## {#mod-fetch-algo}

### Modification to the [=request-constructor|Request Constructor=] Algorithm ### {#mod-request-con}

  <div algorithm="modification-to-request-constructor">
    Modify the [=request-constructor|new Request(input, init) constructor=] as follows:

    Before the step

    > Set this's [=Request/request=] to |request|.

    add the step

    1. If <var ignore=''>init</var>["{{RequestInit/sharedStorageWritable}}"] [=map/exists=], then set |request|'s [=request/shared storage writable=] to it.
  </div>

### Modification to [=HTTP network or cache fetch=] Algorithm ### {#mod-http-net-fetch}

  <div algorithm="modification-to-http-network-or-cache-fetch">
    Modify the [=HTTP network or cache fetch=] algorithm as follows:

    Before the step

    > Modify |httpRequest|'s [=request/header list=] per HTTP. ...

    add the step

    1. [=Append or modify a Sec-Shared-Storage-Writable request header=] for |httpRequest|.
  </div>

### Modification to [=HTTP fetch=] Algorithm ### {#mod-http-fetch}

  <div algorithm="modification-to-http-fetch">
    Modify the [=HTTP fetch=] algorithm as follows:

    Before the step

    > If |internalResponse|'s [=response/status=] is a [=redirect status=]: ...

    add the steps

    1. If |request|'s [=request/destination=] is "sharedstorageworklet":
        1. Let |dataOriginValue| be the result of [=header list/getting=] [:Sec-Shared-Storage-Data-Origin:] from |request|'s [=request/header list=].
        1. If |dataOriginValue| is not null, then:
            1. Let |dataOriginUrl| be the result of running a [=URL parser=] on |dataOriginValue|.
            1. [=Assert=] that |dataOriginUrl| is not failure.
            1. [=Assert=] that |request|'s [=request/origin=] is not "<code>client</code>".
            1. [=Assert=] that |request|'s [=request/origin=] and |request|'s [=request/URL=]'s [=url/origin=] are not [=same origin=].
            1. Let |allowed| be true.
            1. If |dataOriginUrl|'s [=url/origin=] and |request|'s [=request/URL=]'s [=url/origin=] are [=same origin=]:
                1. Let |responseHeaders| be |internalResponse|'s [=response/header list=].
                1. Let |allowed| be the result of running [=get a structured field value=] algorithm given [:Shared-Storage-Cross-Origin-Worklet-Allowed:], "item", and |responseHeaders| as input.
            1. If |allowed| is false, then return a [=network error=].
    1. [=Handle a Shared-Storage-Write response=], given [=/response=] |internalResponse| and [=/request=] <var ignore=''>request</var> as input.
  </div>

## Shared Storage HTTP Headers ## {#headers}

### [:Sec-Shared-Storage-Data-Origin:] Request Header ### {#data-origin-request-header}

  This specification defines a <dfn http-header>Sec-Shared-Storage-Data-Origin</dfn> HTTP [=/request=] [=header=].

  The [:Sec-Shared-Storage-Data-Origin:] [=/request=] [=header=] whose [=header/value=] is a [=string=].

  When the [:Sec-Shared-Storage-Data-Origin:] is sent during the [fetch a worklet/module worker script graph](#fetch-a-worklet-script-graph-monkey-patch) algorithm, its [=header/value=] is set to the serialized [=url/origin=] that owns the worklet's shared storage data.

### [:Shared-Storage-Cross-Origin-Worklet-Allowed:] Response Header ### {#cross-origin-response-header}

  This specification defines a <dfn http-header>Shared-Storage-Cross-Origin-Worklet-Allowed</dfn> HTTP [=/response=] [=header=].

  The [:Shared-Storage-Cross-Origin-Worklet-Allowed:] [=/response=] [=header=] is a [=Structured Header=] whose value must be a [=structured header/Boolean=].

  When a [=/response=] has [:Shared-Storage-Cross-Origin-Worklet-Allowed:] with value true, the worklet script's server has given permission for a cross-origin site to create a worklet using shared storage data from the worklet script's [=url/origin=].

### [:Sec-Shared-Storage-Writable:] Request Header ### {#writable-request-header}

  This specification defines a <dfn http-header>Sec-Shared-Storage-Writable</dfn> HTTP [=/request=] [=header=].

  The [:Sec-Shared-Storage-Writable:] [=/request=] [=header=] is a [=Structured Header=] whose value must be a [=structured header/Boolean=].

  When a [=/request=] sets [:Sec-Shared-Storage-Writable:] to true its [=/response=] will be able to write to [=shared storage=].

### [:Shared-Storage-Write:] Response Header ### {#write-response-header}

  This specification defines a <dfn http-header>Shared-Storage-Write</dfn> HTTP [=/response=] [=header=].

  The [:Shared-Storage-Write:] [=/response=] [=header=] is a [=Structured Header=] whose value must be a [=structured header/List=]. The following list members are defined. [=structured header/Tokens=] and [=structured header/Strings=] holding the same sequence of characters are considered equivalent. [=structured header/Byte Sequences=] representing [=UTF-8 encoded=] bytes are also allowed, in order to provide functionality for writing and deleting non-[=ASCII=] [=Unicode=] keys and values via HTTP headers.

  Unknown list members, including types that are neither strings nor [=structured header/Byte Sequences=], are skipped, and the rest of the list is processed as if they weren't present. Members are also skipped if they're missing required [=structured header/parameters=] or those parameters have unexpected types.

    * `set`
        - Required [=structured header/parameters=]:
            * `key` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
            * `value` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
        - Optional [=structured header/parameters|parameter=]:
            * `ignore_if_present` ([=structured header/Boolean=])
        - If the [=structured header/parameter=] value of `ignore_if_present` is null or false, or if the [=structured header/parameter=] value of `key` does not already exist in the [=shared storage database=] for the responding server's [=/origin=], `set` writes the [=shared storage database/entry=] consisting of the [=structured header/parameter=] values for `key` and `value`, as the [=shared storage database/entry=]'s [=entry/key=] and [=shared storage database/entry=]'s [=entry/value struct=]'s [=value struct/value=] respectively, in the [=shared storage database=] for the responding server's [=/origin=].
        - If the [=structured header/parameter=] value of `ignore_if_present` is true and the [=structured header/parameter=] value of `key` already exists in the [=shared storage database=] for the responding server's [=/origin=], then `set` is a no-op.
    * `append`
        - Required [=structured header/parameters=]:
            * `key` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
            * `value` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
        - If the [=structured header/parameter=] value of `key` already exists in the [=shared storage database=] for the responding server's [=/origin=], then `append` updates the [=entry/key=]'s [=shared storage database/entry=]'s [=entry/value struct=]'s [=value struct/value=] by appending the [=structured header/parameter=] value for `value` to it.
        - If the [=structured header/parameter=] value of `key` does not already exist in the [=shared storage database=] for the responding server's [=/origin=], `append` is equivalent to `set` with `ignore_if_present` false, i.e. `append` writes the [=shared storage database/entry=] consisting of the [=structured header/parameter=] values for `key` and `value`, as the [=shared storage database/entry=]'s [=entry/key=] and [=shared storage database/entry=]'s [=entry/value struct=]'s [=value struct/value=] respectively, in the [=shared storage database=] for the responding server's [=/origin=].
    * `delete`
        - Required [=structured header/parameters|parameter=]:
            * `key` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
        - `delete` erases any [=shared storage database/entry=] in the [=shared storage database=] for the responding server's [=/origin=] for which the [=entry/key=] is equal to the [=structured header/parameter=] value of `key`.
    * `clear`
        - `clear` erases all [=shared storage database/entries=] in the [=shared storage database=] for the responding server's [=/origin=].

    Note: We allow [=structured header/Byte Sequences=] in order to accommodate Unicode keys and values. Any [=structured header/Byte Sequence=] will be assumed to be [=UTF-8 encoded=] and will fail to parse otherwise.

<span class=todo>Add examples.</span>

## Shared Storage Fetch-Related Algorithms ## {#ss-fetch-algo}

  <div algorithm>
    To <dfn>determine whether a request can currently use shared storage</dfn>, given a [=/request=] |request|, perform the following steps:

    1. Let |window| to |request|'s [=request/window=].
    1. If |window| is not an [=environment settings object=] whose [=global object=] is a {{Window}}, return false.
    1. Let |allowedInOpaqueOriginContext| be true.
    1. If the result of running [=determine whether shared storage is allowed by context=] given |window|, |request|'s [=request/current URL=]'s [=url/origin=], and |allowedInOpaqueOriginContext| is false, return false.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |window| and |request|'s [=request/current URL=]'s [=url/origin=] is false, return false.

    Issue: The [=determine whether a request can currently use shared storage=] algorithm needs to take into account "opt-in features", as articulated in <a href="https://github.com/w3c/webappsec-permissions-policy/pull/499">https://github.com/w3c/webappsec-permissions-policy/pull/499</a>.
  </div>

  <div algorithm>
    To <dfn>append or modify a Sec-Shared-Storage-Writable request header</dfn>, given a [=/request=] |request|, perform the following steps:

    1. If |request|'s [=request/shared storage writable=] is not true, then return.

        Note: On a redirect, it is possible for |request|'s [=request/shared storage writable=] to be true, but for the redirect not to have permission to use shared storage, making the result of running [=determine whether a request can currently use shared storage=] on |request| false.

    1. If the result of running [=determine whether a request can currently use shared storage=] on |request| is false, [=header list/delete=] [:Sec-Shared-Storage-Writable:] from |request|'s [=request/header list=].
    1. Otherwise, [=header list/set a structured field value=] ([:Sec-Shared-Storage-Writable:], true) in |request|'s [=request/header list=].
  </div>

  <div algorithm>
    To <dfn>handle a Shared-Storage-Write response</dfn>, given a [=/response=] |response| and a [=/request=] |request|, perform the following steps:

    1. Let |sharedStorageWritable| the result of running [=get a structured field value=] algorithm given [:Sec-Shared-Storage-Writable:], "`item`", and |request|'s [=request/header list=] as input.
    1. If |sharedStorageWritable| is null, or |sharedStorageWritable| is not a [=structured header/Boolean=], or the value of |sharedStorageWritable| is false, return.
    1. Let |window| to |request|'s [=request/window=].
    1. [=Assert=]: |window| is an [=environment settings object=] whose [=global object=] is a {{Window}}.
    1. Let |sharedStorage| be |window|'s [=global object=]'s {{Window/sharedStorage}}.
    1. If |sharedStorage| is null, then return.
    1. Let |list| be |response|'s [=response/header list=].
    1. Let |operationsToParse| be the result of running [=get a structured field value=] algorithm given [:Shared-Storage-Write:], "`list`", and |list| as input.
    1. If |operationsToParse| is null or [=list/empty=], then return.
    1. For each tuple (|item|, |parameters|) in |operationsToParse|, perform the following steps:
        1. If |item| is an [=structured header/Inner List=], continue.
        1. [=Assert=]: |item| is an [=structured header/Bare Item=].
        1. Let |operationString| be the result of running [=get the string value=] for |item|.
        1. If |operationString| is failure, continue.
        1. Switch on |operationString|:
            <dl class=switch>
              <dt> If |operationString| is "`clear`":
                 <dd> Perform the following steps:
                     1. Run |sharedStorage|.{{SharedStorage/clear()|clear}}().
                     1. Continue.
              <dt> If |operationString| is "`delete`":
                <dd> Perform the following steps:
                     1. Let |key| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`key`".
                     1. If |key| is not null, run |sharedStorage|.{{SharedStorage/delete()|delete}}(|key|).
                     1. Continue.
              <dt> If |operationString| is "`append`":
                <dd> Perform the following steps:
                     1. Let |key| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`key`".
                     1. If |key| is null, continue.
                     1. Let |value| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`value`".
                     1. If |value| is not null, run |sharedStorage|.{{SharedStorage/append()|append}}(|key|, |value|).
                     1. Continue.
              <dt> If |operationString| is "`set`":
                <dd> Perform the following steps:
                     1. Let |key| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`key`".
                     1. If |key| is null, continue.
                     1. Let |value| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`value`".
                     1. If |value| is null, continue.
                     1. Let |options| be a new {{SharedStorageSetMethodOptions}}.
                     1. If the result of running [=obtain a boolean parameter value=] with |parameters| and "`ignore_if_present`" is true, [=map/set=] |options|["`ignoreIfPresent`"] to true.
                     1. Run |sharedStorage|.{{SharedStorage/set()|set}}(|key|, |value|, |options|).
                     1. Continue.
              <dt> If |operationString| is anything else:
                <dd> Continue.
            </dl>
  </div>

  <div algorithm>
    To <dfn>check if string-like</dfn> for a [=structured header/Bare Item=] |item|, do the following:
    1. If the |item| is a [=structured header/String=], [=structured header/Token=], or [=structured header/Byte Sequence=], return true.
    1. Otherwise, return false.
  </div>

  <div algorithm>
    To <dfn>get the string value</dfn> for a [=structured header/Bare Item=] |item|, do the following:
    1. If the result of running [=check if string-like=] on |item| is false, return failure.
    1. Switch on the type of |item|:
        <dl class=switch>
          <dt> If |item| is a [=structured header/Token=]:
          <dt> If |item| is a [=structured header/String=]:
            <dd> Perform the following steps:
                1. [=Assert=]: |item| is an [=ASCII string=].
                1. Return |item|.
          <dt> If |item| is a [=structured header/Byte Sequence=]:
            <dd> Perform the following steps:
                1. Let |fromUTF8| be the result of running [=UTF-8 decode=] on |item|.
                1. If |fromUTF8| is an error, return null.
                1. Return |fromUTF8|.
        </dl>
  </div>

  <div algorithm>
    To <dfn>obtain a string-like parameter value</dfn>, given a [=structured header/parameters|parameters map=] |parameters| and a [=structured header/Token=] |paramKey|, perform the following steps:
    1. If |parameters| does not [=map/contain=] |paramKey|, return null.
    1. If the result of [=check if string-like=] for |parameters|[|paramKey|] is false, return null.
    1. Return the result of running [=get the string value=] for |parameters|[|paramKey|].
  </div>

    <div algorithm>
    To <dfn>obtain a boolean parameter value</dfn>, given a [=structured header/parameters|parameters map=] |parameters| and a [=structured header/Token=] |paramKey|, perform the following steps:
    1. If |parameters| does not [=map/contain=] |paramKey|, return null.
    1. If |parameters|[|paramKey|] is not a [=structured header/Boolean=], return null.
    1. Return |parameters|[|paramKey|].
  </div>

Permissions Policy Integration {#permission}
============================================

This specification defines a [=policy-controlled feature=] identified by the string "<dfn for="PermissionsPolicy">shared-storage</dfn>," along with a second [=policy-controlled feature=] identified by "<dfn for="PermissionsPolicy">shared-storage-select-url</dfn>".

"[=PermissionsPolicy/shared-storage=]" gates access to Shared Storage in general, whereas "[=shared-storage-select-url=]" adds an exra permission layer to {{SharedStorageWorklet/selectURL()}}. For each of these, the default allowlist is *.

Clear Site Data Integration {#clear}
====================================
<span class=todo>Add details for Clear Site Data integration.</span>

Privacy Considerations {#privacy}
=================================

  The Shared Storage API attempts to provide the ability to use cross-site data for a range of use cases in a way that better protects user privacy than the use of third-party cookies. Shared Storage's main privacy safeguard is that read access of the data stored in its storage may only occur within an embedder's {{SharedStorageWorklet}}. Well-defined limits restrict output of data from the {{SharedStorageWorklet}} to a minimum.

  In particular, an embedder can select a [=/URL=] from a short list of [=/URL=]s based on data in their shared storage and then display the result in a [=fenced frame=]. The embedder will not be able to know which [=/URL=] was chosen except through specifc mechanisms that will be better-mitigated in the longer term. Currently, a few bits of entropy can leak each time that the user clicks on the [=fenced frame=] to initiate a [=top-level traversable=] [=navigate|navigation=] and/or the [=fenced frame=] calls the {{reportEvent()}} API.

  An embedder is also able to send aggregatable reports via the [=Private Aggregation=] API, which adds noise in order to achieve differential privacy, uses a time delay to send reports, imposes limits on the number of reports sent, and processes the reports into aggregate data so that individual privacy is protected.