Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 1244 insertions, 0 deletions

diff --git a/toolkit/components/antitracking/StorageAccessAPIHelper.cpp b/toolkit/components/antitracking/StorageAccessAPIHelper.cpp
new file mode 100644
index 0000000000..5baa2c2557
--- /dev/null
+++ b/toolkit/components/antitracking/StorageAccessAPIHelper.cpp
@@ -0,0 +1,1244 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "AntiTrackingLog.h"
+#include "StorageAccessAPIHelper.h"
+#include "AntiTrackingUtils.h"
+#include "TemporaryAccessGrantObserver.h"
+
+#include "mozilla/Components.h"
+#include "mozilla/ContentBlockingAllowList.h"
+#include "mozilla/ContentBlockingUserInteraction.h"
+#include "mozilla/dom/BindingDeclarations.h"
+#include "mozilla/dom/BrowsingContext.h"
+#include "mozilla/dom/BrowsingContextGroup.h"
+#include "mozilla/dom/ContentChild.h"
+#include "mozilla/dom/ContentParent.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/dom/FeaturePolicy.h"
+#include "mozilla/dom/WindowContext.h"
+#include "mozilla/dom/WindowGlobalParent.h"
+#include "mozilla/net/CookieJarSettings.h"
+#include "mozilla/PermissionManager.h"
+#include "mozilla/StaticPrefs_network.h"
+#include "mozilla/StaticPrefs_privacy.h"
+#include "mozilla/Telemetry.h"
+#include "mozIThirdPartyUtil.h"
+#include "nsContentUtils.h"
+#include "nsIClassifiedChannel.h"
+#include "nsICookiePermission.h"
+#include "nsICookieService.h"
+#include "nsIPermission.h"
+#include "nsIPrincipal.h"
+#include "nsIURI.h"
+#include "nsIURIClassifier.h"
+#include "nsIUrlClassifierFeature.h"
+#include "nsIOService.h"
+#include "nsIWebProgressListener.h"
+#include "nsScriptSecurityManager.h"
+#include "StorageAccess.h"
+#include "nsStringFwd.h"
+
+namespace mozilla {
+
+LazyLogModule gAntiTrackingLog("AntiTracking");
+
+}
+
+using namespace mozilla;
+using mozilla::dom::BrowsingContext;
+using mozilla::dom::ContentChild;
+using mozilla::dom::Document;
+using mozilla::dom::WindowGlobalParent;
+using mozilla::net::CookieJarSettings;
+
+namespace {
+
+bool GetTopLevelWindowId(BrowsingContext* aParentContext, uint32_t aBehavior,
+                         uint64_t& aTopLevelInnerWindowId) {
+  MOZ_ASSERT(aParentContext);
+
+  aTopLevelInnerWindowId =
+      (aBehavior == nsICookieService::BEHAVIOR_REJECT_TRACKER)
+          ? AntiTrackingUtils::GetTopLevelStorageAreaWindowId(aParentContext)
+          : AntiTrackingUtils::GetTopLevelAntiTrackingWindowId(aParentContext);
+  return aTopLevelInnerWindowId != 0;
+}
+
+}  // namespace
+
+/* static */ RefPtr<StorageAccessAPIHelper::StorageAccessPermissionGrantPromise>
+StorageAccessAPIHelper::AllowAccessForHelper(
+    nsIPrincipal* aPrincipal, dom::BrowsingContext* aParentContext,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason,
+    nsCOMPtr<nsIPrincipal>* aTrackingPrincipal, nsACString& aTrackingOrigin,
+    uint64_t* aTopLevelWindowId, uint32_t* aBehavior) {
+  MOZ_ASSERT(aParentContext);
+  MOZ_ASSERT(aTrackingPrincipal);
+  MOZ_ASSERT(aTopLevelWindowId);
+  MOZ_ASSERT(aBehavior);
+
+  switch (aReason) {
+    case ContentBlockingNotifier::eOpener:
+      if (!StaticPrefs::privacy_antitracking_enableWebcompat() ||
+          !StaticPrefs::
+              privacy_restrict3rdpartystorage_heuristic_window_open()) {
+        LOG(
+            ("Bailing out early because the window open heuristic is disabled "
+             "by pref"));
+        return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                    __func__);
+      }
+      break;
+    case ContentBlockingNotifier::eOpenerAfterUserInteraction:
+      if (!StaticPrefs::privacy_antitracking_enableWebcompat() ||
+          !StaticPrefs::
+              privacy_restrict3rdpartystorage_heuristic_opened_window_after_interaction()) {
+        LOG(
+            ("Bailing out early because the window open after interaction "
+             "heuristic is disabled by pref"));
+        return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                    __func__);
+      }
+      break;
+    default:
+      break;
+  }
+
+  if (MOZ_LOG_TEST(gAntiTrackingLog, mozilla::LogLevel::Debug)) {
+    nsAutoCString origin;
+    aPrincipal->GetOriginNoSuffix(origin);
+    LOG(("Adding a first-party storage exception for %s, triggered by %s",
+         PromiseFlatCString(origin).get(),
+         AntiTrackingUtils::GrantedReasonToString(aReason).get()));
+  }
+
+  RefPtr<dom::WindowContext> parentWindowContext =
+      aParentContext->GetCurrentWindowContext();
+  if (!parentWindowContext) {
+    LOG(
+        ("No window context found for our parent browsing context, bailing out "
+         "early"));
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  if (parentWindowContext->GetCookieBehavior().isNothing()) {
+    LOG(
+        ("No cookie behaviour found for our parent window context, bailing "
+         "out early"));
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  // Only add storage permission when there is a reason to do so.
+  *aBehavior = *parentWindowContext->GetCookieBehavior();
+  if (!CookieJarSettings::IsRejectThirdPartyContexts(*aBehavior)) {
+    LOG(
+        ("Disabled by network.cookie.cookieBehavior pref (%d), bailing out "
+         "early",
+         *aBehavior));
+    return StorageAccessPermissionGrantPromise::CreateAndResolve(true,
+                                                                 __func__);
+  }
+
+  MOZ_ASSERT(
+      *aBehavior == nsICookieService::BEHAVIOR_REJECT_TRACKER ||
+      *aBehavior ==
+          nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN);
+
+  // No need to continue when we are already in the allow list.
+  if (parentWindowContext->GetIsOnContentBlockingAllowList()) {
+    return StorageAccessPermissionGrantPromise::CreateAndResolve(true,
+                                                                 __func__);
+  }
+
+  // Make sure storage access isn't disabled
+  if (!aParentContext->IsTopContent() &&
+      Document::StorageAccessSandboxed(aParentContext->GetSandboxFlags())) {
+    LOG(("Our document is sandboxed"));
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  bool isParentThirdParty = parentWindowContext->GetIsThirdPartyWindow();
+
+  LOG(("The current resource is %s-party",
+       isParentThirdParty ? "third" : "first"));
+
+  // We are a first party resource.
+  if (!isParentThirdParty) {
+    nsAutoCString origin;
+    nsresult rv = aPrincipal->GetOriginNoSuffix(origin);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      LOG(("Can't get the origin from the URI"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+
+    aTrackingOrigin = origin;
+    *aTrackingPrincipal = aPrincipal;
+    *aTopLevelWindowId = aParentContext->GetCurrentInnerWindowId();
+    if (NS_WARN_IF(!*aTopLevelWindowId)) {
+      LOG(("Top-level storage area window id not found, bailing out early"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+
+  } else {
+    // We should be a 3rd party source.
+    if (*aBehavior == nsICookieService::BEHAVIOR_REJECT_TRACKER &&
+        !parentWindowContext->GetIsThirdPartyTrackingResourceWindow()) {
+      LOG(("Our window isn't a third-party tracking window"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+    if (*aBehavior ==
+            nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN &&
+        !isParentThirdParty) {
+      LOG(("Our window isn't a third-party window"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+
+    if (!GetTopLevelWindowId(aParentContext,
+                             // Don't request the ETP specific behaviour of
+                             // allowing only singly-nested iframes here,
+                             // because we are recording an allow permission.
+                             nsICookieService::BEHAVIOR_ACCEPT,
+                             *aTopLevelWindowId)) {
+      LOG(("Error while retrieving the parent window id, bailing out early"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+
+    // If we can't get the principal and tracking origin at this point, the
+    // tracking principal will be gotten while running ::CompleteAllowAccessFor
+    // in the parent.
+    if (aParentContext->IsInProcess()) {
+      if (!AntiTrackingUtils::GetPrincipalAndTrackingOrigin(
+              aParentContext, getter_AddRefs(*aTrackingPrincipal),
+              aTrackingOrigin)) {
+        LOG(
+            ("Error while computing the parent principal and tracking origin, "
+             "bailing out early"));
+        return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                    __func__);
+      }
+    }
+  }
+
+  // The only case that aParentContext is not in-process is when the heuristic
+  // is triggered because of user interactions.
+  MOZ_ASSERT_IF(
+      !aParentContext->IsInProcess(),
+      aReason == ContentBlockingNotifier::eOpenerAfterUserInteraction);
+
+  return nullptr;
+}
+
+// We MAY need information that is only accessible in the parent,
+// so we need to determine whether we can run it in the current process (in
+// most of cases it should be a child process).
+//
+// We will follow below algorithm to decide if we can continue to run in
+// the current process, otherwise, we need to ask the parent to continue
+// the work.
+// 1. Check if aParentContext is an in-process browsing context. If it isn't,
+//    we cannot proceed in the content process because we need the
+//    principal of the parent window. Otherwise, we go to step 2.
+// 2. Check if the grant reason is ePrivilegeStorageAccessForOriginAPI. In
+//    this case, we don't need to check the user interaction of the tracking
+//    origin. So, we can proceed in the content process. Otherwise, go to
+//    step 3.
+// 2. tracking origin is not third-party with respect to the parent window
+//    (aParentContext). This is because we need to test whether the user
+//    has interacted with the tracking origin before, and this info is
+//    not supposed to be seen from cross-origin processes.
+
+/* static */ RefPtr<StorageAccessAPIHelper::StorageAccessPermissionGrantPromise>
+StorageAccessAPIHelper::AllowAccessForOnParentProcess(
+    nsIPrincipal* aPrincipal, dom::BrowsingContext* aParentContext,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason,
+    const StorageAccessAPIHelper::PerformPermissionGrant& aPerformFinalChecks) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(aParentContext);
+
+  uint32_t behavior;
+  uint64_t topLevelWindowId;
+  nsCOMPtr<nsIPrincipal> trackingPrincipal;
+  nsAutoCString trackingOrigin;
+
+  RefPtr<StorageAccessPermissionGrantPromise> returnPromise =
+      AllowAccessForHelper(aPrincipal, aParentContext, aReason,
+                           &trackingPrincipal, trackingOrigin,
+                           &topLevelWindowId, &behavior);
+  if (returnPromise) {
+    return returnPromise;
+  }
+
+  return StorageAccessAPIHelper::CompleteAllowAccessForOnParentProcess(
+      aParentContext, topLevelWindowId, trackingPrincipal, trackingOrigin,
+      behavior, aReason, aPerformFinalChecks);
+}
+
+/* static */ RefPtr<StorageAccessAPIHelper::StorageAccessPermissionGrantPromise>
+StorageAccessAPIHelper::AllowAccessForOnChildProcess(
+    nsIPrincipal* aPrincipal, dom::BrowsingContext* aParentContext,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason,
+    const StorageAccessAPIHelper::PerformPermissionGrant& aPerformFinalChecks) {
+  MOZ_ASSERT(XRE_IsContentProcess());
+  MOZ_ASSERT(aParentContext);
+
+  uint32_t behavior;
+  uint64_t topLevelWindowId;
+  nsCOMPtr<nsIPrincipal> trackingPrincipal;
+  nsAutoCString trackingOrigin;
+
+  RefPtr<StorageAccessPermissionGrantPromise> returnPromise =
+      AllowAccessForHelper(aPrincipal, aParentContext, aReason,
+                           &trackingPrincipal, trackingOrigin,
+                           &topLevelWindowId, &behavior);
+  if (returnPromise) {
+    return returnPromise;
+  }
+
+  // We should run in the parent process when the tracking origin is
+  // third-party with respect to it's parent window. This is because we can't
+  // test if the user has interacted with the third-party origin in the child
+  // process.
+  if (aParentContext->IsInProcess()) {
+    bool isThirdParty;
+    nsCOMPtr<nsIPrincipal> principal =
+        AntiTrackingUtils::GetPrincipal(aParentContext);
+    if (!principal) {
+      LOG(("Can't get the principal from the browsing context"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+    Unused << trackingPrincipal->IsThirdPartyPrincipal(principal,
+                                                       &isThirdParty);
+    if (aReason ==
+            ContentBlockingNotifier::ePrivilegeStorageAccessForOriginAPI ||
+        !isThirdParty) {
+      return StorageAccessAPIHelper::CompleteAllowAccessForOnChildProcess(
+          aParentContext, topLevelWindowId, trackingPrincipal, trackingOrigin,
+          behavior, aReason, aPerformFinalChecks);
+    }
+  }
+
+  // Only support PerformPermissionGrant when we run ::CompleteAllowAccessFor in
+  // the same process. This callback is only used by eStorageAccessAPI,
+  // which is always runned in the same process.
+  MOZ_ASSERT(!aPerformFinalChecks);
+
+  ContentChild* cc = ContentChild::GetSingleton();
+  MOZ_ASSERT(cc);
+
+  RefPtr<BrowsingContext> bc = aParentContext;
+  return cc
+      ->SendCompleteAllowAccessFor(aParentContext, topLevelWindowId,
+                                   trackingPrincipal, trackingOrigin, behavior,
+                                   aReason)
+      ->Then(GetCurrentSerialEventTarget(), __func__,
+             [bc, trackingOrigin, behavior,
+              aReason](const ContentChild::CompleteAllowAccessForPromise::
+                           ResolveOrRejectValue& aValue) {
+               if (aValue.IsResolve() && aValue.ResolveValue().isSome()) {
+                 // we don't call OnAllowAccessFor in the parent when this is
+                 // triggered by the opener heuristic, so we have to do it here.
+                 // See storePermission below for the reason.
+                 if (aReason == ContentBlockingNotifier::eOpener &&
+                     !bc->IsDiscarded()) {
+                   MOZ_ASSERT(bc->IsInProcess());
+                   StorageAccessAPIHelper::OnAllowAccessFor(bc, trackingOrigin,
+                                                            behavior, aReason);
+                 }
+                 return StorageAccessPermissionGrantPromise::CreateAndResolve(
+                     aValue.ResolveValue().value(), __func__);
+               }
+               return StorageAccessPermissionGrantPromise::CreateAndReject(
+                   false, __func__);
+             });
+}
+
+// CompleteAllowAccessFor is used to process the remaining work in
+// AllowAccessFor that may need to access information not accessible
+// in the current process.
+// This API supports running running in the child process and the
+// parent process. When running in the child, aParentContext must be in-process.
+//
+// Here lists the possible cases based on our heuristics:
+// 1. eStorageAccessAPI
+//    aParentContext is the browsing context of the document that calls this
+//    API, so it is always in-process. Since the tracking origin is the
+//    document's origin, it's same-origin to the parent window.
+//    CompleteAllowAccessFor runs in the same process as AllowAccessFor.
+//
+// 2. eOpener
+//    aParentContext is the browsing context of the opener that calls this
+//    API, so it is always in-process. However, when the opener is a first
+//    party and it opens a third-party window, the tracking origin is
+//    origin of the third-party window. In this case, we should
+//    run this API in the parent, as for the other cases, we can run in the
+//    same process.
+//
+// 3. eOpenerAfterUserInteraction
+//    aParentContext is the browsing context of the opener window, but
+//    AllowAccessFor is called by the opened window. So as long as
+//    aParentContext is not in-process, we should run in the parent.
+//
+// 4. ePrivilegeStorageAccessForOriginAPI
+//    aParentContext is the browsing context of the top window which calls the
+//    privilege API. So, it is always in-process. And we don't need to check the
+//    user interaction permission for the tracking origin in this case. We can
+//    run in the same process.
+/* static */ RefPtr<StorageAccessAPIHelper::StorageAccessPermissionGrantPromise>
+StorageAccessAPIHelper::CompleteAllowAccessForOnParentProcess(
+    dom::BrowsingContext* aParentContext, uint64_t aTopLevelWindowId,
+    nsIPrincipal* aTrackingPrincipal, const nsACString& aTrackingOrigin,
+    uint32_t aCookieBehavior,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason,
+    const PerformPermissionGrant& aPerformFinalChecks) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(aParentContext);
+
+  nsCOMPtr<nsIPrincipal> trackingPrincipal;
+  nsAutoCString trackingOrigin;
+  if (!aTrackingPrincipal) {
+    // User interaction is the only case that tracking principal is not
+    // available.
+    MOZ_ASSERT(aReason == ContentBlockingNotifier::eOpenerAfterUserInteraction);
+
+    if (!AntiTrackingUtils::GetPrincipalAndTrackingOrigin(
+            aParentContext, getter_AddRefs(trackingPrincipal),
+            trackingOrigin)) {
+      LOG(
+          ("Error while computing the parent principal and tracking origin, "
+           "bailing out early"));
+      return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                  __func__);
+    }
+  } else {
+    trackingPrincipal = aTrackingPrincipal;
+    trackingOrigin = aTrackingOrigin;
+  }
+
+  LOG(("Tracking origin is %s", PromiseFlatCString(trackingOrigin).get()));
+
+  // We hardcode this block reason since the first-party storage access
+  // permission is granted for the purpose of blocking trackers.
+  // Note that if aReason is eOpenerAfterUserInteraction and the
+  // trackingPrincipal is not in a blocklist, we don't check the
+  // user-interaction state, because it could be that the current process has
+  // just sent the request to store the user-interaction permission into the
+  // parent, without having received the permission itself yet.
+  //
+  // For ePrivilegeStorageAccessForOriginAPI, we explicitly don't check the user
+  // interaction for the tracking origin.
+
+  bool isInPrefList = false;
+  trackingPrincipal->IsURIInPrefList(
+      "privacy.restrict3rdpartystorage."
+      "userInteractionRequiredForHosts",
+      &isInPrefList);
+  if (aReason != ContentBlockingNotifier::ePrivilegeStorageAccessForOriginAPI &&
+      isInPrefList &&
+      !ContentBlockingUserInteraction::Exists(trackingPrincipal)) {
+    LOG_PRIN(("Tracking principal (%s) hasn't been interacted with before, "
+              "refusing to add a first-party storage permission to access it",
+              _spec),
+             trackingPrincipal);
+    ContentBlockingNotifier::OnDecision(
+        aParentContext, ContentBlockingNotifier::BlockingDecision::eBlock,
+        nsIWebProgressListener::STATE_COOKIES_BLOCKED_TRACKER);
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  // Ensure we can find the window before continuing, so we can safely
+  // execute storePermission.
+  if (aParentContext->IsInProcess() &&
+      (!aParentContext->GetDOMWindow() ||
+       !aParentContext->GetDOMWindow()->GetCurrentInnerWindow())) {
+    LOG(
+        ("No window found for our parent browsing context, bailing out "
+         "early"));
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  auto storePermission =
+      [aParentContext, aTopLevelWindowId, trackingOrigin, trackingPrincipal,
+       aCookieBehavior,
+       aReason](int aAllowMode) -> RefPtr<StorageAccessPermissionGrantPromise> {
+    MOZ_ASSERT(!aParentContext->IsInProcess());
+    // We don't have the window, send an IPC to the content process that
+    // owns the parent window. But there is a special case, for window.open,
+    // we'll return to the content process we need to inform when this
+    // function is done. So we don't need to create an extra IPC for the case.
+    if (aReason != ContentBlockingNotifier::eOpener) {
+      dom::ContentParent* cp = aParentContext->Canonical()->GetContentParent();
+      Unused << cp->SendOnAllowAccessFor(aParentContext, trackingOrigin,
+                                         aCookieBehavior, aReason);
+    }
+
+    Maybe<ContentBlockingNotifier::StorageAccessPermissionGrantedReason>
+        reportReason;
+    // We can directly report here if we can know the origin of the top.
+    ContentBlockingNotifier::ReportUnblockingToConsole(
+        aParentContext, NS_ConvertUTF8toUTF16(trackingOrigin), aReason);
+    // Set the report reason to nothing if we've already reported.
+    reportReason = Nothing();
+
+    LOG(("Saving the permission: trackingOrigin=%s", trackingOrigin.get()));
+    bool frameOnly = StaticPrefs::dom_storage_access_frame_only() &&
+                     aReason == ContentBlockingNotifier::eStorageAccessAPI;
+    return SaveAccessForOriginOnParentProcess(aTopLevelWindowId, aParentContext,
+                                              trackingPrincipal, aAllowMode,
+                                              frameOnly)
+        ->Then(GetCurrentSerialEventTarget(), __func__,
+               [aReason, trackingPrincipal](
+                   ParentAccessGrantPromise::ResolveOrRejectValue&& aValue) {
+                 if (!aValue.IsResolve()) {
+                   return StorageAccessPermissionGrantPromise::CreateAndReject(
+                       false, __func__);
+                 }
+                 // We only wish to observe user interaction in the case of a
+                 // "normal" requestStorageAccess grant. We do not observe user
+                 // interaction where the priveledged API is used. Acquiring
+                 // the storageAccessAPI permission for the first time will only
+                 // occur through the clicking accept on the doorhanger.
+                 if (aReason == ContentBlockingNotifier::eStorageAccessAPI) {
+                   ContentBlockingUserInteraction::Observe(trackingPrincipal);
+                 }
+                 return StorageAccessPermissionGrantPromise::CreateAndResolve(
+                     StorageAccessAPIHelper::eAllow, __func__);
+               });
+  };
+
+  if (aPerformFinalChecks) {
+    return aPerformFinalChecks()->Then(
+        GetCurrentSerialEventTarget(), __func__,
+        [storePermission](
+            StorageAccessPermissionGrantPromise::ResolveOrRejectValue&&
+                aValue) {
+          if (aValue.IsResolve()) {
+            return storePermission(aValue.ResolveValue());
+          }
+          return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                      __func__);
+        });
+  }
+  return storePermission(false);
+}
+
+/* static */ RefPtr<StorageAccessAPIHelper::StorageAccessPermissionGrantPromise>
+StorageAccessAPIHelper::CompleteAllowAccessForOnChildProcess(
+    dom::BrowsingContext* aParentContext, uint64_t aTopLevelWindowId,
+    nsIPrincipal* aTrackingPrincipal, const nsACString& aTrackingOrigin,
+    uint32_t aCookieBehavior,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason,
+    const PerformPermissionGrant& aPerformFinalChecks) {
+  MOZ_ASSERT_IF(XRE_IsContentProcess(), aParentContext->IsInProcess());
+  MOZ_ASSERT(XRE_IsContentProcess());
+  MOZ_ASSERT(aParentContext);
+  MOZ_ASSERT(aTrackingPrincipal);
+
+  nsCOMPtr<nsIPrincipal> trackingPrincipal;
+  nsAutoCString trackingOrigin;
+  trackingOrigin = aTrackingOrigin;
+  trackingPrincipal = aTrackingPrincipal;
+
+  LOG(("Tracking origin is %s", PromiseFlatCString(trackingOrigin).get()));
+
+  // We hardcode this block reason since the first-party storage access
+  // permission is granted for the purpose of blocking trackers.
+  // Note that if aReason is eOpenerAfterUserInteraction and the
+  // trackingPrincipal is not in a blocklist, we don't check the
+  // user-interaction state, because it could be that the current process has
+  // just sent the request to store the user-interaction permission into the
+  // parent, without having received the permission itself yet.
+  //
+  // For ePrivilegeStorageAccessForOriginAPI, we explicitly don't check the user
+  // interaction for the tracking origin.
+
+  bool isInPrefList = false;
+  aTrackingPrincipal->IsURIInPrefList(
+      "privacy.restrict3rdpartystorage."
+      "userInteractionRequiredForHosts",
+      &isInPrefList);
+  if (aReason != ContentBlockingNotifier::ePrivilegeStorageAccessForOriginAPI &&
+      isInPrefList &&
+      !ContentBlockingUserInteraction::Exists(aTrackingPrincipal)) {
+    LOG_PRIN(("Tracking principal (%s) hasn't been interacted with before, "
+              "refusing to add a first-party storage permission to access it",
+              _spec),
+             aTrackingPrincipal);
+    ContentBlockingNotifier::OnDecision(
+        aParentContext, ContentBlockingNotifier::BlockingDecision::eBlock,
+        nsIWebProgressListener::STATE_COOKIES_BLOCKED_TRACKER);
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  // Ensure we can find the window before continuing, so we can safely
+  // execute storePermission.
+  if (aParentContext->IsInProcess() &&
+      (!aParentContext->GetDOMWindow() ||
+       !aParentContext->GetDOMWindow()->GetCurrentInnerWindow())) {
+    LOG(
+        ("No window found for our parent browsing context, bailing out "
+         "early"));
+    return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                __func__);
+  }
+
+  auto storePermission =
+      [aParentContext, aTopLevelWindowId, trackingOrigin, trackingPrincipal,
+       aCookieBehavior,
+       aReason](int aAllowMode) -> RefPtr<StorageAccessPermissionGrantPromise> {
+    // Inform the window we granted permission for. This has to be done in the
+    // window's process. As a child this is always the case.
+    StorageAccessAPIHelper::OnAllowAccessFor(aParentContext, trackingOrigin,
+                                             aCookieBehavior, aReason);
+
+    Maybe<ContentBlockingNotifier::StorageAccessPermissionGrantedReason>
+        reportReason;
+    // We can directly report here if we can know the origin of the top.
+    if (aParentContext->Top()->IsInProcess()) {
+      ContentBlockingNotifier::ReportUnblockingToConsole(
+          aParentContext, NS_ConvertUTF8toUTF16(trackingOrigin), aReason);
+
+      // Set the report reason to nothing if we've already reported.
+      reportReason = Nothing();
+    } else {
+      // Set the report reason, so that we can know the reason when reporting
+      // in the parent.
+      reportReason.emplace(aReason);
+    }
+
+    ContentChild* cc = ContentChild::GetSingleton();
+    MOZ_ASSERT(cc);
+
+    LOG(
+        ("Asking the parent process to save the permission for us: "
+         "trackingOrigin=%s",
+         trackingOrigin.get()));
+
+    // This is not really secure, because here we have the content process
+    // sending the request of storing a permission.
+    bool frameOnly = StaticPrefs::dom_storage_access_frame_only() &&
+                     aReason == ContentBlockingNotifier::eStorageAccessAPI;
+    return cc
+        ->SendStorageAccessPermissionGrantedForOrigin(
+            aTopLevelWindowId, aParentContext, trackingPrincipal,
+            trackingOrigin, aAllowMode, reportReason, frameOnly)
+        ->Then(
+            GetCurrentSerialEventTarget(), __func__,
+            [aReason, trackingPrincipal](
+                const ContentChild::
+                    StorageAccessPermissionGrantedForOriginPromise::
+                        ResolveOrRejectValue& aValue) {
+              if (aValue.IsResolve()) {
+                if (aValue.ResolveValue() &&
+                    (aReason == ContentBlockingNotifier::eStorageAccessAPI)) {
+                  ContentBlockingUserInteraction::Observe(trackingPrincipal);
+                }
+                return StorageAccessPermissionGrantPromise::CreateAndResolve(
+                    aValue.ResolveValue(), __func__);
+              }
+              return StorageAccessPermissionGrantPromise::CreateAndReject(
+                  false, __func__);
+            });
+  };
+
+  if (aPerformFinalChecks) {
+    return aPerformFinalChecks()->Then(
+        GetCurrentSerialEventTarget(), __func__,
+        [storePermission](
+            StorageAccessPermissionGrantPromise::ResolveOrRejectValue&&
+                aValue) {
+          if (aValue.IsResolve()) {
+            return storePermission(aValue.ResolveValue());
+          }
+          return StorageAccessPermissionGrantPromise::CreateAndReject(false,
+                                                                      __func__);
+        });
+  }
+  return storePermission(false);
+}
+
+/* static */ void StorageAccessAPIHelper::OnAllowAccessFor(
+    dom::BrowsingContext* aParentContext, const nsACString& aTrackingOrigin,
+    uint32_t aCookieBehavior,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aReason) {
+  MOZ_ASSERT(aParentContext->IsInProcess());
+
+  // Let's inform the parent window and the other windows having the
+  // same tracking origin about the storage permission is granted
+  // if it is not a frame-only permission grant which does not propogate.
+  if (aReason != ContentBlockingNotifier::StorageAccessPermissionGrantedReason::
+                     eStorageAccessAPI ||
+      !StaticPrefs::dom_storage_access_frame_only()) {
+    StorageAccessAPIHelper::UpdateAllowAccessOnCurrentProcess(aParentContext,
+                                                              aTrackingOrigin);
+  }
+
+  // Let's inform the parent window.
+  nsCOMPtr<nsPIDOMWindowInner> parentInner =
+      AntiTrackingUtils::GetInnerWindow(aParentContext);
+  if (NS_WARN_IF(!parentInner)) {
+    return;
+  }
+
+  Document* doc = parentInner->GetExtantDoc();
+  if (NS_WARN_IF(!doc)) {
+    return;
+  }
+
+  if (!doc->GetChannel()) {
+    return;
+  }
+
+  Telemetry::AccumulateCategorical(
+      Telemetry::LABELS_STORAGE_ACCESS_GRANTED_COUNT::StorageGranted);
+
+  switch (aReason) {
+    case ContentBlockingNotifier::StorageAccessPermissionGrantedReason::
+        eStorageAccessAPI:
+      Telemetry::AccumulateCategorical(
+          Telemetry::LABELS_STORAGE_ACCESS_GRANTED_COUNT::StorageAccessAPI);
+      break;
+    case ContentBlockingNotifier::StorageAccessPermissionGrantedReason::
+        eOpenerAfterUserInteraction:
+      Telemetry::AccumulateCategorical(
+          Telemetry::LABELS_STORAGE_ACCESS_GRANTED_COUNT::OpenerAfterUI);
+      break;
+    case ContentBlockingNotifier::StorageAccessPermissionGrantedReason::eOpener:
+      Telemetry::AccumulateCategorical(
+          Telemetry::LABELS_STORAGE_ACCESS_GRANTED_COUNT::Opener);
+      break;
+    default:
+      break;
+  }
+
+  // Theoratically this can be done in the parent process. But right now,
+  // we need the channel while notifying content blocking events, and
+  // we don't have a trivial way to obtain the channel in the parent
+  // via BrowsingContext. So we just ask the child to do the work.
+  ContentBlockingNotifier::OnEvent(
+      doc->GetChannel(), false,
+      nsIWebProgressListener::STATE_COOKIES_BLOCKED_TRACKER, aTrackingOrigin,
+      Some(aReason));
+}
+
+/* static */
+RefPtr<mozilla::StorageAccessAPIHelper::ParentAccessGrantPromise>
+StorageAccessAPIHelper::SaveAccessForOriginOnParentProcess(
+    uint64_t aTopLevelWindowId, BrowsingContext* aParentContext,
+    nsIPrincipal* aTrackingPrincipal, int aAllowMode, bool aFrameOnly,
+    uint64_t aExpirationTime) {
+  MOZ_ASSERT(aTopLevelWindowId != 0);
+  MOZ_ASSERT(aTrackingPrincipal);
+
+  if (!aTrackingPrincipal || aTrackingPrincipal->IsSystemPrincipal() ||
+      aTrackingPrincipal->GetIsNullPrincipal() ||
+      aTrackingPrincipal->GetIsExpandedPrincipal()) {
+    LOG(("aTrackingPrincipal is of invalid principal type"));
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  nsAutoCString trackingOrigin;
+  nsresult rv = aTrackingPrincipal->GetOriginNoSuffix(trackingOrigin);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  RefPtr<WindowGlobalParent> wgp =
+      WindowGlobalParent::GetByInnerWindowId(aTopLevelWindowId);
+  if (!wgp) {
+    LOG(("Can't get window global parent"));
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  // If the permission is granted on a first-party window, also have to update
+  // the permission to all the other windows with the same tracking origin (in
+  // the same tab), if any, only it is not a frame-only permission grant which
+  // does not propogate.
+  if (!aFrameOnly) {
+    StorageAccessAPIHelper::UpdateAllowAccessOnParentProcess(aParentContext,
+                                                             trackingOrigin);
+  }
+
+  return StorageAccessAPIHelper::SaveAccessForOriginOnParentProcess(
+      wgp->DocumentPrincipal(), aTrackingPrincipal, aAllowMode, aFrameOnly,
+      aExpirationTime);
+}
+
+/* static */
+RefPtr<mozilla::StorageAccessAPIHelper::ParentAccessGrantPromise>
+StorageAccessAPIHelper::SaveAccessForOriginOnParentProcess(
+    nsIPrincipal* aParentPrincipal, nsIPrincipal* aTrackingPrincipal,
+    int aAllowMode, bool aFrameOnly, uint64_t aExpirationTime) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(aAllowMode == eAllow || aAllowMode == eAllowAutoGrant);
+
+  if (!aParentPrincipal || !aTrackingPrincipal) {
+    LOG(("Invalid input arguments passed"));
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  };
+
+  if (aTrackingPrincipal->IsSystemPrincipal() ||
+      aTrackingPrincipal->GetIsNullPrincipal() ||
+      aTrackingPrincipal->GetIsExpandedPrincipal()) {
+    LOG(("aTrackingPrincipal is of invalid principal type"));
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  nsAutoCString trackingOrigin;
+  nsresult rv = aTrackingPrincipal->GetOriginNoSuffix(trackingOrigin);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  LOG_PRIN(("Saving a first-party storage permission on %s for "
+            "trackingOrigin=%s",
+            _spec, trackingOrigin.get()),
+           aParentPrincipal);
+
+  if (NS_WARN_IF(!aParentPrincipal)) {
+    // The child process is sending something wrong. Let's ignore it.
+    LOG(("aParentPrincipal is null, bailing out early"));
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  PermissionManager* permManager = PermissionManager::GetInstance();
+  if (NS_WARN_IF(!permManager)) {
+    LOG(("Permission manager is null, bailing out early"));
+    return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+  }
+
+  // Remember that this pref is stored in seconds!
+  uint32_t expirationType = nsIPermissionManager::EXPIRE_TIME;
+  uint32_t expirationTime = aExpirationTime * 1000;
+  int64_t when = (PR_Now() / PR_USEC_PER_MSEC) + expirationTime;
+
+  uint32_t privateBrowsingId = 0;
+  rv = aParentPrincipal->GetPrivateBrowsingId(&privateBrowsingId);
+  if ((!NS_WARN_IF(NS_FAILED(rv)) && privateBrowsingId > 0) ||
+      (aAllowMode == eAllowAutoGrant)) {
+    // If we are coming from a private window or are automatically granting a
+    // permission, make sure to store a session-only permission which won't
+    // get persisted to disk.
+    expirationType = nsIPermissionManager::EXPIRE_SESSION;
+    when = 0;
+  }
+
+  nsAutoCString type;
+  if (aFrameOnly) {
+    bool success = AntiTrackingUtils::CreateStorageFramePermissionKey(
+        aTrackingPrincipal, type);
+    if (NS_WARN_IF(!success)) {
+      return ParentAccessGrantPromise::CreateAndReject(false, __func__);
+    }
+  } else {
+    AntiTrackingUtils::CreateStoragePermissionKey(trackingOrigin, type);
+  }
+
+  LOG(
+      ("Computed permission key: %s, expiry: %u, proceeding to save in the "
+       "permission manager",
+       type.get(), expirationTime));
+
+  rv = permManager->AddFromPrincipal(aParentPrincipal, type,
+                                     nsIPermissionManager::ALLOW_ACTION,
+                                     expirationType, when);
+  Unused << NS_WARN_IF(NS_FAILED(rv));
+
+  if (StaticPrefs::privacy_antitracking_testing()) {
+    nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+    obs->NotifyObservers(nullptr, "antitracking-test-storage-access-perm-added",
+                         nullptr);
+  }
+
+  if (NS_SUCCEEDED(rv) && (aAllowMode == eAllowAutoGrant)) {
+    // Make sure temporary access grants do not survive more than 24 hours.
+    TemporaryAccessGrantObserver::Create(permManager, aParentPrincipal, type);
+  }
+
+  LOG(("Result: %s", NS_SUCCEEDED(rv) ? "success" : "failure"));
+  return ParentAccessGrantPromise::CreateAndResolve(rv, __func__);
+}
+
+// static
+Maybe<bool>
+StorageAccessAPIHelper::CheckCookiesPermittedDecidesStorageAccessAPI(
+    nsICookieJarSettings* aCookieJarSettings,
+    nsIPrincipal* aRequestingPrincipal) {
+  MOZ_ASSERT(aCookieJarSettings);
+  MOZ_ASSERT(aRequestingPrincipal);
+  uint32_t cookiePermission = detail::CheckCookiePermissionForPrincipal(
+      aCookieJarSettings, aRequestingPrincipal);
+  if (cookiePermission == nsICookiePermission::ACCESS_ALLOW ||
+      cookiePermission == nsICookiePermission::ACCESS_SESSION) {
+    return Some(true);
+  }
+
+  if (cookiePermission == nsICookiePermission::ACCESS_DENY) {
+    return Some(false);
+  }
+
+  if (ContentBlockingAllowList::Check(aCookieJarSettings)) {
+    return Some(true);
+  }
+  return Nothing();
+}
+
+/* static */ RefPtr<MozPromise<Maybe<bool>, nsresult, true>>
+StorageAccessAPIHelper::
+    AsyncCheckCookiesPermittedDecidesStorageAccessAPIOnChildProcess(
+        dom::BrowsingContext* aBrowsingContext,
+        nsIPrincipal* aRequestingPrincipal) {
+  MOZ_ASSERT(XRE_IsContentProcess());
+
+  ContentChild* cc = ContentChild::GetSingleton();
+  MOZ_ASSERT(cc);
+
+  return cc
+      ->SendTestCookiePermissionDecided(aBrowsingContext, aRequestingPrincipal)
+      ->Then(
+          GetCurrentSerialEventTarget(), __func__,
+          [](const ContentChild::TestCookiePermissionDecidedPromise::
+                 ResolveOrRejectValue& aPromise) {
+            if (aPromise.IsResolve()) {
+              return MozPromise<Maybe<bool>, nsresult, true>::CreateAndResolve(
+                  aPromise.ResolveValue(), __func__);
+            }
+            return MozPromise<Maybe<bool>, nsresult, true>::CreateAndReject(
+                NS_ERROR_UNEXPECTED, __func__);
+          });
+}
+
+// static
+Maybe<bool> StorageAccessAPIHelper::CheckBrowserSettingsDecidesStorageAccessAPI(
+    nsICookieJarSettings* aCookieJarSettings, bool aThirdParty,
+    bool aIsOnThirdPartySkipList, bool aIsThirdPartyTracker) {
+  MOZ_ASSERT(aCookieJarSettings);
+  uint32_t behavior = aCookieJarSettings->GetCookieBehavior();
+  switch (behavior) {
+    case nsICookieService::BEHAVIOR_ACCEPT:
+      return Some(true);
+    case nsICookieService::BEHAVIOR_REJECT_FOREIGN:
+      if (!aThirdParty) {
+        return Some(true);
+      }
+      return Some(false);
+    case nsICookieService::BEHAVIOR_REJECT:
+      return Some(false);
+    case nsICookieService::BEHAVIOR_LIMIT_FOREIGN:
+      if (!aThirdParty) {
+        return Some(true);
+      }
+      return Some(false);
+    case nsICookieService::BEHAVIOR_REJECT_TRACKER:
+      if (!aIsThirdPartyTracker) {
+        return Some(true);
+      }
+      if (aIsOnThirdPartySkipList) {
+        return Some(true);
+      }
+      return Nothing();
+    case nsICookieService::BEHAVIOR_REJECT_TRACKER_AND_PARTITION_FOREIGN:
+      if (aIsOnThirdPartySkipList) {
+        return Some(true);
+      }
+      return Nothing();
+    default:
+      MOZ_ASSERT_UNREACHABLE("Must not have undefined cookie behavior");
+  }
+  MOZ_ASSERT_UNREACHABLE("Must not have undefined cookie behavior");
+  return Nothing();
+}
+
+// static
+Maybe<bool> StorageAccessAPIHelper::CheckCallingContextDecidesStorageAccessAPI(
+    Document* aDocument, bool aRequestingStorageAccess) {
+  MOZ_ASSERT(aDocument);
+
+  if (!aDocument->IsCurrentActiveDocument()) {
+    return Some(false);
+  }
+
+  if (aRequestingStorageAccess) {
+    // Perform a Permission Policy Request
+    dom::FeaturePolicy* policy = aDocument->FeaturePolicy();
+    MOZ_ASSERT(policy);
+
+    if (!policy->AllowsFeature(u"storage-access"_ns,
+                               dom::Optional<nsAString>())) {
+      nsContentUtils::ReportToConsole(
+          nsIScriptError::errorFlag, nsLiteralCString("requestStorageAccess"),
+          aDocument, nsContentUtils::eDOM_PROPERTIES,
+          "RequestStorageAccessPermissionsPolicy");
+      return Some(false);
+    }
+  }
+
+  RefPtr<BrowsingContext> bc = aDocument->GetBrowsingContext();
+  if (!bc) {
+    return Some(false);
+  }
+
+  // Check if NodePrincipal is not null
+  if (!aDocument->NodePrincipal()) {
+    return Some(false);
+  }
+
+  // If the document doesn't have a secure context, reject. The Static Pref is
+  // used to pass existing tests that do not fulfil this check.
+  if (StaticPrefs::dom_storage_access_dont_grant_insecure_contexts() &&
+      !aDocument->NodePrincipal()->GetIsOriginPotentiallyTrustworthy()) {
+    // Report the error to the console if we are requesting access
+    if (aRequestingStorageAccess) {
+      nsContentUtils::ReportToConsole(
+          nsIScriptError::errorFlag, nsLiteralCString("requestStorageAccess"),
+          aDocument, nsContentUtils::eDOM_PROPERTIES,
+          "RequestStorageAccessNotSecureContext");
+    }
+    return Some(false);
+  }
+
+  // If the document has a null origin, reject.
+  if (aDocument->NodePrincipal()->GetIsNullPrincipal()) {
+    // Report an error to the console for this case if we are requesting access
+    if (aRequestingStorageAccess) {
+      nsContentUtils::ReportToConsole(
+          nsIScriptError::errorFlag, nsLiteralCString("requestStorageAccess"),
+          aDocument, nsContentUtils::eDOM_PROPERTIES,
+          "RequestStorageAccessNullPrincipal");
+    }
+    return Some(false);
+  }
+
+  if (!AntiTrackingUtils::IsThirdPartyDocument(aDocument)) {
+    return Some(true);
+  }
+
+  if (aDocument->IsTopLevelContentDocument()) {
+    return Some(true);
+  }
+
+  if (aRequestingStorageAccess) {
+    if (aDocument->StorageAccessSandboxed()) {
+      nsContentUtils::ReportToConsole(
+          nsIScriptError::errorFlag, nsLiteralCString("requestStorageAccess"),
+          aDocument, nsContentUtils::eDOM_PROPERTIES,
+          "RequestStorageAccessSandboxed");
+      return Some(false);
+    }
+  }
+  return Nothing();
+}
+
+// static
+Maybe<bool>
+StorageAccessAPIHelper::CheckSameSiteCallingContextDecidesStorageAccessAPI(
+    dom::Document* aDocument, bool aRequireUserActivation) {
+  MOZ_ASSERT(aDocument);
+  if (aRequireUserActivation) {
+    if (!aDocument->HasValidTransientUserGestureActivation()) {
+      // Report an error to the console for this case
+      nsContentUtils::ReportToConsole(
+          nsIScriptError::errorFlag, nsLiteralCString("requestStorageAccess"),
+          aDocument, nsContentUtils::eDOM_PROPERTIES,
+          "RequestStorageAccessUserGesture");
+      return Some(false);
+    }
+  }
+
+  nsIChannel* chan = aDocument->GetChannel();
+  if (!chan) {
+    return Some(false);
+  }
+  nsCOMPtr<nsILoadInfo> loadInfo = chan->LoadInfo();
+  if (loadInfo->GetIsThirdPartyContextToTopWindow()) {
+    return Some(false);
+  }
+
+  // If the document has a null origin, reject.
+  if (aDocument->NodePrincipal()->GetIsNullPrincipal()) {
+    // Report an error to the console for this case
+    nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
+                                    nsLiteralCString("requestStorageAccess"),
+                                    aDocument, nsContentUtils::eDOM_PROPERTIES,
+                                    "RequestStorageAccessNullPrincipal");
+    return Some(false);
+  }
+  return Maybe<bool>();
+}
+
+// static
+Maybe<bool>
+StorageAccessAPIHelper::CheckExistingPermissionDecidesStorageAccessAPI(
+    dom::Document* aDocument, bool aRequestingStorageAccess) {
+  MOZ_ASSERT(aDocument);
+  if (aDocument->StorageAccessSandboxed()) {
+    if (aRequestingStorageAccess) {
+      nsContentUtils::ReportToConsole(
+          nsIScriptError::errorFlag, nsLiteralCString("requestStorageAccess"),
+          aDocument, nsContentUtils::eDOM_PROPERTIES,
+          "RequestStorageAccessSandboxed");
+    }
+    return Some(false);
+  }
+  if (aDocument->UsingStorageAccess()) {
+    return Some(true);
+  }
+  return Nothing();
+}
+
+// static
+RefPtr<StorageAccessAPIHelper::StorageAccessPermissionGrantPromise>
+StorageAccessAPIHelper::RequestStorageAccessAsyncHelper(
+    dom::Document* aDocument, nsPIDOMWindowInner* aInnerWindow,
+    dom::BrowsingContext* aBrowsingContext, nsIPrincipal* aPrincipal,
+    bool aHasUserInteraction, bool aRequireUserInteraction, bool aFrameOnly,
+    ContentBlockingNotifier::StorageAccessPermissionGrantedReason aNotifier,
+    bool aRequireGrant) {
+  MOZ_ASSERT(aDocument);
+  MOZ_ASSERT(XRE_IsContentProcess());
+
+  if (!aRequireGrant) {
+    // Try to allow access for the given principal.
+    return StorageAccessAPIHelper::AllowAccessForOnChildProcess(
+        aPrincipal, aBrowsingContext, aNotifier);
+  }
+
+  RefPtr<nsIPrincipal> principal(aPrincipal);
+
+  // This is a lambda function that has some variables bound to it. It will be
+  // called later in CompleteAllowAccessFor inside of AllowAccessFor.
+  auto performPermissionGrant = aDocument->CreatePermissionGrantPromise(
+      aInnerWindow, principal, aHasUserInteraction, aRequireUserInteraction,
+      Nothing(), aFrameOnly);
+
+  // Try to allow access for the given principal.
+  return StorageAccessAPIHelper::AllowAccessForOnChildProcess(
+      principal, aBrowsingContext, aNotifier, performPermissionGrant);
+}
+
+// There are two methods to handle permission update:
+// 1. UpdateAllowAccessOnCurrentProcess
+// 2. UpdateAllowAccessOnParentProcess
+//
+// In general, UpdateAllowAccessOnCurrentProcess is used to propagate storage
+// permission to same-origin frames in the same tab.
+// UpdateAllowAccessOnParentProcess is used to propagate storage permission to
+// same-origin frames in the same agent cluster.
+//
+// However, there is an exception in fission mode. When the heuristic is
+// triggered by a first-party window, for instance, a first-party script calls
+// window.open(tracker), we can't update 3rd-party frames's storage permission
+// in the child process that triggers the permission update because the
+// first-party and the 3rd-party are not in the same process. In this case, we
+// should update the storage permission in UpdateAllowAccessOnParentProcess.
+
+// This function is used to update permission to all in-process windows, so it
+// can be called either from the parent or the child.
+/* static */
+void StorageAccessAPIHelper::UpdateAllowAccessOnCurrentProcess(
+    BrowsingContext* aParentContext, const nsACString& aTrackingOrigin) {
+  MOZ_ASSERT(aParentContext && aParentContext->IsInProcess());
+
+  bool useRemoteSubframes;
+  aParentContext->GetUseRemoteSubframes(&useRemoteSubframes);
+
+  if (useRemoteSubframes && aParentContext->IsTopContent()) {
+    // If we are a first-party and we are in fission mode, bail out early
+    // because we can't do anything here.
+    return;
+  }
+
+  BrowsingContext* top = aParentContext->Top();
+
+  // Propagate the storage permission to same-origin frames in the same tab.
+  top->PreOrderWalk([&](BrowsingContext* aContext) {
+    // Only check browsing contexts that are in-process.
+    if (aContext->IsInProcess()) {
+      nsAutoCString origin;
+      Unused << AntiTrackingUtils::GetPrincipalAndTrackingOrigin(
+          aContext, nullptr, origin);
+
+      if (aTrackingOrigin == origin) {
+        nsCOMPtr<nsPIDOMWindowInner> inner =
+            AntiTrackingUtils::GetInnerWindow(aContext);
+        if (inner) {
+          inner->SaveStorageAccessPermissionGranted();
+        }
+      }
+    }
+  });
+}
+
+/* static */
+void StorageAccessAPIHelper::UpdateAllowAccessOnParentProcess(
+    BrowsingContext* aParentContext, const nsACString& aTrackingOrigin) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  nsAutoCString topKey;
+  nsCOMPtr<nsIPrincipal> topPrincipal =
+      AntiTrackingUtils::GetPrincipal(aParentContext->Top());
+  PermissionManager::GetKeyForPrincipal(topPrincipal, false, true, topKey);
+
+  // Propagate the storage permission to same-origin frames in the same
+  // agent-cluster.
+  for (const auto& topContext : aParentContext->Group()->Toplevels()) {
+    if (topContext == aParentContext->Top()) {
+      // In non-fission mode, storage permission is stored in the top-level,
+      // don't need to propagate it to tracker frames.
+      bool useRemoteSubframes;
+      aParentContext->GetUseRemoteSubframes(&useRemoteSubframes);
+      if (!useRemoteSubframes) {
+        continue;
+      }
+      // If parent context is third-party, we already propagate permission
+      // in the child process, skip propagating here.
+      RefPtr<dom::WindowContext> ctx =
+          aParentContext->GetCurrentWindowContext();
+      if (ctx && ctx->GetIsThirdPartyWindow()) {
+        continue;
+      }
+    } else {
+      nsCOMPtr<nsIPrincipal> principal =
+          AntiTrackingUtils::GetPrincipal(topContext);
+      if (!principal) {
+        continue;
+      }
+
+      nsAutoCString key;
+      PermissionManager::GetKeyForPrincipal(principal, false, true, key);
+      // Make sure we only apply to frames that have the same top-level.
+      if (topKey != key) {
+        continue;
+      }
+    }
+
+    topContext->PreOrderWalk([&](BrowsingContext* aContext) {
+      WindowGlobalParent* wgp = aContext->Canonical()->GetCurrentWindowGlobal();
+      if (!wgp) {
+        return;
+      }
+
+      nsAutoCString origin;
+      AntiTrackingUtils::GetPrincipalAndTrackingOrigin(aContext, nullptr,
+                                                       origin);
+      if (aTrackingOrigin == origin) {
+        Unused << wgp->SendSaveStorageAccessPermissionGranted();
+      }
+    });
+  }
+}