spec.bs

<pre class='metadata'>
Title: Shared Storage API
Shortname: sharedStorage
Level: 1
Status: CG-DRAFT
Group: WICG
Repository: WICG/shared-storage
URL: https://github.com/WICG/shared-storage
Editor: Camillia Smith Barnes, Google https://google.com, cammie@chromium.org
Markup Shorthands: markdown yes
Abstract: Shared Storage is a storage API that is intentionally not partitioned by top-level traversable site (though still partitioned by context origin of course!). To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment that has carefully constructed output gates.
</pre>

<pre class=link-defaults>
spec:infra;
    type:dfn;
        text:user agent
        for:/; text:string
    type:dfn;
        for:/; text:list
spec:webidl;
    type:interface;
        text:double
    type:dfn;
        text:an exception was thrown
spec:html;
    type:dfn;
        for:realm; text:global object
        for:WorkerGlobalScope; text:module map
        for:navigable; text:top-level traversable
spec:fenced-frame;
    type:dfn;
        for:fencedframetype; text:fenced frame reporter
        for:browsing context; text:fenced frame config instance
</pre>

<pre class="anchors">
urlPrefix: https://www.ietf.org/rfc/rfc4122.txt
    type: dfn; text: urn uuid
spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
    type: dfn
        text: worklets; url: worklets.html#worklets
        text: added modules list; url: worklets.html#concept-worklet-added-modules-list
        text: set up a worklet environment settings object; url: worklets.html#set-up-a-worklet-environment-settings-object
        text: fetch a worklet/module worker script graph; url: webappapis.html#fetch-a-worklet/module-worker-script-graph
        text: fetch a worklet script graph; url: webappapis.html#fetch-a-worklet-script-graph
        text: processCustomFetchResponse; url: webappapis.html#fetching-scripts-processcustomfetchresponse
        text: environment; url: webappapis.html#environment
        text: worklet event loop; url: webappapis.html#worklet-event-loop
        text: obtaining a worklet agent; url: webappapis.html#obtain-a-worklet-agent
        text: beginning navigation; url: webappapis.html#beginning-navigation
        text: ending navigation; url: webappapis.html#ending-navigation
        text: get the top-level traversable; url: webappapis.html#nav-top
        text: boolean attributes; url: common-microsyntaxes.html#boolean-attributes
        text: content attributes; url: dom.html#concept-element-attributes
        text: update the image data; url: images.html#update-the-image-data
        text: create navigation params by fetching; url: browsing-the-web.html#create-navigation-params-by-fetchin
        text: serialization; for: origin; url: browsers.html#ascii-serialisation-of-an-origin
        text: initialize the navigable; url: document-sequences.html#initialize-the-navigable
spec: url; urlPrefix: https://url.spec.whatwg.org/
    type: dfn
        text: URL; for: /; url: concept-url
spec: dom; urlPrefix: https://dom.spec.whatwg.org/
    type: dfn
        text: origin; for: document; url: concept-document-origin
spec: infra; urlPrefix: https://infra.spec.whatwg.org
    type: dfn
        text: empty; for: map; url: map-is-empty
        text: ASCII; url: ascii-code-point
spec: webidl; urlPrefix: https://webidl.spec.whatwg.org
    type: dfn
        text: Web IDL Standard; url: introduction
        text: async iterator; url: idl-async-iterable
        text: promise; url: idl-promise
        text: promise rejected; url: a-promise-rejected-with
        text: promise resolved; url: a-promise-resolved-with
spec: storage; urlPrefix: https://storage.spec.whatwg.org/
    type: dfn
        text: storage model; url: model
        text: storage type; url: storage-type
        text: storage identifier; url: storage-identifier
        text: storage shed; url: storage-shed
        text: storage shelf; url: storage-shelf
        text: storage bucket; url: storage-bucket
        text: storage bottle; url: storage-bottle
        text: quota; for: storage bottle; url: storage-bottle-quota
        text: register; for: storage endpoint; url: registered-storage-endpoints
        text: quota; for: storage endpoint; url: storage-endpoint-quota
        text: bucket map; url: bucket-map
        text: bottle map; url: bottle-map
        text: storage proxy map; url: storage-proxy-map
        text: backing map; url: storage-proxy-map-backing-map
        text: proxy map reference set; url: storage-bottle-proxy-map-reference-set
spec: beacon; urlPrefix: https://w3c.github.io/beacon/
    type: dfn
        text: beacon; url: beacon
spec: ecma; urlPrefix: https://tc39.es/ecma262/
    type: dfn
        text: call; url: sec-call
        text: current realm; url: current-realm
        text: casting; url: sec-touint32
        text: Get; url: sec-get-o-p
        text: [[GetPrototypeOf]](); for: object; url: sec-ordinary-object-internal-methods-and-internal-slots-getprototypeof
        text: IsConstructor(); url: sec-isconstructor
spec: storage-partitioning; urlPrefix: https://privacycg.github.io/storage-partitioning/
    type: dfn
        text: client-side storage partitioning
spec: fetch; urlPrefix: https://fetch.spec.whatwg.org/
    type: dfn
        text: http network or cache fetch; url: concept-http-network-or-cache-fetch
        text: request-constructor; url: dom-request
spec: permissions-policy; urlPrefix: https://www.w3.org/TR/permissions-policy/
    type: dfn
        text: Is feature enabled in document for origin?; url: algo-is-feature-enabled
spec: attestation; urlPrefix: https://github.com/privacysandbox/attestation
    type: dfn
        text: enrolled
spec: private-aggregation-api; urlPrefix: https://patcg-individual-drafts.github.io/private-aggregation-api/
    type: dfn
        text: Private Aggregation; url:
        text: get the privateAggregation
        text: determine if an origin is an aggregation coordinator
        text: pre-specified report parameters
        for: pre-specified report parameters
            text: context ID
            text: filtering ID max bytes
        text: batching scope
        text: debug scope
        text: process contributions for a batching scope
        text: set the aggregation coordinator for a batching scope
        text: determine if a report should be sent deterministically
        text: mark a debug scope complete
        text: set the pre-specified report parameters for a batching scope
        text: aggregation coordinator
        text: default filtering id max bytes
        text: valid filtering id max bytes range
        text: context id
        text: scoping details
        for: scoping details
            text: get batching scope steps
            text: get debug scope steps
        text: private-aggregation
        for: PrivateAggregation
            text: allowed to use
            text: scoping details; url: #privateaggregation-scoping-details
    type: interface
        text: PrivateAggregation
spec: protected-audience; urlPrefix: https://wicg.github.io/turtledove/
    type: dfn
        for: PermissionsPolicy
            text: run-ad-auction
            text: join-ad-interest-group
        text: get storage interest groups for owner
    type: interface
        text: StorageInterestGroup; url: dictdef-storageinterestgroup
spec: fenced-frame; urlPrefix: https://wicg.github.io/fenced-frame/
    type: dfn
        text: fenced frame; url: the-fencedframe-element
        text: url; for: FencedFrameConfig; url: dom-fencedframeconfig-url
        text: fence.reportEvent(); url: dom-fence-reportevent
        text: FenceEvent; url: dictdef-fenceevent
        text: destination; for: FenceEvent; url: dom-fenceevent-destination
        text: eventData; for: FenceEvent; url: dom-fenceevent-eventdata
        text: eventType; for: FenceEvent; url: dom-fenceevent-eventtype
    type: interface
        text: FencedFrameConfig; url: fencedframeconfig
spec: rfc8941; urlPrefix: https://httpwg.org/specs/rfc8941.html
    type: dfn
        text: structured header; url: specify
        text: list; for: structured header; url: list
        text: parameters; for: structured header; url: param
        text: item; for: structured header; url: item
        text: string; for: structured header; url: string
        text: token; for: structured header; url: token
        text: byte sequence; for: structured header; url: binary
        text: boolean; for: structured header; url: boolean
        text: inner list; for: structured header; url: inner-list
        text: bare item; for: structured header; url: item
spec: wikipedia-entropy; urlPrefix: https://en.wikipedia.org/wiki/Entropy_(information_theory)
    type: dfn
        text: bits of entropy
        text: entropy bits
spec: shared-storage-explainer; urlPrefix: https://github.com/WICG/shared-storage
    type:dfn
        text: legitimate use cases; url: example-scenarios
spec: UUID; urlPrefix: https://www.ietf.org/rfc/rfc4122.txt
    type: dfn
        text: urn uuid; url: urn-uuid
</pre>

<style>
/* adapted from .XXX at https://resources.whatwg.org/standard.css */
.todo {
  color: #D50606;
  background: white;
  border: solid #D50606;
}

span.todo {
  padding-top: 0;
  padding-bottom: 0;
}

.todo::before { content: 'TODO: '; }

span.todo::before {
  left: 0;
  top: -0.25em;
}
</style>

Introduction {#intro}
=====================
<em>This section is not normative.</em>

In order to prevent cross-site user tracking, browsers are partitioning all forms of storage by [=top-level traversable=] site; see [=Client-Side Storage Partitioning=]. But, there are many [=legitimate use cases=] currently relying on unpartitioned storage.

This document introduces a new storage API that is intentionally not partitioned by [=top-level traversable=] site (though still partitioned by context origin), in order to serve a number of the use cases needing unpartitioned storage. To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment, called a worklet, and any output from the worklet is in the form of a [=fenced frame=] or a [=Private Aggregation=] report. Over time, there may be additional ouput gates included in the standard.

<div class="example">
  `a.example` randomly assigns users to groups in a way that is consistent cross-site.

  Inside an `a.example` iframe:
  <pre class="lang-js">
    function generateSeed() { … }
    await window.sharedStorage.worklet.addModule('experiment.js');

    // Only write a cross-site seed to a.example's storage if there isn't one yet.
    window.sharedStorage.set('seed', generateSeed(), { ignoreIfPresent: true });

    let fencedFrameConfig = await window.sharedStorage.selectURL(
      'select-url-for-experiment',
      [
        {url: "blob:https://a.example/123…", reportingMetadata: {"click": "https://report.example/1..."}},
        {url: "blob:https://b.example/abc…", reportingMetadata: {"click": "https://report.example/a..."}},
        {url: "blob:https://c.example/789…"}
      ],
      { data: { name: 'experimentA' } }
    );

    // Assumes that the fenced frame 'my-fenced-frame' has already been attached.
    document.getElementById('my-fenced-frame').config = fencedFrameConfig;
  </pre>

  inside the `experiment.js` worklet script:
  <pre class="lang-js">
    class SelectURLOperation {
      hash(experimentName, seed) { … }

      async run(urls, data) {
        const seed = await this.sharedStorage.get('seed');
        return hash(data.name, seed) % urls.length;
      }
    }
    register('select-url-for-experiment', SelectURLOperation);
  </pre>
</div>

The {{SharedStorageWorklet}} Interface {#worklet}
=================================================
The {{SharedStorageWorklet}} object allows developers to supply [=module scripts=] to process [=Shared Storage=] data and then output the result through one or more of the output gates. Currently there are two output gates, the [=Private Aggregation=] output gate and the {{SharedStorageWorklet/selectURL()|URL-selection}} output gate.

<xmp class='idl'>
  typedef (USVString or FencedFrameConfig) SharedStorageResponse;

  enum SharedStorageDataOrigin { "context-origin", "script-origin" };
</xmp>

<xmp class='idl'>
  [Exposed=(Window)]
  interface SharedStorageWorklet : Worklet {
    Promise<SharedStorageResponse> selectURL(DOMString name,
                                 sequence<SharedStorageUrlWithMetadata> urls,
                                 optional SharedStorageRunOperationMethodOptions options = {});
    Promise<any> run(DOMString name,
                     optional SharedStorageRunOperationMethodOptions options = {});
  };
</xmp>

Each {{SharedStorageWorklet}} has an associated boolean <dfn for="SharedStorageWorklet">addModule initiated</dfn>, initialized to false.

Each {{SharedStorageWorklet}} has an associated {{SharedStorageDataOrigin}} <dfn for="SharedStorageWorklet">data origin</dfn>, initialized to `"context-origin"`.

Each {{SharedStorageWorklet}} has an associated boolean <dfn for="SharedStorageWorklet">has cross-origin data origin</dfn>, initialized to false.

Because adding multiple [=module scripts=] via {{Worklet/addModule()}} for the same {{SharedStorageWorklet}} would give the caller the ability to store data from [=Shared Storage=] in global variables defined in the [=module scripts=] and then exfiltrate the data through later call(s) to {{Worklet/addModule()}}, each {{SharedStorageWorklet}} can only call {{Worklet/addModule()}} once. The [=addModule initiated=] boolean makes it possible to enforce this restriction.

When {{Worklet/addModule()}} is called for a worklet, it will run [=check if addModule is allowed and update state=], and if the result is "DisallowedDueToNonPreferenceError", or if the result is "DisallowedDueToPreferenceError" and the worklet's [=SharedStorageWorklet/has cross-origin data origin=] is false, it will cause {{Worklet/addModule()}} to fail, as detailed in the [[#add-module-monkey-patch]].

  <div algorithm>
    To <dfn>check if user preference setting allows access to shared storage</dfn> given an [=environment settings object=] |environment| and an [=/origin=] |origin|, run the following step:

    1. Using values available in |environment| and |origin| as needed, perform an [=implementation-defined=] algorithm to return either true or false.
  </div>

  <div algorithm>
    To <dfn>determine whether shared storage is allowed by context</dfn>, given an [=environment settings object=] |environment|, an [=/origin=] |origin|, and a boolean |allowedInOpaqueOriginContext|, run these steps:

    1. If |environment| is not a [=secure context=], then return false.
    1. If |allowedInOpaqueOriginContext| is false and |environment|'s [=environment settings object/origin=] is an [=opaque origin=], then return false.
    1. If |origin| is an [=opaque origin=], then return false.
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. [=Assert=]: |globalObject| is a {{Window}} or a {{SharedStorageWorkletGlobalScope}}.
    1. If |globalObject| is a {{Window}}, and if the result of running [=Is feature enabled in document for origin?=] on "[=PermissionsPolicy/shared-storage=]", |globalObject|'s [=associated document=], and |origin| returns false, then return false.
    1. If the result of running [=obtaining a site|obtain a site=] with |origin| is not [=enrolled=], then return false.
    1. Return true.
  </div>

  <div class="note">
    Here are the scenarios where the algorithms [=determine whether shared storage is allowed by context=] and [=check if user preference setting allows access to shared storage=] are used:

    - For creating a worklet, |environment| is the [=environment settings object=] associated with the {{Window}} that created the worklet, and |origin| is the module script url's [=url/origin=].
    - For running operations on a worklet (from a {{Window}}), |environment| is the [=environment settings object=] associated with the {{Window}} that created the worklet, and |origin| is the worklet's [=global scopes=][0]'s [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    - For [[#setter]], |environment| is either the current context (when called from a {{Window}}) or the [=environment settings object=] associated with the {{Window}} that created the worklet (when called from a {{SharedStorageWorkletGlobalScope}}), and |origin| is |environment|'s [=environment settings object/origin=].
    - For [[#ss-fetch-algo]], |environment| is the request's [=request/window=], and |origin| is the request's [=request/current URL=]'s [=url/origin=].
    - For [[#ss-fetch-algo]], for {{SharedStorage/createWorklet()}} called with a cross-origin worklet script using the <var ignore=''>dataOrigin</var> option with value `"script-origin"` (which would result in a worklet where [=SharedStorageWorklet/has cross-origin data origin=] is true), and for {{SharedStorageWorklet/selectURL()}} and {{SharedStorageWorklet/run()}} that operate on a worklet where [=SharedStorageWorklet/has cross-origin data origin=] is true, |allowedInOpaqueOriginContext| is true. For other methods, |allowedInOpaqueOriginContext| is false.
  </div>

  <div algorithm>
    To <dfn>check if addModule is allowed and update state</dfn> given a {{SharedStorageWorklet}} |worklet| and a [=/URL=] |moduleURLRecord|, run the following steps:
    1. If |worklet|'s [=addModule initiated=] is true, return "DisallowedDueToNonPreferenceError".
    1. Set |worklet|'s [=addModule initiated=] to true.
    1. Let |workletDataOrigin| be the [=current settings object=]'s [=environment settings object/origin=].
    1. If |worklet|'s [=SharedStorageWorklet/data origin=] is `"script-origin"`, set |workletDataOrigin| to |moduleURLRecord|'s [=url/origin=].
    1. Let |hasCrossOriginDataOrigin| be false.
    1. If |workletDataOrigin| and the [=current settings object=]'s [=environment settings object/origin=] are not [=same origin=], then set |hasCrossOriginDataOrigin| to true.
    1. Let |allowedInOpaqueOriginContext| be |hasCrossOriginDataOrigin|.
    1. If the result of running [=determine whether shared storage is allowed by context=] given the [=current settings object=], |workletDataOrigin|, and |allowedInOpaqueOriginContext| is false, return "DisallowedDueToNonPreferenceError".
    1. Set |worklet|'s [=SharedStorageWorklet/has cross-origin data origin=] to |hasCrossOriginDataOrigin|.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given the [=current settings object=] and |workletDataOrigin| is false, return "DisallowedDueToPreferenceError".
    1. Return "Allowed".
  </div>

Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes=], initially empty, can contain at most one instance of its [=worklet global scope type=], the {{SharedStorageWorkletGlobalScope}}.

  ## Run Operation Methods on {{SharedStorageWorklet}} ## {#run-op-shared-storage-worklet}

  <div algorithm>
    To <dfn>get the select-url result index</dfn>, given {{SharedStorageWorklet}} |worklet|, {{DOMString}} |operationName|, [=/list=] of [=strings=] |urlList|, an [=/origin=] |workletDataOrigin|, a [=/navigable=] |navigable|, {{SharedStorageRunOperationMethodOptions}} |options|, a [=pre-specified report parameters=] or null |preSpecifiedParams| and an [=aggregation coordinator=] or null |aggregationCoordinator|, run the following steps. This algorithm will return a [=tuple=] consisting of a [=promise=] that resolves into an {{unsigned long}} whose value is the index of the URL selected from |urlList| and a [=/boolean=] indicating whether the [top-level traversable's budgets](#charge-top-trav-budgets) should be [=charge shared storage top-level traversable budgets|charged=].

    1. Let |promise| be a new [=promise=].
    1. Let |window| be |worklet|'s [=relevant settings object=].
    1. [=Assert=]: |window| is a {{Window}}.
    1. If |window|'s [=Window/browsing context=] is null, then return the [=tuple=] of a ([=promise rejected=] with a {{TypeError}}, true).
    1. If |window|'s [=associated document=] is not [=fully active=], return the [=tuple=] of a ([=promise rejected=] with a {{TypeError}}, true).
    1. [=Assert=]: |worklet|'s [=global scopes=]'s [=list/size=] is 1.
    1. Let |globalScope| be |worklet|'s [=global scopes=][0].
    1. Let |moduleMapKeyTuples| be the result of running [=map/get the keys=] on |globalScope|'s [=relevant settings object=]'s [=module map=].
    1. [=Assert=]: |moduleMapKeyTuples| has [=map/size=] 1.
    1. Let |moduleURLRecord| be |moduleMapKeyTuples|[0][0].
    1. Let |savedQueryName| be |options|["`savedQuery`"].
    1. If |savedQueryName| is a [=string=] that is not the empty string, then:
        1. Let |callbackTask| be the result of running [=obtain a callback to process the saved index result=], given |window|, |urlList|, and |promise|.
        1. Let |savedIndex| be the result of running [=get the index for a saved query=] on |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and |callbackTask|.
        1. If |savedIndex| is "pending callback", then return the [=tuple=] (|promise|, false).

            Note: |callbackTask| is now stored to be run when a previously obtained worklet agent completes its operation to select the index for this query. When the steps of |callbackTask| are run, |promise| will be resolved.
        1. If |savedIndex| is an {{unsigned long}}, then:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to run the steps of |callbackTask|, given |savedIndex|.

                Note: Running the steps of |callbackTask| will resolve |promise|.
            1. Return the [=tuple=] (|promise|, false).
        1. [=Assert=] that |savedIndex| is "pending current operation".
    1. [=Queue a task=] on |globalScope|'s [=worklet event loop=] to perform the following steps:
        1. Let |operationMap| be |globalScope|'s [=SharedStorageWorkletGlobalScope/operation map=].
        1. If |operationMap| does not [=map/contain=] |operationName|, then [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}, and abort these steps.

            Note: This could happen if {{SharedStorageWorkletGlobalScope/register()}} was never called with |operationName|.

        1. [=Assert=]: |operationMap|[|operationName|]'s [=associated realm=] is [=this=]'s [=relevant realm=].
        1. Let |operation| be |operationMap|[|operationName|], [=converted to an IDL value|converted=] to {{RunFunctionForSharedStorageSelectURLOperation}}.
        1. Let |privateAggregationCompletionTask| be the result of [=setting up the Private Aggregation scopes=] given |workletDataOrigin|, |preSpecifiedParams| and |aggregationCoordinator|.
        1. Let |argumentsList| be the [=/list=] « |urlList| ».
        1. If |options|["{{SharedStorageRunOperationMethodOptions/data}}"] [=map/exists=], [=list/append=] it to |argumentsList|.
        1. Let |indexPromise| be the result of [=invoking=] |operation| with |argumentsList|.
        1. [=promise/React=] to |indexPromise|:

            <dl class="switch">
                :   If it was fulfilled with value |index|:
                ::  1. If |index| is greater than |urlList|'s [=list/size=], then:
                        1. If |savedQueryName| is a [=string=] that is not the empty string, then run [=store the index for a saved query=] with |window|, |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and the [=default selectURL index=].
                        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}, and abort these steps.

                        Note: The result index is beyond the input urls' size. This violates the selectURL() protocol, and we don't know which url should be selected.

                        Otherwise:
                        1. If |savedQueryName| is a [=string=] that is not the empty string, then run [=store the index for a saved query=] with |window|, |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and |index|.
                        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=resolve=] |promise| with |index|.
                        1. Run |privateAggregationCompletionTask|.

                :   If it was rejected:
                ::  1. If |savedQueryName| is a [=string=] that is not the empty string, then run [=store the index for a saved query=] with |window|, |navigable|, |workletDataOrigin|, |moduleURLRecord|, |operationName|, |savedQueryName|, and the [=default selectURL index=].
                    1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}.

                        Note: This indicates that either |operationCtor|'s run() method encounters an error (where |operationCtor| is the parameter in {{SharedStorageWorkletGlobalScope/register()}}), or the result |index| is a non-integer value, which violates the selectURL() protocol, and we don't know which url should be selected.
                    1. Run |privateAggregationCompletionTask|.
            </dl>
    1. Return the [=tuple=] (|promise|, true).
  </div>

  <div algorithm>
    To <dfn>handle the result of selecting an index</dfn>, given a {{SharedStorageWorklet}} |worklet|, an [=environment settings object=] |environment|, a {{Document}} |document|, a {{sequence}} of {{SharedStorageUrlWithMetadata}} |urls|, a [=list=] of [=strings=] |urlList|, a [=/navigable=] |navigable|, a {{SharedStorageRunOperationMethodOptions}} |options|, a [=traversable navigable/fenced frame config mapping=] |fencedFrameConfigMapping|, a [=urn uuid=] |urn|, a [=/boolean=] |shouldChargeTopLevelBudgets|, a [=/boolean=] |shouldUseDefaultIndex|, and an {{unsigned long}} |resultIndex|, perform the following steps:

    1. Let |site| be the result of running [=obtain a site=] with |document|'s [=Document/origin=].
    1. Let |remainingBudget| be the result of running [=determine remaining navigation budget=] with |environment| and |site|.
    1. Let |pendingBits| be the logarithm base 2 of |urlList|'s [=list/size=].
    1. If |shouldChargeTopLevelBudgets| is true:
        1. Let |pageBudgetResult| be the result of running [=charge shared storage top-level traversable budgets=] with |navigable|, |site|, and |pendingBits|.
        1. If |pageBudgetResult| is false, set |shouldUseDefaultIndex| to true.
    1. If |pendingBits| is greather than |remainingBudget|, set |shouldUseDefaultIndex| to true.
    1. If |shouldUseDefaultIndex| is true, set |resultIndex| to the [=default selectURL index=].
    1. Let |finalConfig| be a new [=fenced frame config=].
    1. Set |finalConfig|'s [=fenced frame config/mapped url=] to |urlList|[|resultIndex|].
    1. Set |finalConfig|'s <span class=todo>a "pending shared storage budget debit" field</span> to |pendingBits|.
    1. [=Finalize a pending config=] on |fencedFrameConfigMapping| with |urn| and |finalConfig|.
    1. Let |resultURLWithMetadata| be |urls|[|resultIndex|].
    1. If |resultURLWithMetadata| has field "`reportingMetadata`", run [=register reporting metadata=] with |resultURLWithMetadata|["`reportingMetadata`"].
    1. If |options|["`keepAlive`"] is false, run [=terminate a worklet global scope=] with |worklet|.

  </div>

  <div algorithm>
    The <dfn method for="SharedStorageWorklet">selectURL(|name|, |urls|, |options|)</dfn> method steps are:

    1. Let |resultPromise| be a new [=promise=].
    1. If [=this=]'s [=addModule initiated=] is false, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |window| be [=this=]'s [=relevant settings object=].
    1. [=Assert=]: |window| is a {{Window}}.
    1. Let |context| be |window|'s [=Window/browsing context=].
    1. If |context| is null, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |preSpecifiedParams| be the result of [=obtaining the pre-specified
        report parameters=] given |options| and |context|.
    1. If |preSpecifiedParams| is a {{DOMException}}, return [=a promise rejected
        with=] |preSpecifiedParams|.
    1. Let |aggregationCoordinator| be the result of [=obtaining the aggregation
        coordinator=] given |options|.
    1. If |aggregationCoordinator| is a {{DOMException}}, return [=a promise
        rejected with=] |aggregationCoordinator|.
    1. Let |document| be |context|'s [=active document=].
    1. If [=this=]'s [=global scopes=] is [=list/empty=], then return a [=promise rejected=] with a {{TypeError}}.

        Note: This can happen if {{SharedStorageWorklet/selectURL()}} is called before {{addModule()}}.
    1. [=Assert=]: [=this=]'s [=global scopes=]'s [=list/size=] is 1.
    1. Let |globalScope| be [=this=]'s [=global scopes=][0].
    1. Let |workletDataOrigin| be |globalScope|'s [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If the result of running [=Is feature enabled in document for origin?=] on "[=PermissionsPolicy/shared-storage-select-url=]", |document|, and |workletDataOrigin| returns false, return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for |globalScope| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |urls| is empty or if |urls|'s [=list/size=] is greater than 8, return a [=promise rejected=] with a {{TypeError}}.

        Note: 8 is chosen here so that each call of {{SharedStorageWorklet/selectURL()}} can leak at most log2(8) = 3 bits of information when the result fenced frame is clicked. It's not a lot of information per-call.

    1. Let |urlList| be an empty [=list=].
    1. [=map/iterate|For each=] |urlWithMetadata| in |urls|:
        1. If |urlWithMetadata| has no field "`url`", return a [=promise rejected=] with a {{TypeError}}.
        1. Otherwise, let |urlString| be |urlWithMetadata|["`url`"].
        1. Let |serializedUrl| be the result of running [=get the canonical URL string if valid=] with |urlString|.
        1. If |serializedUrl| is undefined, return a [=promise rejected=] with a {{TypeError}}.
        1. Otherwise, [=list/append=] |serializedUrl| to |urlList|.
        1. If |urlWithMetadata| has field "`reportingMetadata`":
            1. Let |reportingMetadata| be |urlWithMetadata|["`reportingMetadata`"].
            1. If the result of running [=validate reporting metadata=] with |reportingMetadata| is false, [=reject=] |resultPromise| with a {{TypeError}} and abort these steps.
    1. Let |navigable| be |window|'s [=associated document=]'s [=node navigable=].
    1. Let |fencedFrameConfigMapping| be |navigable|'s [=navigable/traversable navigable=]'s [=traversable navigable/fenced frame config mapping=].
    1. Let |pendingConfig| be a new [=fenced frame config=].
    1. Let |urn| be the result of running [=fenced frame config mapping/store a pending config=] on |fencedFrameConfigMapping| with |pendingConfig|.
    1. If |urn| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |window|'s [=relevant settings object=].
    1. Let |allowedInOpaqueOriginContext| be [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=].
    1. If the result of running [=determine whether shared storage is allowed by context=] given |environment|, |workletDataOrigin|, and |allowedInOpaqueOriginContext| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |environment| and |workletDataOrigin| is false:
        1. If [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=] is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |options|["`resolveToConfig`"] is true, [=resolve=] |resultPromise| with |pendingConfig|.
    1. Otherwise, [=resolve=] |resultPromise| with |urn|.
    1. Let (|indexPromise|, |shouldChargeTopLevelBudgets|) be the result of running [=get the select-url result index=], given [=this=], |name|, |urlList|, |workletDataOrigin|, |navigable|, |options|, |preSpecifiedParams| and |aggregationCoordinator|.
    1. [=Upon fulfillment=] of |indexPromise| with |resultIndex|, run [=handle the result of selecting an index=] given |worklet|, |environment|, |document|, |urls|, |urlList|, |navigable|, |options|, |fencedFrameConfigMapping|, |urn|, |shouldChargeTopLevelBudgets|, false, and |resultIndex|.
    1. [=Upon rejection=] of |indexPromise|, run [=handle the result of selecting an index=] given |worklet|, |environment|, |document|, |urls|, |urlList|, |navigable|, |options|, |fencedFrameConfigMapping|, |urn|, |shouldChargeTopLevelBudgets|, true, and the [=default selectURL index=].
    1. Return |resultPromise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorageWorklet">run(|name|, |options|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If [=this=]'s [=addModule initiated=] is false, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |window| be [=this=]'s [=relevant settings object=].
    1. [=Assert=]: |window| is a {{Window}}.
    1. Let |context| be |window|'s [=Window/browsing context=].
    1. If |context| is null, then return [=a promise rejected with=] a
        {{TypeError}}.
    1. Let |preSpecifiedParams| be the result of [=obtaining the pre-specified
        report parameters=] given |options| and |context|.
    1. If |preSpecifiedParams| is a {{DOMException}}, return [=a promise rejected
        with=] |preSpecifiedParams|.
    1. Let |aggregationCoordinator| be the result of [=obtaining the aggregation
        coordinator=] given |options|.
    1. If |aggregationCoordinator| is a {{DOMException}}, return [=a promise
        rejected with=] |aggregationCoordinator|.
    1. If [=this=]'s [=global scopes=] is [=list/empty=], then return a [=promise rejected=] with a {{TypeError}}.

        Note: This can happen if {{SharedStorageWorklet/run()}} is called before {{addModule()}}.
    1. [=Assert=]: [=this=]'s [=global scopes=]'s [=list/size=] is 1.
    1. Let |globalScope| be [=this=]'s [=global scopes=][0].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for |globalScope| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |workletDataOrigin| be |globalScope|'s [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. Let |allowedInOpaqueOriginContext| be [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=].
    1. If the result of running [=determine whether shared storage is allowed by context=] given |window|, |workletDataOrigin|, and |allowedInOpaqueOriginContext| is false, [=reject=] |promise| with a {{TypeError}}.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |window| and |workletDataOrigin| is false:
        1. If [=this=]'s [=SharedStorageWorklet/has cross-origin data origin=] is false, [=reject=] |promise| with a {{TypeError}}.
        1. Else, [=resolve=] |promise| with undefined.
        1. Return |promise|.
    1. Return |promise|, and immediately [=obtaining a worklet agent=] given |window| and run the rest of these steps in that agent:

        Note: The |promise|'s resolution should be before and not depend on the execution inside {{SharedStorageWorkletGlobalScope}}. This is because shared storage is a type of unpartitioned storage, and a {{SharedStorageWorkletGlobalScope}} can have access to cross-site data, which shouldn't be leaked via {{SharedStorageWorklet/run()}} (via its success/error result).

        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=resolve=] |promise| with undefined.
        1. If |globalScope|'s [=relevant settings object=]'s [=module map=] is not [=map/empty=]:
            1. Let |operationMap| be [=this=]'s {{SharedStorageWorkletGlobalScope}}'s [=SharedStorageWorkletGlobalScope/operation map=].
            1. If |operationMap| [=map/contains=] |name|:
                1. [=Assert=]: |operationMap|[|name|]'s [=associated realm=] is [=this=]'s [=relevant realm=].
                1. Let |operation| be |operationMap|[|name|], [=converted to an IDL value|converted=] to {{Function}}.
                1. Let |privateAggregationCompletionTask| be the result of [=setting up the Private Aggregation scopes=] given |workletDataOrigin|, |preSpecifiedParams| and |aggregationCoordinator|.
                1. Let |argumentsList| be a new [=/list=].
                1. If |options|["{{SharedStorageRunOperationMethodOptions/data}}"] [=map/exists=], [=list/append=] it to |argumentsList|.
                1. [=Invoke=] |operation| with |argumentsList| and "`report`".
                1. Wait for |operation| to finish running, if applicable.
                1. Run |privateAggregationCompletionTask|.
        1. If |options|["`keepAlive`"] is false:
            1. Wait for |operation| to finish running, if applicable.
            1. Run [=terminate a worklet global scope=] with [=this=].
  </div>

  <div algorithm>
    To <dfn>obtain the aggregation coordinator</dfn> given a
    {{SharedStorageRunOperationMethodOptions}} |options|, perform the following
    steps. They return an [=aggregation coordinator=], null or a {{DOMException}}:

    1. If |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]
        does not [=map/exist=], return null.
    1. If |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]["{{SharedStoragePrivateAggregationConfig/aggregationCoordinatorOrigin}}"]
        does not [=map/exist=], return null.
    1. Return the result of [=obtaining the Private Aggregation coordinator=]
        given
        |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]["{{SharedStoragePrivateAggregationConfig/aggregationCoordinatorOrigin}}"].
  </div>

  <div algorithm>
    To <dfn>obtain the pre-specified report parameters</dfn> given a
    {{SharedStorageRunOperationMethodOptions}} |options| and a [=/browsing
    context=] |context|, perform the following steps. They return a
    [=pre-specified report parameters=], null, or a {{DOMException}}:
    1. If |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"]
        does not [=map/exist=], return null.
    1. Let |privateAggregationConfig| be
        |options|["{{SharedStorageRunOperationMethodOptions/privateAggregationConfig}}"].
    1. Let |contextId| be null.
    1. If |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/contextId}}"]
        [=map/exists=], set |contextId| to
        |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/contextId}}"].
    1. If |contextId|'s [=string/length=] is greater than 64, return a new
        {{DOMException}} with name "`DataError`".
    1. Let |filteringIdMaxBytes| be the [=default filtering ID max bytes=].
    1. If |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/filteringIdMaxBytes}}"]
        [=map/exists=], set |filteringIdMaxBytes| to
        |privateAggregationConfig|["{{SharedStoragePrivateAggregationConfig/filteringIdMaxBytes}}"].
    1. If |filteringIdMaxBytes| is not [=set/contained=] in the [=valid filtering ID
        max bytes range=], return a new {{DOMException}} with name "`DataError`".
    1. If |context|'s [=browsing context/fenced frame config instance=] is not null:
        1. If |filteringIdMaxBytes| is not the [=default filtering ID max bytes=] or
            |contextId| is not null, return a new {{DOMException}} with name
            "`DataError`".
    1. Return a new [=pre-specified report parameters=] with the items:
        : <a spec="private-aggregation-api" for="pre-specified report parameters">context ID</a>
        :: |contextId|
        : [=pre-specified report parameters/filtering ID max bytes=]
        :: |filteringIdMaxBytes|
  </div>

  <div algorithm>
    To <dfn>set up the Private Aggregation scopes</dfn> given an [=/origin=]
    |workletDataOrigin|, a [=pre-specified report parameters=] or null
    |preSpecifiedParams| and an [=aggregation coordinator=] or null
    |aggregationCoordinator|, peform the following steps. They return an
    algorithm.

    Note: The returned algorithm should be run when the associated operation is
        complete.

    1. Let |batchingScope| be a new [=batching scope=].
    1. Let |debugScope| be a new [=debug scope=].
    1. Let |privateAggregationTimeout| be null.
    1. Let |hasRunPrivateAggregationCompletionTask| be false.
    1. Let |privateAggregationCompletionTask| be an algorithm to perform the
        following steps:
        1. If |hasRunPrivateAggregationCompletionTask|, return.
        1. Set |hasRunPrivateAggregationCompletionTask| to true.
        1. [=Mark a debug scope complete=] given |debugScope|.
        1. [=Process contributions for a batching scope=] given
            |batchingScope|, |workletDataOrigin|, "<code>shared-storage</code>"
            and |privateAggregationTimeout|.
    1. If |aggregationCoordinator| is not null, [=set the aggregation coordinator
        for a batching scope=] given |aggregationCoordinator| and |batchingScope|.
    1. If |preSpecifiedParams| is not null:
        1. Let |isDeterministicReport| be the result of [=determining if a report
            should be sent deterministically=] given |preSpecifiedParams|.
        1. If |isDeterministicReport|:
            1. Set |privateAggregationTimeout| to the [=/current wall time=] plus
                the [=deterministic operation timeout duration=].
        1. [=Set the pre-specified report parameters for a batching scope=] given
            |preSpecifiedParams| and |batchingScope|.
        1. If |isDeterministicReport|, run the following steps [=in parallel=]:
            1. Wait until |privateAggregationTimeout|.
            1. Run |privateAggregationCompletionTask|.
    1. Return |privateAggregationCompletionTask|.
  </div>

  The <dfn>deterministic operation timeout duration</dfn> is an
  [=implementation-defined=] non-negative [=duration=] that controls how long a
  Shared Storage operation may make Private Aggregation contributions if it is
  triggering a deterministic report and, equivalently, when that report should
  be sent after the operation begins.

  ## Monkey Patch for [=Worklets=] ## {#worklet-monkey-patch}

  This specification will make some modifications to the [=Worklet=] standard to accommodate the needs of Shared Storage.

  ### Monkey Patch for [=set up a worklet environment settings object=] ### {#set-up-a-worklet-environment-settings-object-monkey-patch}

  The [=set up a worklet environment settings object=] algorithm will need to include an additional parameter: {{Worklet}} |worklet|. The step that defines the |settingsObject|'s [=environment settings object/origin=] should be modified as follows:

    6. Let |settingsObject| be a new [=environment settings object=] whose algorithms are defined as follows:

        ......

        <b>The [=environment settings object/origin=]</b>
          1. Let |workletGlobalScope| be the [=global object=] of <var ignore=''>realmExecutionContext</var>'s Realm component.
          1. If |workletGlobalScope| is not {{SharedStorageWorkletGlobalScope}}, return |origin|.
          1. [=Assert=] that |worklet| is a {{SharedStorageWorklet}}.
          1. If |worklet|'s [=SharedStorageWorklet/data origin=] is `"context-origin"`, return <var ignore=''>outsideSettings</var>'s [=environment settings object/origin=].
          1. Let |pendingAddedModules| be a [=list/clone=] of |worklet|'s [=added modules list=].
          1. [=Assert=]: |pendingAddedModules|'s [=list/size=] is 1.
          1. Let |moduleURL| be |pendingAddedModules|[0].
          1. Return |moduleURL|'s [=url/origin=].

        ......

  ### Monkey Patch for [=create a worklet global scope=] ### {#create-a-worklet-global-scope-monkey-patch}

  The [=create a worklet global scope=] algorithm will need to be modified to pass in the |worklet| parameter:

    5. Let <var ignore=''>insideSettings</var> be the result of [=setting up a worklet environment settings object=] given <var ignore=''>realmExecutionContext</var>, <var ignore=''>outsideSettings</var>, and |worklet|.

  ### Monkey Patch for [=fetch a worklet script graph=] ### {#fetch-a-worklet-script-graph-monkey-patch}

  The algorithm [=fetch a worklet script graph=] calls into the <a href="https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-worklet/module-worker-script-graph">fetch a worklet/module worker script graph</a> algorithm, which takes in an algorithm parameter |processCustomFetchResponse|. The definition of that |processCustomFetchResponse| parameter will need to include the following step before the step "5. [=Fetch=] |request|, ...":

    5. If |fetchClient|'s [=environment settings object/global object=] is {{SharedStorageWorkletGlobalScope}}:
        1. Set |request|'s [=request/redirect mode=] to "<code>error</code>".

            Note: For shared storage, redirects are disallowed for the module script request. With this restriction, it's possible to define and to use the algorithm that gets the |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] (as described in [[#set-up-a-worklet-environment-settings-object-monkey-patch]]) as soon as the {{SharedStorageWorkletGlobalScope}} is created, as the origin won't change. This restriction may be removed in a future iteration of the design. If redirects become allowed, presumably, the algorithm that gets the |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] should be updated to return the final request's [=request/URL=]'s [=url/origin=] after receiving the final request's response, and the user preference checkings shall only be done after that point.

        1. If |fetchClient|'s [=environment settings object/origin=] and |settingsObject|'s [=environment settings object/origin=] are not [=same origin=]:
            1. Let |dataOriginValue| be the [=origin/serialization=] of |settingsObject|'s [=environment settings object/origin=].
            1. [=Assert=] that |dataOriginValue| is not null.
            1. [=header list/Append=] the [=header=] ([:Sec-Shared-Storage-Data-Origin:], |dataOriginValue|) to |request|'s [=request/header list=].

  ### The [:Shared-Storage-Cross-Origin-Worklet-Allowed:] HTTP response header ### {#worklet-allowed-header}

  The [:Shared-Storage-Cross-Origin-Worklet-Allowed:] HTTP response header, along with the traditional CORS headers, can be used to grant a cross-origin site the permission to create a worklet from the module script's [=/URL=]'s [=url/origin=], and to run subsequent operations on the worklet using the module script's [=/URL=]'s [=url/origin=] as the <dfn for="SharedStorage">data partition origin</dfn> for accessing shared storage data, i.e. the [=environment settings object/origin=] set in [[#set-up-a-worklet-environment-settings-object-monkey-patch]], which becomes the [=url/origin=] used in all {{SharedStorage}} calls to [=obtain a shared storage bottle map=].

  Worklets that load cross-origin scripts rely on CORS as a baseline permission mechanism to indicate trusted external origins. However, CORS alone is insufficient for creation of a worklet with cross-origin script whose [=data partition origin=] is the script origin. Unlike simple resource sharing, worklets allow the creator site to execute JavaScript within the context of the target origin. To ensure security, an additional response header, [:Shared-Storage-Cross-Origin-Worklet-Allowed:], is required from the script origin.

  ### Monkey Patch for [=HTTP fetch=] ### {#http-fetch-monkey-patch}
  [Steps](#mod-http-fetch) will need to be added to the [=HTTP fetch=] algorithm.

  Note: It is the responsibility of the site serving the module script to carefully consider the security implications: when the module script's [=/URL=]'s [=url/origin=] and the worklet's creator {{Window}} origin are not [=same origin=], by sending permissive CORS headers the [:Shared-Storage-Cross-Origin-Worklet-Allowed:] header on the module script response, the server will be granting the worklet's creation and subsequent operations on the worklet, while allowing the worklet to use the worklet's script's [=url/origin=] as the [=url/origin=] for accessing the shared storage data, i.e. the [=data partition origin=]. For example, the worklet's creator {{Window}} could poison and use up the worklet origin's [=/site=]'s [=site/remaining navigation budget=] by calling {{SharedStorageWorklet/selectURL()}} or {{SharedStorageWorklet/run()}}, where the worklet origin is the global scope's [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].

  ### Monkey Patch for {{Worklet/addModule()}} ### {#add-module-monkey-patch}

  The {{Worklet/addModule()}} method steps for {{Worklet}} will need to include the following step before the step "Let |promise| be a new promise":

    4. If |this| is of type {{SharedStorageWorklet}}:
        1. Let |addModuleAllowedResult| be the result of running [=check if addModule is allowed and update state=] given |this| and <var ignore=''>moduleURLRecord</var>.
        1. If |addModuleAllowedResult| is "DisallowedDueToNonPreferenceError":
            1. Return [=a promise rejected with=] a {{TypeError}}.
        1. Else if |addModuleAllowedResult| is "DisallowedDueToPreferenceError":
            1. If |this|'s [=SharedStorageWorklet/has cross-origin data origin=] is false, then return [=a promise rejected with=] a {{TypeError}}.
        1. Else:
            1. [=Assert=]: |addModuleAllowedResult| is "Allowed".

    <div class="note">
    On user preferences error, {{Worklet/addModule()}} will be aborted at an early stage. However, the error will only be exposed to the caller for a same-origin worklet (i.e. where the initiator document's origin is same-origin with the module script's origin). For a cross-origin worklet, the error will be hidden. This is to prevent a caller from knowing which origins the user has disabled shared storage for via preferences (if a per-origin preference exists for that browser vendor).

    A caller may still use timing attacks to know this information, but this is a minor security/privacy issue, as in reality very few users would set such preferences, and doing a wide search would incur a significant performance cost spinning up the worklets.

    This rationale also applies to the handling for user preferences error for {{SharedStorageWorklet/selectURL()}} and {{SharedStorageWorklet/run()}}.
    </div>

  The penultimate step (i.e. the final indented step), currently "If |pendingTasks| is 0, then [=resolve=] |promise|.", should be updated to:

    2. If |pendingTasks| is 0, perform the following steps:
        1. If |workletGlobalScope| has an associated boolean [=addModule success=], set |workletGlobalScope|'s [=addModule success=] to true.
        2. [=Resolve=] |promise|.

  Just before the final step, currently "Return <var ignore>promise</var>.", add the following step:

    7. If |this| is a {{SharedStorageWorklet}}, [=upon fulfillment=] of |promise| or
        [=upon rejection=] of |promise|, run the following steps:
        1. Let |globalScopes| be |this|'s [=Worklet/global scopes=].
        1. [=Assert=]: |globalScopes|' [=list/size=] equals 1.
        1. Let |privateAggregationObj| be |globalScopes|[0]'s
            {{SharedStorageWorkletGlobalScope/privateAggregation}}.
        1. Set |privateAggregationObj|'s [=PrivateAggregation/allowed to use=] to
            the result of determining whether [=this=]'s [=relevant global
            object=]'s [=associated document=] is [=/allowed to use=] the
            "<code>[=private-aggregation=]</code>" [=policy-controlled feature=].

            Issue: Consider adding an early return here if the permissions
                policy check is made first.
        1. Set |privateAggregationObj|'s [=PrivateAggregation/scoping details=] to a
                new [=/scoping details=] with the items:
            : [=scoping details/get batching scope steps=]
            :: An algorithm that returns the [=batching scope=] that is scheduled to
                be passed to [=process contributions for a batching scope=] when the
                call currently executing in |scope| returns.
            : [=scoping details/get debug scope steps=]
            :: An algorithm that returns the [=debug scope=] that is scheduled to be
                passed to [=mark a debug scope complete=] when the call currently
                executing in |scope| returns.

            Note: Multiple operation invocations can be in-progress at the same
            time, each with a different batching scope and debug scope. However,
            only one can be currently executing.

  <span class=todo>Add additional monkey patch pieces for out-of-process worklets.</span>

  ## The {{SharedStorageWorkletGlobalScope}} ## {#global-scope}

  The {{SharedStorageWorklet}}'s [=worklet global scope type=] is {{SharedStorageWorkletGlobalScope}}.

  The {{SharedStorageWorklet}}'s [=worklet destination type=] is "sharedstorageworklet".

  ### Monkey Patch for request [=request/destination=] ### {#request-destination-monkey-patch}

  The fetch request's [=request/destination=] field should additionally include "sharedstorageworklet" as a valid value.

  <xmp class='idl'>
    callback RunFunctionForSharedStorageSelectURLOperation = Promise<unsigned long>(sequence<USVString> urls, optional any data);
  </xmp>

  <xmp class='idl'>
    [Exposed=SharedStorageWorklet, Global=SharedStorageWorklet]
    interface SharedStorageWorkletGlobalScope : WorkletGlobalScope {
      undefined register(DOMString name,
                         Function operationCtor);

      readonly attribute SharedStorage sharedStorage;
      readonly attribute PrivateAggregation privateAggregation;

      Promise<sequence<StorageInterestGroup>> interestGroups();
    };
  </xmp>

  Each {{SharedStorageWorkletGlobalScope}} has an associated [=environment settings object=] <dfn for=SharedStorageWorkletGlobalScope>outside settings</dfn>, which is the associated {{SharedStorageWorklet}}'s [=relevant settings object=].

  Each {{SharedStorageWorkletGlobalScope}} has an associated [=/boolean=] <dfn for=SharedStorageWorkletGlobalScope>addModule success</dfn>, which is initialized to false.

  Each {{SharedStorageWorkletGlobalScope}} also has an associated <dfn for=SharedStorageWorkletGlobalScope>operation map</dfn>, which is a [=map=], initially empty, of [=strings=] (denoting operation names) to [=function objects=].

  Each {{SharedStorageWorkletGlobalScope}} also has an associated {{SharedStorage}} instance, with the [=SharedStorageWorkletGlobalScope/sharedStorage getter=] algorithm as described below.

  ### {{SharedStorageWorkletGlobalScope}} algorithms ### {#scope-algo}
  <div algorithm>
    The <dfn method for="SharedStorageWorkletGlobalScope">register(|name|, |operationCtor|)</dfn> method steps are:

    1. If |name| is missing or empty, throw a {{TypeError}}.
    1. Let |operationMap| be this {{SharedStorageWorkletGlobalScope}}'s [=SharedStorageWorkletGlobalScope/operation map=].
    1. If |operationMap| [=map/contains=] an [=map/entry=] with [=map/key=] |name|, throw a {{TypeError}}.
    1. If |operationCtor| is missing, throw a {{TypeError}}.
    1. Let |operationClassInstance| be the result of [=constructing=] |operationCtor|, with no arguments.
    1. Let |runFunction| be [=Get=](|operationClassInstance|, "`run`"). Rethrow any exceptions.
    1. If <a abstract-op>IsCallable</a>(|runFunction|) is false, throw a {{TypeError}}.
    1. [=map/Set=] the value of |operationMap|[|name|] to |runFunction|.
  </div>

  Issue(151): The "name" and "operationCtor" cannot be missing here given WebIDL. Should just check for default/empty values.

  <div algorithm>
    The <dfn method for="SharedStorageWorkletGlobalScope">interestGroups()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be |globalObject|'s [=Window/browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |document| be |context|'s [=active window=]'s [=associated document=].
    1. If |document| is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |workletDataOrigin| be [=current realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If the result of running [=Is feature enabled in document for origin?=] on "[=PermissionsPolicy/run-ad-auction=]", |document|, and |workletDataOrigin| returns false, then return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=Is feature enabled in document for origin?=] on "[=PermissionsPolicy/join-ad-interest-group=]", |document|, and |workletDataOrigin| returns false, then return a [=promise rejected=] with a {{TypeError}}.
    1. Run the following steps [=in parallel=]:
        1. Let |interestGroups| be the result of running [=get storage interest groups for owner=] given |workletDataOrigin|.
        1. If |interestGroups| is failure:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |interestGroups|.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn for="SharedStorageWorkletGlobalScope">{{SharedStorageWorkletGlobalScope/sharedStorage}} getter</dfn> steps are:

    1. If [=this=]'s [=addModule success=] is true, return [=this=]'s {{SharedStorageWorkletGlobalScope/sharedStorage}}.
    1. Otherwise, throw a {{TypeError}}.
  </div>

  <div algorithm="privateAggregation getter">
    The {{SharedStorageWorkletGlobalScope/privateAggregation}} [=getter steps=] are to:

    1. [=Get the privateAggregation=] given [=this=].
  </div>

  <div algorithm>
    To <dfn for="SharedStorageWorkletGlobalScope">check whether addModule is finished</dfn>, the step is:

    1. Return the value of [=addModule success=].
  </div>

  ## {{SharedStorageUrlWithMetadata}} and Reporting ## {#reporting}

  <xmp class='idl'>
    dictionary SharedStorageUrlWithMetadata {
      required USVString url;
      object reportingMetadata;
    };
  </xmp>

  If a {{SharedStorageUrlWithMetadata}} [=dictionary=] contains a non-[=map/empty=] {{SharedStorageUrlWithMetadata/reportingMetadata}} {{/object}} in the form of a [=dictionary=] whose [=map/keys=] are {{FenceEvent}}'s {{FenceEvent/eventType}}s and whose [=map/values=] are [=strings=] that parse to valid [=/URLs=], then these {{FenceEvent/eventType}}-[=/URL=] pairs will be [=register reporting metadata|registered=] for later access within any [=fenced frame=] that loads the {{SharedStorageResponse}} resulting from this {{SharedStorageWorklet/selectURL()}} call.

  Issue(141): {{SharedStorageUrlWithMetadata/reportingMetadata}} should be a [=dictionary=].

  Inside a [=fenced frame=] with {{FenceEvent/eventType}}-[=/URL=] pairs that have been [=register reporting metadata|registered=] through {{SharedStorageWorklet/selectURL()}} with {{SharedStorageUrlWithMetadata/reportingMetadata}} {{/object}}s, if {{reportEvent()}} is called on a {{FenceEvent}} with a {{FenceEvent/destination}} [=list/containing=] "`shared-storage-select-url`" and that {{FenceEvent}}'s corresponding {{FenceEvent/eventType}} is triggered, then the {{FenceEvent}}'s {{FenceEvent/eventData}} will be sent as a [=beacon=] to the registered [=/URL=] for that {{FenceEvent/eventType}}.

  <div algorithm>
    To <dfn>validate reporting metadata</dfn>, given an {{/object}} |reportingMetadata|, run the following steps:

    1. If |reportingMetadata| is not a [=dictionary=], return false.
    1. If |reportingMetadata| is [=map/empty=], return true.
    1. [=map/iterate|For each=] <var ignore="">eventType</var> → |urlString| of |reportingMetadata|, if the result of running [=get the canonical URL string if valid=] with |urlString| is undefined, return false.
    1. Return true.
  </div>

  <div algorithm>
    To <dfn>get the canonical URL string if valid</dfn>, given a [=string=] |urlString|, run the following steps:

    1. Let |url| be the result of running a [=URL parser=] on |urlString|.
    1. If |url| is not a valid [=/URL=], return undefined.
    1. Otherwise, return the result of running a [=URL serializer=] on |url|.
  </div>

  <div algorithm>
    To <dfn>register reporting metadata</dfn>, given an {{/object}} |reportingMetadata| and a [=fenced frame config=] |fencedFrameConfigStruct|, run the following steps:

    1. If |reportingMetadata| is [=map/empty=], return.
    1. [=Assert=]: |reportingMetadata| is a [=dictionary=].
    1. Let |reportingUrlMap| be an [=map/empty=] [=map=].
    1. [=map/iterate|For each=] |eventType| → |urlString| of |reportingMetadata|:
        1. Let |url| be the result of running a [=URL parser=] on |urlString|.
        1. [=Assert=]: |url| is a valid [=/URL=].
        1. [=map/Set=] |reportingUrlMap|[|eventType|] to |url|.

    Issue(144): Store |reportingUrlMap| inside a [=fenced frame reporter=] class associated with |fencedFrameConfigStruct|. Both of these still need to be added to the draft [[Fenced-Frame]].
  </div>


  ## Entropy Budgets ## {#budgets}

  Because [=bits of entropy=] can leak via {{SharedStorageWorklet/selectURL()}}, the [=user agent=] will need to maintain budgets to limit these leaks.

  On a call to {{SharedStorageWorklet/selectURL()}}, when any of these budgets are exhausted, the [=default selectURL index=] will be used to determine which URL to select.

  <div algorithm>
    To <dfn>get the default selectURL index</dfn>, given {{sequence}}<{{USVString}}> |urls|, run the following steps:

    1. Return 0.

        Note: We could have chosen to return any {{unsigned long}} from the [=the exclusive range|range=] from 0 to |urls|’s [=list/size=], exclusive, as long as the returned index was independent from the registered operation class's "`run`" method.
  </div>

  The <dfn>default selectURL index</dfn> is the index obtained by running [=get the default selectURL index=], given {{sequence}}<{{USVString}}> <var ignore=''>urls</var>.

  ### Navigation Entropy Budget ### {#nav-budget}

  If a user [=user activation|activates=] a [=fenced frame=] whose [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=] was generated by {{SharedStorageWorklet/selectURL()}} and thereby initiates a [=top-level traversable=] [=navigate|navigation=], this will reveal to the landing page that its [=/URL=] was selected, which is a leak in [=entropy bits=] of up to logarithm base 2 of the number of input [=/URLs=] for the call to {{SharedStorageWorklet/selectURL()}}. To mitigate this, a [=user agent=] will set a per-[=/site=] [=navigation entropy allowance=].

  A <dfn>navigation entropy allowance</dfn> is a maximum allowance of [=entropy bits=] that are permitted to leak via [=fenced frames=] initiating [=top-level traversable=] [=navigate|navigations=] during a given [=navigation budget epoch=] for a given calling [=/site=]. This [=navigation entropy allowance|allowance=] is defined by the [=user agent=] and is [=/site=]-agnostic.

  A [=user agent=] will define a fixed predetermined [=duration=] <dfn>navigation budget lifetime</dfn>.

  An <dfn>navigation budget epoch</dfn> is any interval of time whose [=duration=] is the [=navigation budget lifetime=].

  To keep track of how this [=navigation entropy allowance=] is used, the [=user agent=] uses a <dfn>shared storage navigation budget table</dfn>, which is a [=map=] of [=/sites=] to [=navigation entropy ledgers=].

  An <dfn>navigation entropy ledger</dfn> is a [=/list=] of [=bit debits=].

  A <dfn>bit debit</dfn> is a [=struct=] with the following [=struct/items=]:

  <dl dfn-for="bit debit">
    : <dfn>bits</dfn>
    :: a {{double}}

    : <dfn>timestamp</dfn>
    :: a {{DOMHighResTimeStamp}} (from the [=Unix Epoch=])
  </dl>

  [=Bit debits=] whose [=bit debit/timestamps=] precede the start of the current [=navigation budget epoch=] are said to be <dfn for="bit debit">expired</dfn>.

  When a leak occurs, its value in [=entropy bits=] is calculated and stored for that [=/site=], along with the current time as a [=bit debit/timestamp=], together as a [=bit debit=] in the [=shared storage navigation budget table=].

 Each [=/site=] has an associated double <dfn for="site">remaining navigation budget</dfn>, whose value is the [=navigation entropy allowance=] minus any [=bit debits=] whose [=bit debit/timestamps=] are within the current [=navigation budget epoch=].

  When a [=/site=] has insufficient [=site/remaining navigation budget=], {{SharedStorageWorklet/selectURL()}} will return a {{SharedStorageResponse}} (i.e. either a {{FencedFrameConfig}} or a [=urn uuid=]) for the {{SharedStorageUrlWithMetadata/url}} in the {{SharedStorageUrlWithMetadata}} at the [=default selectURL index=].

  <div algorithm>
    To <dfn>determine remaining navigation budget</dfn>, given an [=environment settings object=] |environment| and a [=/site=] |site|, run the following steps:

    1. [=Assert=]: |site| is not an [=opaque origin=].
    1. Let |maxBits| be the [=user agent=]'s [=navigation entropy allowance=].
    1. If the [=user agent=]'s [=shared storage navigation budget table=] does not [=map/contain=] |site|, then return |maxBits|.
    1. Otherwise, let |ledger| be [=user agent=]'s [=shared storage navigation budget table=][|site|].
    1. Let |debitSum| be 0.
    1. [=map/iterate|For each=] [=list/item=] |bitDebit| in |ledger|, do the following steps:
        1. Let |debit| be |bitDebit|'s [=bit debit/bits=].
        1. If the result of running [=check whether a bit debit is expired=] with |environment| and |bitDebit| is false, then increment |debitSum| by |debit|.
    1. Return |maxBits| &minus; |debitSum|.
  </div>

  <div algorithm>
    To <dfn>check whether a bit debit is expired</dfn>, given an [=environment settings object=] |environment| and a [=bit debit=] |bitDebit|, run the following steps:

    1. Let |epochLength| be the [=user agent=]'s [=navigation budget lifetime=].
    1. Let |currentTime| be |environment|'s [=environment settings object/current wall time=].
    1. Let |threshold| be |currentTime| &minus; |epochLength|.
    1. If |bitDebit|'s [=bit debit/timestamp=] is less than |threshold|, return true.
    1. Otherwise, return false.
  </div>

  A [=bit debit=] will need to be [=charge shared storage navigation budget|charged=] to the [=shared storage navigation budget table=] for each [=top-level traversable=] [=navigate|navigation=] initiated by a [=fenced frame=] whose [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=] was generated via {{SharedStorageWorklet/selectURL()}}, as this can leak cross-site data. Since the [=bit debit/bits=] to charge is calculated during the call to {{SharedStorageWorklet/selectURL()}} but only actually recorded in the [=shared storage navigation budget table=] if and when the resulting fenced frame initiates a [=top-level traversable=] [=beginning navigation|navigation=], the [=bit debit/bits=] must be stored as a <dfn>pending shared storage budget debit</dfn> in the corresponding fenced frame's [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=] until this time.

  Issue(148): Move the definition of [=pending shared storage budget debit=] to [=fenced frame config instance=] in the draft [[Fenced-Frame]] specification.

  Between [=beginning navigation=] and [=ending navigation=], a [=user agent=] will perform the [=charge shared storage navigation budget=] algorithm.

  Issue(138): Need to find a better way to specify timing of the navigation budget charging.

  <div algorithm>
    To <dfn>charge shared storage navigation budget</dfn> during a [=beginning navigation|navigation=] with [=/navigable=] |navigable| and {{Document}} |sourceDocument|, run the following steps:

    1. If |navigable| is not a [=top-level traversable=], return.
    1. Let |currentNavigable| be |sourceDocument|'s [=node navigable=].
    1. While |currentNavigable| is not null:
        1. Let |site| be the result of running [=obtain a site=] with |currentNavigable|'s [=active document=]'s [=Document/origin=].
        1. Let |instance| be |currentNavigable|'s [=Node/node document=]'s [=Document/browsing context=]'s [=browsing context/fenced frame config instance=].
        1. Set |currentNavigable| to |currentNavigable|'s [=navigable/parent=].
        1. If |instance| is null or |site| is an [=opaque origin=], then [=iteration/continue=].
        1. Let |pendingBits| be |instance|'s [=pending shared storage budget debit=].
        1. If |pendingBits| is not greater than 0, then [=iteration/continue=].
        1. Let |ledger| be [=user agent=]'s [=shared storage navigation budget table=][|site|].
        1. Let |bitDebit| be a new [=bit debit=].
        1. Set |bitDebit|'s [=bit debit/bits=] to |pendingBits|.
        1. Let |currentTime| be the [=/current wall time=].
        1. Set |bitDebit|'s [=bit debit/timestamp=] to |currentTime|.
        1. [=list/Append=] |bitDebit| to |ledger|.
        1. Set |pendingBits| to 0.
  </div>

  A [=user agent=] may wish to set a timer to periodically [=purge expired bit debits from all navigation entropy ledgers=], as the [=bit debit/expired=] [=bit debits=] will no longer be needed.

  <div algorithm>
    To <dfn>purge expired bit debits from all navigation entropy ledgers</dfn>, run the following steps:

    1. [=map/iterate|For each=] <var ignore="">origin</var> → |ledger| of [=user agent=]'s [=shared storage navigation budget table=]:
        1. [=map/iterate|For each=] |bitDebit| in |ledger|, if the result of running [=check whether a bit debit is expired=] with |bitDebit| is true, [=list/remove=] |bitDebit| from |ledger|.
  </div>

  ### [=Top-Level Traversable=] Entropy Budgets ### {#top-budgets}

  In the short term, while we have less-restrictive [=fenced frames=], it is necessary to impose additional limits as follows.

  Each [=user agent=] will specify a maximum <dfn>overall page entropy allowance</dfn> and a maximum <dfn>site page entropy allowance</dfn>, where the former is the total number of bits allowed to leak for {{SharedStorageWorklet/selectURL()}} per [=top-level traversable=], where the latter is the total number of bits allowed to leak for {{SharedStorageWorklet/selectURL()}} per [=site=] per [=top-level traversable=]

  The <dfn for="traversable navigable">shared storage page budget</dfn> is a [=struct=] with the following [=struct/items=]:

  <dl dfn-for="shared storage page budget">
    : <dfn>overall budget</dfn>
    :: a {{double}}

    : <dfn>site budget map</dfn>
    :: a [=map=] of [=site=] to {{double}}

    : <dfn>saved query map</dfn>
    :: a [=map=] of [=tuples=] ([=url/origin=] <dfn for="saved query map" export>data origin</dfn>, [=/URL=] <dfn for="saved query map" export>worklet script URL</dfn>, [=string=] <dfn for="saved query map" export>operation name</dfn>, [=string=] <dfn for="saved query map" export>query name</dfn>) to [=saved query data=]
  </dl>

  The <dfn for="shared storage page budget">saved query data</dfn> is a [=struct=] with the following [=struct/items=]:

  <dl dfn-for="saved query data">
    : <dfn>index</dfn>
    :: a {{long}}

    : <dfn>callbacks</dfn>
    :: a [=queue=] of [=tasks=]
  </dl>

  #### Monkey patch for [=navigable/Traversable Navigables=] #### {#patch-trav-nav}

  In [[HTML]]'s <a
href=https://html.spec.whatwg.org/multipage/document-sequences.html#traversable-navigable>Traversable
navigables</a> section, add the following:

  In addition to the properties of a [=/navigable=], a [=navigable/traversable navigable=] has:

   * An <dfn for="traversable navigable">page budget</dfn>, a [=shared storage page budget=] or null, initially null.


  #### Monkey patch for [=/Navigables=] #### {#patch-navigables}

  Modify the [=initialize the navigable=] algorithm by adding the following steps at the end:

    1. If <var ignore=''>parent</var> is null and |navigable| is a [=navigable/traversable navigable=], then:
        1. Let |newPageBudget| be a [=shared storage page budget=] with an empty [=shared storage page budget/site budget map=].
        1. Set |newPageBudget|'s [=overall budget=] to [=overall page entropy allowance=].
        1. Set |navigable|'s [=page budget=] to |newPageBudget|.

  #### Saved queries #### {#saved-queries}

  <div algorithm>
    To <dfn>get the index for a saved query</dfn>, given [=/navigable=] |navigable|, [=url/origin=] |origin|, [=/URL=] |moduleURLRecord|, [=string=] |operationName|, [=string=] |savedQueryName|, and [=task=] |callbackTask|:

    1. Let |topLevelTraversable| be the result of running [=get the top-level traversable=] for |navigable|.
    1. [=Assert=] that |topLevelTraversable|'s [=page budget=] is not null.
    1. If |topLevelTraversable|'s [=page budget=]'s [=saved query map=] does not [=map/contain=] (|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|), then:
        1. [=map/Set=] |topLevelTraversable|'s [=page budget=]'s [=saved query map=][(|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|)] to a new [=saved query data=] struct |queryData|.
        1. Set |queryData|'s [=saved query data/index=] value to -1.
        1. Return "pending current operation".
    1. Let |savedIndex| be |topLevelTraversable|'s [=page budget=]'s [=saved query map=][(|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|)]'s  [=saved query data/index=].
    1. If |savedIndex| is -1:
        1. [=queue/Enqueue=] |callbackTask| to |queryData|'s [=saved query data/callbacks=].
        1. Return "pending callback".
    1. Return |savedIndex|.
  </div>

      Note: The [=get the index for a saved query=] algorithm returns "pending current operation" to indicate that the index value is pending the result of [=queueing a task=] on the {{SharedStorageWorkletGlobalScope}}'s [=worklet event loop=] to perform the [=registered=] operation.

      Note: The [=get the index for a saved query=] algorithm returns "pending callback" to indicate that a [=task=] to determine the result of the index was previously [=queue a task|queued=] on the {{SharedStorageWorkletGlobalScope}}'s [=worklet event loop=], and that we are now queueing an additional <var ignore=''>callbackTask</var> to be run when the original [=task=] has completed.

  <div algorithm>
    To <dfn>store the index for a saved query</dfn>, given {{Window}} |window|, [=/navigable=] |navigable|, [=url/origin=] |origin|, [=/URL=] |moduleURLRecord|, [=string=] |operationName|, [=string=] |savedQueryName|, and {{unsigned long}} |index|:

    1. Let |topLevelTraversable| be the result of running [=get the top-level traversable=] for |navigable|.
    1. [=Assert=] that |topLevelTraversable|'s [=page budget=] is not null.
    1. Let |queryData| be |topLevelTraversable|'s [=page budget=]'s [=saved query map=][(|origin|, |moduleURLRecord|, |operationName|, |savedQueryName|)].
    1. [=map/Set=] |queryData|'s [=saved query data/index=] to |index|.
    1. [=While=] |queryData|'s [=saved query data/callbacks=] is not empty:
        1. [=queue/Dequeue=] the next [=task=] |callbackTask| from |queryData|'s [=saved query data/callbacks=], and [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to run the steps of |callbackTask|, given |index|.
  </div>

  <div algorithm>
    To <dfn>obtain a callback to process the saved index result</dfn>, given {{Window}} |window|, [=/list=] of {{SharedStorageUrlWithMetadata}}s |urlList|, [=promise=] |promise|, perform the following steps. They return an algorithm.

    1. Let |processIndexTask| be an algorithm to perform the following steps, given an {{unsigned long}} |index|:
        1. If |index| is greater than |urlList|'s [=list/size=], then [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=reject=] |promise| with a {{TypeError}}.

                Note: The result index is beyond the input urls' size. This violates the selectURL() protocol, and we don't know which url should be selected.
        1.  Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |window|, to [=resolve=] |promise| with |index|.
    1. Return |processIndexTask|.
  </div>

  #### Charging the [=Top-Level Traversable=] Entropy Budgets #### {#charge-top-trav-budgets}

 <div algorithm>
    To <dfn>charge shared storage top-level traversable budgets</dfn> given a [=/navigable=] |navigable|, [=site=] |site|, and double |pendingBits|, run the following steps:

    1. Let |topLevelTraversable| be the result of running [=get the top-level traversable=] for |navigable|.
    1. [=Assert=] that |topLevelTraversable|'s [=page budget=] is not null.
    1. If |pendingBits| is greater than |topLevelTraversable|'s [=page budget=]'s [=overall budget=], then return false and abort these steps.
    1. If |topLevelTraversable|'s [=page budget=]'s [=site budget map=] does not [=map/contain=] |site|, then [=map/set=] |topLevelTraversable|'s [=page budget=]'s [=site budget map=] [|site|] to [=site page entropy allowance=].
    1. If |pendingBits| is greater than |topLevelTraversable|'s [=page budget=]'s [=site budget map=] [|site|], then return false and abort these steps.
    1. Decrement |topLevelTraversable|'s [=page budget=]'s [=site budget map=] [|site|] by |pendingBits|.
    1. Decrement |topLevelTraversable|'s [=page budget=]'s [=overall budget=] by |pendingBits|.
    1. Return true.

  </div>

Shared Storage's Backend {#backend}
===================================
The Shared Storage API will integrate into the [=Storage Model|Storage API=] as below, via [=storage endpoint/registering=] a new [=storage endpoint=].

  ## Monkey Patch for the [=Storage Model=] ## {#storage-monkey-patch}

  This standard will add a new [=storage type=] "`shared`" to the [=Storage Model=].

  A [=user agent=] holds a [=shared storage shed=] for [=storage endpoints=] of [=storage type|type=] "`shared`".

  This standard will also [=storage endpoint/register=] a [=storage endpoint=] of [=storage type|type=] "`shared`" with [=storage identifier=] "`sharedStorage`" and [=storage endpoint/quota=] `5`<sup>`4`</sup> `*` `2`<sup>`16`</sup> bytes (i.e. 39.0625 mebibytes).

  <span class=todo>This [=storage endpoint/quota=] is calculated from the current implementation. Consider bringing the current implementation in line with the spec for [=storage endpoints=] "`localStorage`" and "`sessionStorage`", i.e. `5 * 2`<sup>`20`</sup> bytes. For example, decreasing the per-origin entry limit from 10,000 to 1,280 would achieve this.</span>

  A <dfn>shared storage shed</dfn> is a [=map=] of [=/origins=] to [=storage shelf|storage shelves=]. It is initially empty.

  Note: Unlike [=storage sheds=], whose keys are [=storage keys=], [=shared storage sheds=] use [=/origins=] as keys directly. [=Shared storage=] will be intentionally excluded from [=client-side storage partitioning=].

  For each [=storage shelf=] in a [=shared storage shed=], the [=storage shelf=]'s [=bucket map=] currently has only a single key of "`default`".

  A [=user agent=]'s [=shared storage shed=] holds all <dfn>shared storage</dfn> data.

  <div algorithm>
    To <dfn>obtain a shared storage shelf</dfn>, given a [=shared storage shed=] |shed|, an [=environment settings object=] |environment|, and an [=/origin=] |origin|, run these steps:

    1. Let |allowedInOpaqueOriginContext| be false.
    1. If the result of running [=determine whether shared storage is allowed by context=] given |environment|, |origin|, and |allowedInOpaqueOriginContext| is false, then return failure.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |environment| and |origin| is false, then return failure.
    1. If |shed|[origin] does not exist, then set |shed|[origin] to the result of running [=create a shared storage shelf=] with [=storage type|type=] "`shared`".
    1. Return |shed|[|origin|].
  </div>

  <div algorithm>
    To <dfn>create a shared storage shelf</dfn>, run these steps:

    1. Let |shelf| be a new [=storage shelf=].
    1. Set |shelf|'s [=bucket map=]["`default`"] to the result of running [=create a shared storage bucket=].
    1. Return |shelf|.
  </div>

  A <dfn>shared storage bucket</dfn> is a [=storage bucket=] in one of a [=shared storage shed=]'s [=storage shelf|shelves=].

  <div algorithm>
    To <dfn>create a shared storage bucket</dfn>, run these steps:

    1. Let |endpoint| be the [=storage endpoint=] with [=storage identifier=] "`sharedStorage`".
    1. Let |bucket| be a new [=shared storage bucket=].
    1. Set |bucket|'s [=bottle map=]["`sharedStorage`"] to a new [=storage bottle=] whose [=storage bottle/quota=] is |endpoint|'s [=storage endpoint/quota=].
    1. Return |bucket|.
  </div>

  Note: Currently, a [=shared storage bucket=]'s [=bottle map=] has [=map/size=] `1`, since there is only one [=storage endpoint=] [=storage endpoint/registered=] with [=storage type|type=] "`shared`".

  <div algorithm>
    To <dfn>obtain a shared storage bottle map</dfn>, given an [=environment settings object=] |environment| and an [=/origin=] |origin|, run these steps:

    1. Let |shed| be the [=user agent=]'s [=shared storage shed=].
    1. Let |shelf| be the result of running [=obtain a shared storage shelf=] with |shed|, |environment|, and |origin|.
    1. If |shelf| is failure, then return failure.
    1. Let |bucket| be |shelf|'s [=bucket map=]["`default`"].
    1. Let |bottle| be |bucket|'s [=bottle map=]["`sharedStorage`"].
    1. Let |proxyMap| be a new [=storage proxy map=] whose [=backing map=] is |bottle|'s [=map=].
    1. [=set/Append=] |proxyMap| to |bottle|'s [=proxy map reference set=].
    1. Return |proxyMap|.
  </div>

  ## The [=Shared Storage Database=] ## {#database}

  A [=/browsing context=] has an associated <dfn>shared storage database</dfn>, which provides methods to [=shared storage database/store an entry in the database|store=], [=shared storage database/retrieve an entry from the database|retrieve=], [=shared storage database/delete an entry from the database|delete=], [=shared storage database/clear all entries in the database|clear=], and [=shared storage database/purge expired entries from the database|purge expired=] data, and additional methods as below. The data in the [=shared storage database|database=] take the form of [=shared storage database/entry|entries=].

  Each [=shared storage database=] has a <dfn for="shared storage database">shared storage database queue</dfn>, which is the result of [=start a new parallel queue|starting a new parallel queue=]. This [=shared storage database queue|queue=] is used to run each of the [=shared storage database=]'s methods when calls to them are initiated from that [=/browsing context=].

  Each <dfn for="shared storage database">entry</dfn> consists of a [=entry/key=] and a [=entry/value struct=].

  An [=shared storage database/entry=]'s <dfn for=entry>key</dfn> is a [=string=].

  [=User agents=] may specify the <dfn for=key>maximum length</dfn> of a [=entry/key=].

  Since [=entry/keys=] are used to organize and efficiently retrieve [=shared storage database/entry|entries=], [=entry/keys=] must appear at most once in any given [=shared storage database=].

  An [=shared storage database/entry=]'s <dfn for=entry>value struct</dfn> is a [=struct=] composed of [=string=] <dfn for="value struct">value</dfn> and {{DOMHighResTimeStamp}} <dfn for="value struct">last updated</dfn> (from the [=Unix Epoch=]).

  [=User agents=] may specify the <dfn for=value>maximum length</dfn> of a [=value struct/value=].

  [=User agents=] may specify a <dfn>default entry lifetime</dfn>, the default [=duration=] between when an [=shared storage database/entry=] is [=shared storage database/store an entry in the database|stored=] and when it expires. If the [=user agent=] specifies a [=default entry lifetime=], then it should have a timer periodically [=shared storage database/purge expired entries from the database=].

  ## The [=Shared Storage Database|Database=] Algorithms ## {#database-algorithms}

  <div algorithm>
    To <dfn for="shared storage database">store an entry in the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, an [=environment settings object=] |environment|, a [=entry/key=] |key|, and a [=value struct/value=] |value|, run the following steps on |queue|:

    1. Let |valueStruct| be a new [=entry/value struct=].
    1. Set |valueStruct|'s [=value struct/value=] to |value|.
    1. Let |currentTime| be the |environment|'s [=environment settings object/current wall time=].
    1. Set |valueStruct|'s [=value struct/last updated=] to |currentTime|.
    1. [=map/Set=] |databaseMap|[|key|] to |valueStruct|.
    1. If [=an exception was thrown=], then return false.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Otherwise, return true.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">retrieve an entry from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, an [=environment settings object=] |environment|, and a [=entry/key=] |key|, run the following steps on |queue|:

    1. If |databaseMap| does not [=map/contain=] |key|, return undefined.
    1. Let |valueStruct| be the result of running [=map/Get=] on |databaseMap| with |key|.
    1. If [=an exception was thrown=], then return failure.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. If the result of running [=shared storage database/determine whether an entry is expired=] with |environment| and |valueStruct| is true, return undefined.
    1. Return |valueStruct|'s [=value struct/value=].
  </div>

  <div algorithm>
    To <dfn for="shared storage database">delete an entry from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, and a [=entry/key=] |key|, run the following steps on |queue|:

    1. [=map/Remove=] |databaseMap|[|key|].
    1. If [=an exception was thrown=], then return false.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Return true.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">clear all entries in the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue| and a [=storage proxy map=] |databaseMap|, run the following steps on |queue|:

    1. Run [=map/Clear=] on |databaseMap|.
    1. If [=an exception was thrown=], then return false.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Return true.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">retrieve all entries from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue| and a [=storage proxy map=] |databaseMap|, run the following steps on |queue|:

    1. Let |values| be the result of running [=map/getting the values=] on |databaseMap|.
    1. If [=an exception was thrown=], then return failure.

          Note: Errors with [=storage proxy map=] |databaseMap|'s methods are possible depending on its implementation.
    1. Return |values|.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">count entries in the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue| and a [=storage proxy map=] |databaseMap|, run the following steps on |queue|:

    1. Let |size| be |databaseMap|'s [=map/size=].
    1. If [=an exception was thrown=], then return failure.

          Note: Errors with [=storage proxy map=] |databaseMap|'s members are possible depending on its implementation.
    1. Return |size|.
  </div>

  <div algorithm>
    To <dfn for="shared storage database">purge expired entries from the database</dfn>, given a [=shared storage database/shared storage database queue=] |queue|, a [=storage proxy map=] |databaseMap|, and an [=environment settings object=] |environment|, run the following steps on |queue|:

    1. [=map/iterate|For each=] [=entry/key=] |key| in |databaseMap|:
        1. Let |valueStruct| be the result of running [=map/Get=] on |databaseMap| with |key|.
        1. If [=an exception was thrown=], then return false.
        1. If the result of running [=shared storage database/determine whether an entry is expired=] with |environment| and |valueStruct| is true, [=map/Remove=] |databaseMap|[|key|].
        1. If [=an exception was thrown=], then return false.
    1. Return true.
  </div>

  <div algorithm>

    To <dfn for="shared storage database">determine whether an entry is expired</dfn>, given an [=environment settings object=] |environment| and a [=entry/value struct=] |valueStruct|, run the following steps:

    1. Let |lastUpdated| be |valueStruct|'s [=value struct/last updated=].
    1. Let |lifetime| be [=user agent=]'s [=default entry lifetime=].
    1. Let |expiration| be the sum of |lastUpdated| and |lifetime|.
    1. Let |currentTime| be the |environment|'s [=environment settings object/current wall time=].
    1. If |expiration| is less than or equal to |currentTime|, return true.
    1. Otherwise, return false.
  </div>


Extension to the {{Window}} interface {#window-extension}
=====================================================
Each {{Window}} object has an associated {{SharedStorage}} instance {{Window/sharedStorage}}, which is created alongside the {{Window}} if [=Shared Storage=] is enabled, with the [=Window/sharedStorage getter|getter=] below.

<xmp class='idl'>
  partial interface Window {
    [SecureContext] readonly attribute SharedStorage? sharedStorage;
  };
</xmp>

<div algorithm>
    The <dfn for="Window">{{Window/sharedStorage}} getter</dfn> steps are:

    1. If [=this=] is [=fully active=], return [=this=]'s {{Window/sharedStorage}}.
    1. Otherwise, return null.
</div>


The {{SharedStorage}} Interface {#shared-storage-interface}
==========================================================
The {{SharedStorage}} interface is exposed to {{Window}} and {{SharedStorageWorklet}}.

Methods that allow the setting and/or deleting of data are exposed to both the {{Window}} and the {{SharedStorageWorklet}}, although their implementations may vary depending on their [=environment=]. This makes it possible to modify the data in Shared Storage from multiple contexts.

Meanwhile, methods for posting operations to run inside {{SharedStorageWorkletGlobalScope}} (i.e. {{SharedStorageWorklet/selectURL()}} and {{SharedStorageWorklet/run()}}), along with the {{SharedStorage/worklet}} attribute which is used to call {{Worklet/addModule()}}, are exposed to the {{Window}} only, as these are the means by which the {{Window}} interacts with the {{SharedStorageWorklet}}.

On the other hand, methods for getting data from the [=shared storage database=] are exposed to the {{SharedStorageWorklet}} only, in order to carefully control the flow of data read from the [=shared storage database|database=].

<xmp class='idl'>
  [Exposed=(Window,SharedStorageWorklet)]
  interface SharedStorage {
    Promise<any> set(DOMString key,
                     DOMString value,
                     optional SharedStorageSetMethodOptions options = {});
    Promise<any> append(DOMString key,
                        DOMString value);
    Promise<any> delete(DOMString key);
    Promise<any> clear();

    [Exposed=Window]
    Promise<SharedStorageResponse> selectURL(DOMString name,
                                 sequence<SharedStorageUrlWithMetadata> urls,
                                 optional SharedStorageRunOperationMethodOptions options = {});

    [Exposed=Window]
    Promise<any> run(DOMString name,
                     optional SharedStorageRunOperationMethodOptions options = {});

    [Exposed=Window]
    Promise<SharedStorageWorklet> createWorklet(USVString moduleURL, optional SharedStorageWorkletOptions options = {});

    [Exposed=Window]
    readonly attribute SharedStorageWorklet worklet;

    [Exposed=SharedStorageWorklet]
    Promise<DOMString> get(DOMString key);

    [Exposed=SharedStorageWorklet]
    Promise<unsigned long> length();

    [Exposed=SharedStorageWorklet]
    Promise<double> remainingBudget();

    [Exposed=SharedStorageWorklet]
    async iterable<DOMString, DOMString>;
  };

  dictionary SharedStorageSetMethodOptions {
    boolean ignoreIfPresent = false;
  };

  dictionary SharedStoragePrivateAggregationConfig {
    USVString aggregationCoordinatorOrigin;
    USVString contextId;
    [EnforceRange] unsigned long long filteringIdMaxBytes;
  };

  dictionary SharedStorageRunOperationMethodOptions {
    object data;
    boolean resolveToConfig = false;
    boolean keepAlive = false;
    SharedStoragePrivateAggregationConfig privateAggregationConfig;
    DOMString savedQuery;
  };

  dictionary SharedStorageWorkletOptions : WorkletOptions {
    SharedStorageDataOrigin dataOrigin = "context-origin";
  };
</xmp>

## Run Operation Methods on {{SharedStorage}} ## {#run-op-shared-storage}

  <div algorithm>
    The <dfn method for="SharedStorage">selectURL(|name|, |urls|, |options|)</dfn> method steps are:

    1. Let |sharedStorage| be [=this=].
    1. Return |sharedStorage|.{{SharedStorage/worklet}}.{{SharedStorageWorklet/selectURL()|selectURL}}(|name|, |urls|, |options|).
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">run(|name|, |options|)</dfn> method steps are:

    1. Let |sharedStorage| be [=this=].
    1. Return |sharedStorage|.{{SharedStorage/worklet}}.{{SharedStorageWorklet/run()|run}}(|name|, |options|).
  </div>

## Create a new worklet via {{SharedStorage}} ## {#create-a-new-worklet-via-shared-storage}

  <div algorithm>
    The <dfn method for="SharedStorage">createWorklet(|moduleURL|, |options|)</dfn> method steps are:

    1. Let |sharedStorageWorklet| be a new {{SharedStorageWorklet}}.
    1. If |options| [=map/contains=] |dataOrigin|, set |sharedStorageWorklet|'s [=SharedStorageWorklet/data origin=] to |options|[|dataOrigin|].
    1. Let |addModulePromise| be the result of invoking sharedStorageWorklet.{{Worklet/addModule()|addModule}}(|moduleURL|, |options|).
    1. Let |resultPromise| be a new [=promise=].
    1. [=Upon fulfillment=] of |addModulePromise|, [=resolve=] |resultPromise| to |sharedStorageWorklet|.
    1. [=Upon rejection=] of |addModulePromise|, [=reject=] |resultPromise| with a {{TypeError}}.
    1. Return |resultPromise|.
  </div>

## Setter/Deleter Methods ## {#setter}

  <div algorithm>
    The <dfn method for="SharedStorage">set(|key|, |value|, |options|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |value|'s [=string/length=] exceeds the [=value/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. If |options|["`ignoreIfPresent`"] is true:
            1. Let |currentValue| be the result of running [=shared storage database/retrieve an entry from the database=] with |queue|, |databaseMap|, |environment|, and |key|.
            1. If |currentValue| is failure and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
                1. Abort these steps.
            1. If |currentValue| is not undefined:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
                1. Abort these steps.
        1. Let |result| be the result of running [=shared storage database/store an entry in the database=] with |queue|, |databaseMap|, |environment|, |key|, and |value|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">append(|key|, |value|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |value|'s [=string/length=] exceeds the [=value/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |currentValue| be the result of running [=shared storage database/retrieve an entry from the database=] with |queue|, |databaseMap|, |environment|, and |key|.
        1. If |currentValue| is failure:
            1. If |globalObject| is a {{Window}}:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
            1. Else:
                1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. If |currentValue| is not undefined:
            1. Let |list| be a new [=/list=].
            1. [=list/Append=] |currentValue| to |list|.
            1. [=list/Append=] |value| to |list|.
            1. Set |value| to the result of running [=string/concatenate=] on |list|.
        1. Let |result| be the result of running [=shared storage database/store an entry in the database=] with |queue|, |databaseMap|, |environment|, |key|, and |value|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">delete(|key|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |result| be the result of running [=shared storage database/delete an entry from the database=] with |queue|, |databaseMap|, and |key|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">clear()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. Let |globalObject| be the [=current realm=]'s [=global object=].
    1. Let |context| be null.
    1. If |globalObject| is a {{Window}}:
        1. Set |context| to |globalObject|'s [=Window/browsing context=].
    1. Else:
        1. Set |context| to |globalObject|'s [=outside settings=]'s [=target browsing context=].
        1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |environment|'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. Let |realm| be the [=current realm=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |result| be the result of running [=shared storage database/clear all entries in the database=] with |queue| and |databaseMap|.
        1. If |result| is false and if |globalObject| is a {{SharedStorageWorkletGlobalScope}}:
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
            1. Abort these steps.
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
    1. Return |promise|.
  </div>

## Getter Methods ## {#getter}

  <div algorithm>
    The <dfn method for="SharedStorage">get(|key|)</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If |key|'s [=string/length=] exceeds the [=key/maximum length=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |value| be the result of running [=shared storage database/retrieve an entry from the database=] with |queue|, |databaseMap|, |environment|, and |key|.
        1. If |value| is failure, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise, if |value| is undefined, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with undefined.
        1. Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |value|.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">length()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |numEntries| be the result of running [=shared storage database/count entries in the database=] with |queue| and |environment|.
        1. If |numEntries| is failure, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |numEntries|.
    1. Return |promise|.
  </div>

  <div algorithm>
    The <dfn method for="SharedStorage">remainingBudget()</dfn> method steps are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |allowedInOpaqueOriginContext| be false.
    1. If the result of running [=determine whether shared storage is allowed by context=] given |environment|, |realm|'s [=realm/settings object=]'s [=environment settings object/origin=], and |allowedInOpaqueOriginContext| is false, return a [=promise rejected=] with a {{TypeError}}.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |site| be the result of running [=obtain a site=] with |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. [=Assert=]: |site| is not an [=opaque origin=].
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |remainingBudget| be the result of running [=determine remaining navigation budget=] with |site|.
        1. [=Resolve=] [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |remainingBudget|.
    1. Return |promise|.
  </div>

## Iteration ## {#iteration}

Each {{SharedStorage}} [=async iterator=] instance has a [=queue=] <dfn for=SharedStorageIterator>pending entries</dfn> of [=shared storage database/entry|entries=], initially [=list/empty=].

Each {{SharedStorage}} [=async iterator=] instance also has a {{boolean}} <dfn for=SharedStorageIterator>error</dfn>, initially false.

The [=SharedStorageIterator/asynchronous iterator initialization steps=] and [=SharedStorageIterator/get the next iteration result=] algorithms defined below correspond to those referred to as the [=/asynchronous iterator initialization steps=] and [=/get the next iteration result=] algorithms in the [=Web IDL Standard=].

  <div algorithm>
    The <dfn for="SharedStorageIterator">asynchronous iterator initialization steps</dfn> for a {{SharedStorage}} [=async iterator=] |iterator| are:

    1. Let |promise| be a new [=promise=].
    1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for {{SharedStorage}}'s associated {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
    1. Let |context| be {{SharedStorage}}'s {{SharedStorageWorkletGlobalScope}}'s [=outside settings=]'s [=target browsing context=].
    1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
    1. If |context|'s [=active window=]'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
    1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
    1. Let |realm| be the [=current realm=].
    1. Let |databaseMap| be the result of running [=obtain a shared storage bottle map=] given |environment| and |realm|'s [=realm/settings object=]'s [=environment settings object/origin=].
    1. If |databaseMap| is failure, then return a [=promise rejected=] with a {{TypeError}}.
    1. Let |queue| be |context|'s associated [=shared storage database|database=]'s [=shared storage database/shared storage database queue=].
    1. [=Enqueue the following steps=] on |queue|:
        1. Let |entries| be the result of running [=shared storage database/retrieve all entries from the database=] with |queue| and |environment|.
        1. If |entries| is failure, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=reject=] |promise| with a {{TypeError}}.
        1. Otherwise, [=queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |entries|.
    1. [=Upon fulfillment=] of |promise|, run the following:
        1. Let |promiseEntries| be the value of |promise|.
        1. [=map/iterate|For each=] [=shared storage database/entry=] |entry| in |promiseEntries|, [=queue/enqueue=] |entry| in |iterator|'s [=SharedStorageIterator/pending entries=].
    1. [=Upon rejection=] of |promise|, set |iterator|'s [=SharedStorageIterator/error=] to true.
  </div>

  <div algorithm>
    To<dfn for="SharedStorageIterator">get the next iteration result</dfn>, given a {{SharedStorage}}'s [=async iterator=] |iterator|, run the following steps:

    1. Let |promise| be a new [=promise=].
    1. [=Enqueue the following steps=]:
        1. If |iterator|'s [=SharedStorageIterator/error=] is true, return a [=promise rejected=] with a {{TypeError}}.
        1. If |iterator|'s [=SharedStorageIterator/pending entries=] is [=list/empty=]:
            1. Create an object |doneObject|.
            1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |doneObject|.
            1. Abort these steps.
        1. Otherwise, let |entry| be the result of [=queue/dequeue|dequeueing=] from |iterator|'s [=SharedStorageIterator/pending entries=].
        1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |entry|.
    1. Return |promise|.
  </div>

Triggering Operations Via HTTP Response Header {#http}
======================================================

While setter and deleter operations (e.g.. {{SharedStorage/set()}}, {{SharedStorage/append()}}, {{SharedStorage/delete()}}, {{SharedStorage/clear()}}) can be initiated via the above APIs for {{Window}} or {{SharedStorageWorkletGlobalScope}}, setter/deleter operations can alternatively be triggered via HTTP [=/response=] [=header=].

This will require monkey patches to the HTML and Fetch specifications.

# HTML Monkey Patches # {#html-monkeypatches}

## {{HTMLSharedStorageWritableElementUtils/sharedStorageWritable}} & <{iframe/sharedstoragewritable}> Attributes ## {#html-attr}

Define the following [=interface mixin=] and include it in the IDL [=interfaces=] for {{HTMLIFrameElement}} and {{HTMLImageElement}}:

<xmp class='idl'>
  interface mixin HTMLSharedStorageWritableElementUtils {
    [CEReactions, SecureContext] attribute boolean sharedStorageWritable;
  };

  HTMLIFrameElement includes HTMLSharedStorageWritableElementUtils;
  HTMLImageElement includes HTMLSharedStorageWritableElementUtils;
</xmp>

Add the following [=boolean attributes|boolean content attributes=]:

: <{iframe}>
:: <dfn for="iframe" element-attr>sharedstoragewritable</dfn>
: <{img}>
:: <dfn for="img" element-attr>sharedstoragewritable</dfn>

The IDL attribute {{HTMLSharedStorageWritableElementUtils/sharedStorageWritable}} must [=reflect=] the respective [=content attribute=] of the same name.

## HTML Algorithm Modifications ## {#html-algo}

### Modification to [=Update the image data=] Algorithm ### {#mod-update-img}

  <div algorithm="modification-to-update-the-image-data">
    Modify [=update the image data=] as follows:

    After the step

    > Set |request|'s [=request/priority=] to the current state...

    add the step

    1. If the element has the <{img/sharedstoragewritable}> attribute present, set |request|'s [=request/shared storage writable=] to true.
  </div>

### Modification to [=Create navigation params by fetching=] Algorithm ### {#mod-create-nav}

  <div algorithm="modification-to-create-navigation-params-by-fetching">
    Modify [=create navigation params by fetching=] as follows:

    After the step

    > Let |request| be a new [=Request/request=], with ...

    add the step

    1. If <var ignore=''>navigable</var>'s [=container=] is an <{iframe}> element, and if it has a <{iframe/sharedstoragewritable}> [=content attribute=], then set |request|'s [=request/shared storage writable=] to true.
  </div>

# Fetch Monkey Patches # {#fetch-monkeypatches}

## {{RequestInit/sharedStorageWritable}} Key ## {#fetch-attr}

  A [=/request=] has an associated [=/boolean=] <dfn for=request>shared storage writable</dfn>. Unless stated otherwise it is false.

  The {{RequestInit}} dictionary contains a {{RequestInit/sharedStorageWritable}} key:

<xmp class='idl'>
  partial dictionary RequestInit {
    boolean sharedStorageWritable;
  };
</xmp>

## Fetch Algorithm Modifications ## {#mod-fetch-algo}

### Modification to the [=request-constructor|Request Constructor=] Algorithm ### {#mod-request-con}

  <div algorithm="modification-to-request-constructor">
    Modify the [=request-constructor|new Request(input, init) constructor=] as follows:

    Before the step

    > Set this's [=Request/request=] to |request|.

    add the step

    1. If <var ignore=''>init</var>["{{RequestInit/sharedStorageWritable}}"] [=map/exists=], then set |request|'s [=request/shared storage writable=] to it.
  </div>

### Modification to [=HTTP network or cache fetch=] Algorithm ### {#mod-http-net-fetch}

  <div algorithm="modification-to-http-network-or-cache-fetch">
    Modify the [=HTTP network or cache fetch=] algorithm as follows:

    Before the step

    > Modify |httpRequest|'s [=request/header list=] per HTTP. ...

    add the step

    1. [=Append or modify a Sec-Shared-Storage-Writable request header=] for |httpRequest|.
  </div>

### Modification to [=HTTP fetch=] Algorithm ### {#mod-http-fetch}

  <div algorithm="modification-to-http-fetch">
    Modify the [=HTTP fetch=] algorithm as follows:

    Before the step

    > If |internalResponse|'s [=response/status=] is a [=redirect status=]: ...

    add the steps

    1. If |request|'s [=request/destination=] is "sharedstorageworklet":
        1. Let |dataOriginValue| be the result of [=header list/getting=] [:Sec-Shared-Storage-Data-Origin:] from |request|'s [=request/header list=].
        1. If |dataOriginValue| is not null, then:
            1. Let |dataOriginUrl| be the result of running a [=URL parser=] on |dataOriginValue|.
            1. [=Assert=] that |dataOriginUrl| is not failure.
            1. [=Assert=] that |request|'s [=request/origin=] is not "<code>client</code>".
            1. [=Assert=] that |request|'s [=request/origin=] and |request|'s [=request/URL=]'s [=url/origin=] are not [=same origin=].
            1. [=Assert=] that |dataOriginUrl|'s [=url/origin=] and |request|'s [=request/URL=]'s [=url/origin=] are [=same origin=].
            1. Let |responseHeaders| be |internalResponse|'s [=response/header list=].
            1. Let |allowed| be the result of running [=get a structured field value=] algorithm given [:Shared-Storage-Cross-Origin-Worklet-Allowed:], "item", and |responseHeaders| as input.
            1. If |allowed| is false, then return a [=network error=].
    1. [=Handle a Shared-Storage-Write response=], given [=/response=] |internalResponse| and [=/request=] <var ignore=''>request</var> as input.
  </div>

## Shared Storage HTTP Headers ## {#headers}

### [:Sec-Shared-Storage-Data-Origin:] Request Header ### {#data-origin-request-header}

  This specification defines a <dfn http-header>Sec-Shared-Storage-Data-Origin</dfn> HTTP [=/request=] [=header=].

  The [:Sec-Shared-Storage-Data-Origin:] [=/request=] [=header=] whose [=header/value=] is a [=string=].

  When the [:Sec-Shared-Storage-Data-Origin:] is sent during the [fetch a worklet/module worker script graph](#fetch-a-worklet-script-graph-monkey-patch) algorithm, its [=header/value=] is set to the serialized [=url/origin=] that owns the worklet's shared storage data.

### [:Shared-Storage-Cross-Origin-Worklet-Allowed:] Response Header ### {#cross-origin-response-header}

  This specification defines a <dfn http-header>Shared-Storage-Cross-Origin-Worklet-Allowed</dfn> HTTP [=/response=] [=header=].

  The [:Shared-Storage-Cross-Origin-Worklet-Allowed:] [=/response=] [=header=] is a [=Structured Header=] whose value must be a [=structured header/Boolean=].

  When a [=/response=] has [:Shared-Storage-Cross-Origin-Worklet-Allowed:] with value true, the worklet script's server has given permission for a cross-origin site to create a worklet using shared storage data from the worklet script's [=url/origin=].

### [:Sec-Shared-Storage-Writable:] Request Header ### {#writable-request-header}

  This specification defines a <dfn http-header>Sec-Shared-Storage-Writable</dfn> HTTP [=/request=] [=header=].

  The [:Sec-Shared-Storage-Writable:] [=/request=] [=header=] is a [=Structured Header=] whose value must be a [=structured header/Boolean=].

  When a [=/request=] sets [:Sec-Shared-Storage-Writable:] to true its [=/response=] will be able to write to [=shared storage=].

### [:Shared-Storage-Write:] Response Header ### {#write-response-header}

  This specification defines a <dfn http-header>Shared-Storage-Write</dfn> HTTP [=/response=] [=header=].

  The [:Shared-Storage-Write:] [=/response=] [=header=] is a [=Structured Header=] whose value must be a [=structured header/List=]. The following list members are defined. [=structured header/Tokens=] and [=structured header/Strings=] holding the same sequence of characters are considered equivalent. [=structured header/Byte Sequences=] representing [=UTF-8 encoded=] bytes are also allowed, in order to provide functionality for writing and deleting non-[=ASCII=] [=Unicode=] keys and values via HTTP headers.

  Unknown list members, including types that are neither strings nor [=structured header/Byte Sequences=], are skipped, and the rest of the list is processed as if they weren't present. Members are also skipped if they're missing required [=structured header/parameters=] or those parameters have unexpected types.

    * `set`
        - Required [=structured header/parameters=]:
            * `key` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
            * `value` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
        - Optional [=structured header/parameters|parameter=]:
            * `ignore_if_present` ([=structured header/Boolean=])
        - If the [=structured header/parameter=] value of `ignore_if_present` is null or false, or if the [=structured header/parameter=] value of `key` does not already exist in the [=shared storage database=] for the responding server's [=/origin=], `set` writes the [=shared storage database/entry=] consisting of the [=structured header/parameter=] values for `key` and `value`, as the [=shared storage database/entry=]'s [=entry/key=] and [=shared storage database/entry=]'s [=entry/value struct=]'s [=value struct/value=] respectively, in the [=shared storage database=] for the responding server's [=/origin=].
        - If the [=structured header/parameter=] value of `ignore_if_present` is true and the [=structured header/parameter=] value of `key` already exists in the [=shared storage database=] for the responding server's [=/origin=], then `set` is a no-op.
    * `append`
        - Required [=structured header/parameters=]:
            * `key` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
            * `value` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
        - If the [=structured header/parameter=] value of `key` already exists in the [=shared storage database=] for the responding server's [=/origin=], then `append` updates the [=entry/key=]'s [=shared storage database/entry=]'s [=entry/value struct=]'s [=value struct/value=] by appending the [=structured header/parameter=] value for `value` to it.
        - If the [=structured header/parameter=] value of `key` does not already exist in the [=shared storage database=] for the responding server's [=/origin=], `append` is equivalent to `set` with `ignore_if_present` false, i.e. `append` writes the [=shared storage database/entry=] consisting of the [=structured header/parameter=] values for `key` and `value`, as the [=shared storage database/entry=]'s [=entry/key=] and [=shared storage database/entry=]'s [=entry/value struct=]'s [=value struct/value=] respectively, in the [=shared storage database=] for the responding server's [=/origin=].
    * `delete`
        - Required [=structured header/parameters|parameter=]:
            * `key` ([=structured header/Token=], [=structured header/String=], or [=structured header/Byte Sequence=])
        - `delete` erases any [=shared storage database/entry=] in the [=shared storage database=] for the responding server's [=/origin=] for which the [=entry/key=] is equal to the [=structured header/parameter=] value of `key`.
    * `clear`
        - `clear` erases all [=shared storage database/entries=] in the [=shared storage database=] for the responding server's [=/origin=].

    Note: We allow [=structured header/Byte Sequences=] in order to accommodate Unicode keys and values. Any [=structured header/Byte Sequence=] will be assumed to be [=UTF-8 encoded=] and will fail to parse otherwise.

<span class=todo>Add examples.</span>

## Shared Storage Fetch-Related Algorithms ## {#ss-fetch-algo}

  <div algorithm>
    To <dfn>determine whether a request can currently use shared storage</dfn>, given a [=/request=] |request|, perform the following steps:

    1. Let |window| to |request|'s [=request/window=].
    1. If |window| is not an [=environment settings object=] whose [=global object=] is a {{Window}}, return false.
    1. Let |allowedInOpaqueOriginContext| be true.
    1. If the result of running [=determine whether shared storage is allowed by context=] given |window|, |request|'s [=request/current URL=]'s [=url/origin=], and |allowedInOpaqueOriginContext| is false, return false.
    1. If the result of running [=check if user preference setting allows access to shared storage=] given |window| and |request|'s [=request/current URL=]'s [=url/origin=] is false, return false.

    Issue: The [=determine whether a request can currently use shared storage=] algorithm needs to take into account "opt-in features", as articulated in <a href="https://github.com/w3c/webappsec-permissions-policy/pull/499">https://github.com/w3c/webappsec-permissions-policy/pull/499</a>.
  </div>

  <div algorithm>
    To <dfn>append or modify a Sec-Shared-Storage-Writable request header</dfn>, given a [=/request=] |request|, perform the following steps:

    1. If |request|'s [=request/shared storage writable=] is not true, then return.

        Note: On a redirect, it is possible for |request|'s [=request/shared storage writable=] to be true, but for the redirect not to have permission to use shared storage, making the result of running [=determine whether a request can currently use shared storage=] on |request| false.

    1. If the result of running [=determine whether a request can currently use shared storage=] on |request| is false, [=header list/delete=] [:Sec-Shared-Storage-Writable:] from |request|'s [=request/header list=].
    1. Otherwise, [=header list/set a structured field value=] ([:Sec-Shared-Storage-Writable:], true) in |request|'s [=request/header list=].
  </div>

  <div algorithm>
    To <dfn>handle a Shared-Storage-Write response</dfn>, given a [=/response=] |response| and a [=/request=] |request|, perform the following steps:

    1. Let |sharedStorageWritable| the result of running [=get a structured field value=] algorithm given [:Sec-Shared-Storage-Writable:], "`item`", and |request|'s [=request/header list=] as input.
    1. If |sharedStorageWritable| is null, or |sharedStorageWritable| is not a [=structured header/Boolean=], or the value of |sharedStorageWritable| is false, return.
    1. Let |window| to |request|'s [=request/window=].
    1. [=Assert=]: |window| is an [=environment settings object=] whose [=global object=] is a {{Window}}.
    1. Let |sharedStorage| be |window|'s [=global object=]'s {{Window/sharedStorage}}.
    1. If |sharedStorage| is null, then return.
    1. Let |list| be |response|'s [=response/header list=].
    1. Let |operationsToParse| be the result of running [=get a structured field value=] algorithm given [:Shared-Storage-Write:], "`list`", and |list| as input.
    1. If |operationsToParse| is null or [=list/empty=], then return.
    1. For each tuple (|item|, |parameters|) in |operationsToParse|, perform the following steps:
        1. If |item| is an [=structured header/Inner List=], continue.
        1. [=Assert=]: |item| is an [=structured header/Bare Item=].
        1. Let |operationString| be the result of running [=get the string value=] for |item|.
        1. If |operationString| is failure, continue.
        1. Switch on |operationString|:
            <dl class=switch>
              <dt> If |operationString| is "`clear`":
                 <dd> Perform the following steps:
                     1. Run |sharedStorage|.{{SharedStorage/clear()|clear}}().
                     1. Continue.
              <dt> If |operationString| is "`delete`":
                <dd> Perform the following steps:
                     1. Let |key| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`key`".
                     1. If |key| is not null, run |sharedStorage|.{{SharedStorage/delete()|delete}}(|key|).
                     1. Continue.
              <dt> If |operationString| is "`append`":
                <dd> Perform the following steps:
                     1. Let |key| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`key`".
                     1. If |key| is null, continue.
                     1. Let |value| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`value`".
                     1. If |value| is not null, run |sharedStorage|.{{SharedStorage/append()|append}}(|key|, |value|).
                     1. Continue.
              <dt> If |operationString| is "`set`":
                <dd> Perform the following steps:
                     1. Let |key| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`key`".
                     1. If |key| is null, continue.
                     1. Let |value| be the result of running [=obtain a string-like parameter value=] with |parameters| and "`value`".
                     1. If |value| is null, continue.
                     1. Let |options| be a new {{SharedStorageSetMethodOptions}}.
                     1. If the result of running [=obtain a boolean parameter value=] with |parameters| and "`ignore_if_present`" is true, [=map/set=] |options|["`ignoreIfPresent`"] to true.
                     1. Run |sharedStorage|.{{SharedStorage/set()|set}}(|key|, |value|, |options|).
                     1. Continue.
              <dt> If |operationString| is anything else:
                <dd> Continue.
            </dl>
  </div>

  <div algorithm>
    To <dfn>check if string-like</dfn> for a [=structured header/Bare Item=] |item|, do the following:
    1. If the |item| is a [=structured header/String=], [=structured header/Token=], or [=structured header/Byte Sequence=], return true.
    1. Otherwise, return false.
  </div>

  <div algorithm>
    To <dfn>get the string value</dfn> for a [=structured header/Bare Item=] |item|, do the following:
    1. If the result of running [=check if string-like=] on |item| is false, return failure.
    1. Switch on the type of |item|:
        <dl class=switch>
          <dt> If |item| is a [=structured header/Token=]:
          <dt> If |item| is a [=structured header/String=]:
            <dd> Perform the following steps:
                1. [=Assert=]: |item| is an [=ASCII string=].
                1. Return |item|.
          <dt> If |item| is a [=structured header/Byte Sequence=]:
            <dd> Perform the following steps:
                1. Let |fromUTF8| be the result of running [=UTF-8 decode=] on |item|.
                1. If |fromUTF8| is an error, return null.
                1. Return |fromUTF8|.
        </dl>
  </div>

  <div algorithm>
    To <dfn>obtain a string-like parameter value</dfn>, given a [=structured header/parameters|parameters map=] |parameters| and a [=structured header/Token=] |paramKey|, perform the following steps:
    1. If |parameters| does not [=map/contain=] |paramKey|, return null.
    1. If the result of [=check if string-like=] for |parameters|[|paramKey|] is false, return null.
    1. Return the result of running [=get the string value=] for |parameters|[|paramKey|].
  </div>

    <div algorithm>
    To <dfn>obtain a boolean parameter value</dfn>, given a [=structured header/parameters|parameters map=] |parameters| and a [=structured header/Token=] |paramKey|, perform the following steps:
    1. If |parameters| does not [=map/contain=] |paramKey|, return null.
    1. If |parameters|[|paramKey|] is not a [=structured header/Boolean=], return null.
    1. Return |parameters|[|paramKey|].
  </div>

Permissions Policy Integration {#permission}
============================================

This specification defines a [=policy-controlled feature=] identified by the string "<dfn for="PermissionsPolicy">shared-storage</dfn>," along with a second [=policy-controlled feature=] identified by "<dfn for="PermissionsPolicy">shared-storage-select-url</dfn>".

"[=PermissionsPolicy/shared-storage=]" gates access to Shared Storage in general, whereas "[=shared-storage-select-url=]" adds an exra permission layer to {{SharedStorageWorklet/selectURL()}}. For each of these, the default allowlist is *.

Clear Site Data Integration {#clear}
====================================
<span class=todo>Add details for Clear Site Data integration.</span>

Privacy Considerations {#privacy}
=================================

  The Shared Storage API attempts to provide the ability to use cross-site data for a range of use cases in a way that better protects user privacy than the use of third-party cookies. Shared Storage's main privacy safeguard is that read access of the data stored in its storage may only occur within an embedder's {{SharedStorageWorklet}}. Well-defined limits restrict output of data from the {{SharedStorageWorklet}} to a minimum.

  In particular, an embedder can select a [=/URL=] from a short list of [=/URL=]s based on data in their shared storage and then display the result in a [=fenced frame=]. The embedder will not be able to know which [=/URL=] was chosen except through specifc mechanisms that will be better-mitigated in the longer term. Currently, a few bits of entropy can leak each time that the user clicks on the [=fenced frame=] to initiate a [=top-level traversable=] [=navigate|navigation=] and/or the [=fenced frame=] calls the {{reportEvent()}} API.

  An embedder is also able to send aggregatable reports via the [=Private Aggregation=] API, which adds noise in order to achieve differential privacy, uses a time delay to send reports, imposes limits on the number of reports sent, and processes the reports into aggregate data so that individual privacy is protected.