Storage-partition test · merchant cell

This page plays a merchant site embedding the key-holder iframe (the "prove.com" stand-in, hosted on the POC Connector). The key ID the iframe reports identifies which storage bucket this embedding context sees.

What this cell reports

top-level origin top-level site (eTLD+1) expected partition
key reported by iframewaiting for iframe… bucket status visits in this bucket

The key-holder iframe (live)

Test matrix — open each cell, compare key IDs

Measured 2026-07-07 — Chrome: 1 ≡ 2 ≠ 3 ≠ 4 (same top-level site → same partition across subdomains; cross-site isolated; first-party separate). Measured — Safari: 1 ≠ 2 ≠ 3 ≠ 4 — stricter than the documented site-keyed model: no subdomain sharing at all, and third-party storage is also ephemeral (quit Safari and revisit → cells 1–3 mint new keys; only cell 4's may survive, and only if visited within 7 days of interaction). Firefox: expected to match Chrome — pending.
  1. Subdomain sharing: open cells 1 and 2 — matching IDs proves one iframe key covers all of a merchant's subdomains.
  2. Cross-merchant isolation: open cell 3 — a different ID proves the cross-merchant fallback is partitioned away.
  3. First-party baseline: open cell 4 (key holder top-level) — its ID is the unpartitioned bucket.
  4. Chrome SAA: after visiting cell 4 and clicking anywhere on it, come back here and press the SAA button inside the iframe — if granted, the unpartitioned ID it prints should match cell 4's.
  5. Safari ephemerality: note the IDs, quit Safari fully, reopen — cells 1–3 will have minted fresh IDs.