Update spec for enrollment #105

Merged
merged 7 commits into from
Aug 29, 2023
30 changes: 24 additions & 6 deletions spec.bs
Expand Up @@ -150,6 +150,9 @@ spec: html; urlPrefix: https://en.wikipedia.org/wiki/Entropy_(information_theory
type: dfn
text: bits of entropy
text: entropy bits
spec: html; urlPrefix: https://github.com/privacysandbox/attestation
type: dfn
text: enrolled
</pre>

<style>
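Review bot: The new anchor entry for `enrolled` takes the bare repository URL `https://github.com/privacysandbox/attestation` as its urlPrefix, so every [=enrolled=] link is derived from the repository address, and nothing in this change shows that a matching definition exists there. Since enrollment now gates access in the algorithms below, point the entry at the specific document or section that defines enrollment, or add a short local definition of what it means for a site to be enrolled. The entry also reuses the `spec: html` label, which does not describe this source; a distinct spec name would keep the cross-reference unambiguous.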
Expand Down Expand Up @@ -236,11 +239,27 @@ Because adding multiple [=module scripts=] via {{Worklet/addModule()}} for the s

When {{Worklet/addModule()}} is called for a worklet, it will run [=check if addModule allowed and update status=], and if the result is false, abort the remaining steps in the {{Worklet/addModule()}} call, as detailed in the [[#worklet-monkey-patch]].

<div algorithm>
To <dfn>check if user preference setting allows access to shared storage</dfn> from an [=environment settings object=] |environment|, run the following step:
1. Using values available in |environment| as needed, use an [=implementation-defined=] algorithm to return either true or false.
</div>

<div algorithm>
To <dfn>determine whether shared storage is allowed</dfn>, given an [=environment settings object=] |environment|, run these steps:

1. If |environment| is not a [=secure context=], then return false.
1. Let |origin| be |environment|'s [=url/origin=].
1. If |origin| is an [=opaque origin=], then return false.
1. If the result of running [=obtaining a site|obtain a site=] with |origin| is not [=enrolled=], then return false.
1. If the result of running [=check if user preference setting allows access to shared storage=] from |environment| is false, then return false.
1. Return true.
</div>

<div algorithm>
To <dfn>check if addModule allowed and update status</dfn> for a {{SharedStorageWorklet}} |worklet|, run the following steps:
1. If the user preference setting disallows the access to [=shared storage=] from [=this=], return false.
1. If the result of running [=determine whether shared storage is allowed=] on the [=relevant settings object=] of [=this=] is false, return false.
1. If |worklet|'s [=addModule initiated=] is true, return false.
1. Set {{Worklet}}'s [=addModule initiated=] to true.
1. Set |worklet|'s [=addModule initiated=] to true.
1. Return true.
</div>

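Review bot: In "check if addModule allowed and update status", the new first step still takes the [=relevant settings object=] of [=this=], while the algorithm's only parameter is |worklet| and the later step was changed from `{{Worklet}}` to |worklet|. Use |worklet|'s [=relevant settings object=] there so the algorithm does not depend on the caller's [=this=]. In "determine whether shared storage is allowed", the enrollment step tests whether the result of obtain a site "is not [=enrolled=]"; it would read more precisely if the site were bound to a variable first (for example `Let |site| be ...`) and the check then referred to |site|.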
Expand Down Expand Up @@ -374,9 +393,8 @@ The Shared Storage API will integrate into the [=Storage Model|Storage API=] as
<div algorithm>
To <dfn>obtain a shared storage shelf</dfn>, given a [=shared storage shed=] |shed| and an [=environment settings object=] |environment|, run these steps:

1. If the result of running [=determine whether shared storage is allowed=] on |environment| is false, then return failure.
1. Let |origin| be |environment|'s [=url/origin=].
1. If |origin| is an [=opaque origin=], then return failure.
1. If the user preference setting disallows the access to [=shared storage=] from |environment|, then return failure.
1. If |shed|[origin] does not exist, then set |shed|[origin] to the result of running [=create a shared storage shelf=] with [=storage type|type=] "`shared`".
1. Return |shed|[|origin|].
</div>
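Review bot: With the opaque-origin step removed here, `Let |origin| be |environment|'s [=url/origin=]` now relies on "determine whether shared storage is allowed" having already rejected opaque origins; an [=Assert=] that |origin| is not an [=opaque origin=] right after that step would keep the invariant visible in this algorithm. The shelf lookup also writes `|shed|[origin]` twice without variable bars while the return step uses `|shed|[|origin|]`, which is worth fixing while this algorithm is being edited. The new first step additionally makes this algorithm return failure for non-secure contexts and for sites that are not enrolled, so any prose describing when obtaining a shelf fails should be updated to match.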
Expand Down Expand Up @@ -865,7 +883,7 @@ On the other hand, methods for getting data from the [=shared storage database=]
1. If the result of running [=SharedStorageWorkletGlobalScope/check whether addModule is finished=] for |worklet|'s {{SharedStorageWorkletGlobalScope}} is false, return a [=promise rejected=] with a {{TypeError}}.
1. Let |realm| be the [=current realm=].
1. Let |outsideSettings| be {{WindowSharedStorage/worklet}}'s [=relevant settings object=].
1. If the user preference setting disallows the access to [=shared storage=] from |outsideSettings|, return a [=promise rejected=] with a {{TypeError}}.
1. If the result of running [=determine whether shared storage is allowed=] on |outsideSettings| is false, return a [=promise rejected=] with a {{TypeError}}.
1. Let |agent| be the result of [=obtaining a worklet agent=] given |outsideSettings|.
1. Run the following steps in |agent|:
1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to resolve |promise| with undefined.
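Review bot: The replaced step runs the new check on |outsideSettings|, which the preceding step derives from `{{WindowSharedStorage/worklet}}` rather than from the |worklet| variable used two steps earlier in "check whether addModule is finished for |worklet|'s ...". Deriving it as |worklet|'s [=relevant settings object=] would make it clear that the enrollment and preference check applies to the same worklet whose addModule state was just tested.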
Expand Down Expand Up @@ -925,7 +943,7 @@ On the other hand, methods for getting data from the [=shared storage database=]
1. If |context| is null, return a [=promise rejected=] with a {{TypeError}}.
1. Let |environment| be |context|'s [=active window=]'s [=relevant settings object=].
1. If |environment|'s [=associated document=] is not [=fully active=], return a [=promise rejected=] with a {{TypeError}}.
1. If the user preference setting disallows the access to [=shared storage=] from |environment|, return a [=promise rejected=] with a {{TypeError}}.
1. If the result of running [=determine whether shared storage is allowed=] on |environment| is false, return a [=promise rejected=] with a {{TypeError}}.
1. Let |worklet| be {{WindowSharedStorage}}'s {{WindowSharedStorage/worklet}}.
1. If |worklet|'s [=global scopes|list of global scopes=] is [=list/empty=], then return a [=promise rejected=] with a {{TypeError}}.
1. [=Assert=] that |worklet|'s [=global scopes|list of global scopes=] [=list/contains=] a single {{SharedStorageWorkletGlobalScope}}.
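Review bot: The new step rejects with a {{TypeError}} whenever "determine whether shared storage is allowed" returns false, which now covers a non-secure context, an opaque origin, a site that is not enrolled, and the user preference, all indistinguishable from the neighbouring {{TypeError}} rejections for a null |context| or a document that is not [=fully active=]. If that is intended, add a note saying so and why; if developers are expected to diagnose a missing enrollment, state where that is surfaced, since the promise rejection alone cannot tell them.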