From 768483da4f0cf156f1515cd1e69fdbb1f3280e38 Mon Sep 17 00:00:00 2001
From: Mark Dumay <61946753+markdumay@users.noreply.github.com>
Date: Tue, 24 Feb 2026 15:49:51 +0100
Subject: [PATCH] fix: enable Storage Access API in preview iframe

Adds allow="storage-access" and allow-storage-access-by-user-activation
to the preview iframe so that embedded sites can persist cookie consent
via the Storage Access API. Without these attributes, browsers reject
requestStorageAccess() calls inside sandboxed cross-origin iframes,
causing consent banners to reappear on every load.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 layouts/partials/assets/preview.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/layouts/partials/assets/preview.html b/layouts/partials/assets/preview.html
index 9888604..a654228 100644
--- a/layouts/partials/assets/preview.html
+++ b/layouts/partials/assets/preview.html
@@ -75,7 +75,8 @@
                         class="preview-iframe preview-{{ $device }}"
                         title="{{ or $args.heading.title (printf "Preview of %s" $args.url) }}"
                         loading="lazy"
-                        sandbox="allow-scripts allow-same-origin allow-forms allow-popups"
+                        allow="storage-access"
+                        sandbox="allow-scripts allow-same-origin allow-forms allow-popups allow-storage-access-by-user-activation"
                         referrerpolicy="no-referrer-when-downgrade">
                 </iframe>
                 <div class="preview-error" style="display: none;">