mdn
Editorial review: Add docs for private state token API
Description
Chrome 117 added support for the Private State Token API. See https://chromestatus.com/feature/5078049450098688.
This PR adds docs for the API, including WebAPI, HTML, and HTTP features.
Note that some features don't have spec_urls set for their compat data, so their Specification sections say they don't appear to be defined in a specification. I'll fix that in a follow-up PR. UPDATE: ignore this; the data is now showing up fine.
Motivation
Additional details
Related issues and pull requests
Preview URLs (21 pages)
/en-US/docs/Web/API/Document/hasPrivateToken/en-US/docs/Web/API/Document/hasRedemptionRecord/en-US/docs/Web/API/Document/en-US/docs/Web/API/HTMLIFrameElement/privateToken/en-US/docs/Web/API/HTMLIFrameElement/en-US/docs/Web/API/Private_State_Token_API/Using/en-US/docs/Web/API/Private_State_Token_API/en-US/docs/Web/API/Request/Request/en-US/docs/Web/API/RequestInit/en-US/docs/Web/API/Window/fetch/en-US/docs/Web/API/XMLHttpRequest/setPrivateToken/en-US/docs/Web/API/XMLHttpRequest/en-US/docs/Web/HTML/Reference/Elements/iframe/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/private-state-token-issuance/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/private-state-token-redemption/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token-Crypto-Version/en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token-Lifetime/en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token/en-US/docs/Web/HTTP/Reference/Headers/Sec-Redemption-Record/en-US/docs/Web/Privacy/Guides/Privacy_sandbox
Flaws (12)
Note! 17 documents with no flaws that don't need to be listed. 🎉
URL: /en-US/docs/Web/API/HTMLIFrameElement
Title: HTMLIFrameElement
Flaw count: 6
- macros:
Macro domxref produces link /en-US/docs/Web/API/HTMLIFrameElement/align which doesn't resolveMacro domxref produces link /en-US/docs/Web/API/HTMLIFrameElement/frameBorder which doesn't resolveMacro domxref produces link /en-US/docs/Web/API/HTMLIFrameElement/longDesc which doesn't resolveMacro domxref produces link /en-US/docs/Web/API/HTMLIFrameElement/marginHeight which doesn't resolveMacro domxref produces link /en-US/docs/Web/API/HTMLIFrameElement/marginWidth which doesn't resolve- and 1 more flaws omitted
URL: /en-US/docs/Web/API/Private_State_Token_API/Using
Title: Using the Private State Token API
Flaw count: 2
- macros:
Macro domxref produces link /en-US/docs/Web/API/fetch which is a redirectMacro domxref produces link /en-US/docs/Web/API/fetch which is a redirect
URL: /en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Token
Title: Sec-Private-State-Token header
Flaw count: 3
- unknown:
No generic content config foundno blog rootno blog root
URL: /en-US/docs/Web/HTTP/Reference/Headers/Sec-Redemption-Record
Title: Sec-Redemption-Record header
Flaw count: 1
- macros:
Macro httpheader produces link /en-US/docs/Web/HTTP/Reference/Headers/Sec-Private-State-Crypto-Version which doesn't resolve
External URLs (15)
URL: /en-US/docs/Web/API/Private_State_Token_API
Title: Private State Token API
- https://en.wikipedia.org/wiki/CAPTCHA (1 time) (Note! This may be a new URL 👀)
- https://privacypass.github.io/ (1 time) (Note! This may be a new URL 👀)
- https://privatetokens.dev/ (1 time) (Note! This may be a new URL 👀)
URL: /en-US/docs/Web/API/Private_State_Token_API/Using
Title: Using the Private State Token API
- https://boringssl.googlesource.com/boringssl/ (1 time) (Note! This may be a new URL 👀)
- https://en.wikipedia.org/wiki/CAPTCHA (1 time) (Note! This may be a new URL 👀)
- https://github.com/GoogleChrome/private-tokens (1 time) (Note! This may be a new URL 👀)
- https://github.com/GoogleChrome/private-tokens/blob/main/PST-Registration.md (1 time) (Note! This may be a new URL 👀)
- https://github.com/GoogleChrome/private-tokens/issues/new (1 time) (Note! This may be a new URL 👀)
- https://github.com/GoogleChromeLabs/private-state-token-demo/ (1 time) (Note! This may be a new URL 👀)
- https://github.com/GoogleChromeLabs/private-state-token-demo/blob/bf173919620f2b8203a628c3a1094c8846e6aff1/src/index.js (3 times) (Note! This may be a new URL 👀)
- https://github.com/GoogleChromeLabs/private-state-token-demo/blob/main/src/index.js (2 times) (Note! This may be a new URL 👀)
- https://github.com/GoogleChromeLabs/private-state-token-demo/tree/main?tab=readme-ov-file (2 times) (Note! This may be a new URL 👀)
- https://privacypass.github.io/ (1 time) (Note! This may be a new URL 👀)
- https://privatetokens.dev/ (1 time) (Note! This may be a new URL 👀)
- https://web.dev/articles/same-site-same-origin (1 time) (Note! This may be a new URL 👀)
(comment last updated: 2025-12-15 17:35:22)
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@chrisdavidmills Removing my review - I'm on last day before holiday so I'd just be blocking you.
@hamishwillee @bsmth this one is ready for editorial review now. Quite a few files, but most of them are small. This one is a bit less complex than some of the other privacy sandbox-related APIs.
For the permissions policy directives, want to mention what * means? Something like:
The default allowlist for
private-state-token-issuanceis*(wildcard matching all origins).
For the permissions policy directives, want to mention what
*means? Something like:The default allowlist for
private-state-token-issuanceis*(wildcard matching all origins).
Nah, I think this is OK as-is. It says clearly what * means on the main Permissions-Policy reference page, and on the Permission Policy guide.
I assume you don't also need my review?
@hamishwillee Nah, I think we're good, thanks mate.