Private State Token API Permissions Policy Default Allowlist Wildcard

Category: Network / Connectivity
Type: New or changed feature
Status: Enabled by default (Chrome 132)
Intent stage: None

Summary

Access to the Private State Token API is gated by Permissions Policy features. We proposed to update the default allowlist for both the `private-state-token-issuance` and `private-state-token-redemption` features from `self` to `*` (wildcard).
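The following added example (not Chrome's code and not part of the original entry) is a simplified model of the Permissions Policy decision for a directly embedded iframe. It shows what the default allowlist change means for a cross-origin embed and how a site can still restrict both features with a `Permissions-Policy` header. The origins and all function names are constructed for illustration.

```javascript
// Simplified model, not Chrome's implementation. Origins below are constructed.

// Parse common Permissions-Policy header forms: f=*, f=(), f=self,
// f=(self "https://a.example"). Returns { feature: [tokens] }.
function parseHeader(header) {
  const policy = {};
  for (const member of (header || "").split(",")) {
    const m = member.trim().match(/^([a-z-]+)=(.*)$/);
    if (!m) continue;
    const inner = m[2].trim().replace(/^\(|\)$/g, "");
    policy[m[1]] = inner.split(/\s+/).filter(Boolean).map(t => t.replace(/"/g, ""));
  }
  return policy;
}

// Parse an iframe allow attribute: "f1; f2 'none'". A bare feature name means 'src'.
function parseAllow(attr) {
  const policy = {};
  for (const part of (attr || "").split(";")) {
    const [name, ...tokens] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name] = tokens.length ? tokens.map(t => t.replace(/'/g, "")) : ["src"];
  }
  return policy;
}

// "self" refers to the embedding document's origin; 'none' matches nothing.
function matches(allowlist, origin, selfOrigin) {
  return allowlist.some(t => t === "*" || t === origin || (t === "self" && origin === selfOrigin));
}

// defaultAllowlist is "self" (previous default) or "*" (Chrome 132 default).
function enabledInFrame(feature, defaultAllowlist, { top, frame, header, allow }) {
  const declared = parseHeader(header)[feature];
  // A declared header allowlist must cover both the page itself and the frame origin.
  if (declared && !(matches(declared, top, top) && matches(declared, frame, top))) return false;
  // An explicit allow attribute on the iframe takes precedence over the default allowlist.
  const container = parseAllow(allow)[feature];
  if (container) return matches(container.map(t => (t === "src" ? frame : t)), frame, top);
  return defaultAllowlist === "*" || frame === top;
}

// Constructed scenario: a publisher page embedding a third-party frame.
const page = { top: "https://news.example", frame: "https://ivt.example" };
const restrict = "private-state-token-issuance=(self), private-state-token-redemption=(self)";
for (const f of ["private-state-token-issuance", "private-state-token-redemption"]) {
  console.log(f, "old default:", enabledInFrame(f, "self", page),
    "| new default:", enabledInFrame(f, "*", page),
    "| new default + restrictive header:", enabledInFrame(f, "*", { ...page, header: restrict }));
}
```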

Motivation

The Private State Tokens API has received recurring feedback from developers that the current requirement for first-party sites to opt in before third parties can invoke token issuance and redemption operations is not practical. This is especially true for use cases where embeds don't have first-party script access, either to execute the operations directly in the first-party context or to enable the permissions policies on the relevant frames. The current default requires every site to update its permissions policy for iframes that embed invalid traffic (IVT) detection scripts. Since scale and coverage are of the essence for IVT detection, which relies on identifying outlier patterns, the need for coordination with first parties places a high cost on successful adoption.
