Re: [w3ctag/design-reviews] "credentialless" embedder policy. (#582)

> I think a problem with Option 2.a is that this would allow you to force same-origin credentialed resources loaded by the iframe into the embedder's process.

Oops. That's totally right! We can exclude 2.a. I assumed OOPIF support, which is not the case yet for every web browser. I was wondering what the relationship between COEP and reverse XFO was since the beginning. Thanks for this clarification!

By the way, I can totally see websites allowing themselves to be embedded cross-origin (YouTube iframe), but not being willing to share a process with a parent able to exploit them with Spectre (crossOriginIsolated). An explicit opt-in with XFO (2.a) might be a signal that the website "agreed" to deal with all the bad consequences of being embedded. However, I am afraid most didn't have cross-origin Spectre attacks in mind when they were created.

We should think a bit more about what option 3 might look like.


Received on Tuesday, 9 February 2021 00:02:24 UTC