[w3ctag/design-reviews] Specification review for fenced frames (Issue #838) from Dominic Farolino on 2023-04-25 (public-webapps-github@w3.org from April 2023)

From: Dominic Farolino <notifications@github.com>
Date: Tue, 25 Apr 2023 08:03:39 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/838@github.com>
こんにちは TAG-さん!

I'm requesting a TAG review of fenced frames.

**Overview of proposal**
In a web that has its cookies and storage partitioned by top-frame site, there are occasions (such as [Interest group based advertising](https://github.com/WICG/turtledove) or [Conversion Lift Measurements](https://github.com/w3c/web-advertising/blob/master/support_for_advertising_use_cases.md#conversion-lift-measurement)) when it would be useful to display content from different partitions in the same page. This can only be allowed if the documents that contain data from different partitions are isolated from each other such that they're visually composed on the page, but unable to communicate with each other. Iframes do not suit this purpose since they have many communication channels with their embedding frame (e.g., postMessage, URLs, size attribute, name attribute, etc.). We propose fenced frames, a new element to embed documents on a page, that explicitly prevents communication between the embedder and the frame.

**Delta**
Please note that previously we had an early-review TAG design review that had resolved positively: https://github.com/w3ctag/design-reviews/issues/735#issuecomment-1226822420. Since then, our spec has become considerably more fleshed out, and parts of our API surface have changed substantially, captured in https://github.com/WICG/fenced-frame/blob/master/explainer/fenced_frame_config.md: more or less, we've removed the `src` attribute from the fenced frame element, in favor or manipulating the element with the new `FencedFrameConfig` interface, which can be returned from various APIs related to this proposal, such as [Private Audience](https://github.com/wicg/turtledove) and [Shared Storage](https://github.com/WICG/shared-storage/).

**Details**
  - Explainer (minimally containing user needs and example code): https://github.com/WICG/fenced-frame/blob/master/explainer/README.md
  - Specification URL: https://wicg.github.io/fenced-frame/
  - Tests: https://github.com/web-platform-tests/wpt/tree/master/fenced-frame
  - User research: N/A
  - Security and Privacy self-review: https://github.com/WICG/fenced-frame/blob/master/explainer/TAG_Security_Privacy_Questionnaire.md
  - Primary contacts (and their relationship to the specification):
      - Dominic Farolino @domfarolino, editor of the spec; Shivani Sharma @shivanigithub (primary explainer author and champion of fenced frames)
  - Organization(s)/project(s) driving the specification: Google Chrome Privacy Sandbox
  - Key pieces of existing multi-stakeholder review or discussion of this specification:
    - https://github.com/w3ctag/design-reviews/issues/735
    - https://github.com/mozilla/standards-positions/issues/781
    - https://github.com/WebKit/standards-positions/issues/173
  - External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
    - https://github.com/WICG/fenced-frame/issues
    - https://chromestatus.com/feature/5699388062040064
    - https://chromestatus.com/feature/5100526168440832

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - Relevant time constraints or deadlines: Per https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline, Google Chrome is planning to launch the privacy sandbox APIs in Q3 of 2023
  - The group where the work on this specification is currently being done: WICG
  - The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WHATWG HTML Standard
  - Major unresolved issues with or opposition to this specification: At the time of writing, while most of the spec infrastructure exists, we are currently in the process of spec'ing our integration with the following (though the behavior is already clear from our explainers):
    - [Permissions policy](https://github.com/WICG/fenced-frame/pull/74)
    - Sandboxing flags
    - [Private network access](https://github.com/WICG/fenced-frame/pull/73)
    - [Event reporting](https://github.com/WICG/fenced-frame/pull/78) and its associated Fetch integration
  - This work is being funded by: Google Chrome

We'd prefer the TAG provide feedback as:

  💬 leave review feedback as a **comment in this issue** and @-notify [GitHub usernames]

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/838
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/838@github.com>
Received on Tuesday, 25 April 2023 15:03:44 UTC