How is the top-level frame's information protected from anonymous iframe? #27

Open
shhnjk opened this issue Feb 8, 2022 · 1 comment

Comments

shhnjk commented Feb 8, 2022

From the explainer, it looks like the top-level frame doesn't need to be anonymous (i.e. it can have access to sensitive data/storage).
In a scenario where the UA doesn't support OOPIF, how is the data in the top-level frame protected from an anonymous iframe (if the anonymous iframe were evil)?

camillelamy (Owner) commented

The top-level frame would need to set COOP and COEP to have access to the crossOriginIsolated APIs. It would be vulnerable to an attack from a subframe it embeds, though that is already the case with crossOriginIsolation right now. To mitigate this threat, cross-origin subframes do not have access to crossOriginIsolated APIs unless the top-level frame delegates them the permission using Permissions Policy. Anonymous iframes would not change the situation.
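The gating described in the reply above, as an added example that is not part of the issue thread or of the anonymous-iframe explainer. It is a small model, runnable under Node, of how a browser decides whether a document sees `self.crossOriginIsolated === true`: the top-level document must send `Cross-Origin-Opener-Policy: same-origin` plus `Cross-Origin-Embedder-Policy: require-corp` (or `credentialless`), every nested document must itself carry an isolating COEP or it is blocked from loading, and a cross-origin subframe additionally needs the `cross-origin-isolated` Permissions Policy feature delegated through `<iframe allow="cross-origin-isolated">`, because that feature's default allowlist is `'self'`. The origins, headers and `allow` strings are constructed for the example; `evaluate`, `allowGrants` and `scenarios` are names chosen here, not browser or explainer APIs.

```javascript
// Added example: a model of the crossOriginIsolated gate, not browser or explainer code.
// Each frame is {origin, headers, allow}; headers are lower-cased response header names
// and `allow` is the embedding <iframe allow="..."> attribute (absent on the top level).

const COEP = 'cross-origin-embedder-policy';
const COOP = 'cross-origin-opener-policy';
const FEATURE = 'cross-origin-isolated';           // Permissions Policy feature name
const ISOLATING_COEP = new Set(['require-corp', 'credentialless']);

// A top-level document gets a cross-origin isolated agent cluster only with both headers.
function topLevelOptsIn(headers) {
  return headers[COOP] === 'same-origin' && ISOLATING_COEP.has(headers[COEP]);
}

// Minimal parse of `allow="feature origin-list; feature2 ..."` for one feature.
// A bare feature name means the allowlist 'src' (the iframe's own origin);
// a feature that is not listed falls back to the default allowlist 'self',
// which never matches a cross-origin child.
function allowGrants(feature, iframe) {
  for (const decl of (iframe.allow || '').split(';')) {
    const [name, ...list] = decl.trim().split(/\s+/).filter(Boolean);
    if (name !== feature) continue;
    if (list.length === 0) return true;
    return list.some(o => o === '*' || o === 'src' || o === iframe.origin);
  }
  return false;
}

// chain[0] is the top-level document; chain[i] is embedded by chain[i-1].
// Returns whether the innermost document loads at all and, if so, whether it is isolated.
function evaluate(chain) {
  const isolatedCluster = topLevelOptsIn(chain[0].headers);
  let featureAllowed = true;                       // 'self' covers the top level itself
  for (let i = 1; i < chain.length; i++) {
    const parent = chain[i - 1];
    const child = chain[i];
    // An embedder with require-corp/credentialless refuses nested documents that
    // do not themselves send an isolating COEP: the frame never loads.
    if (ISOLATING_COEP.has(parent.headers[COEP]) && !ISOLATING_COEP.has(child.headers[COEP])) {
      return { loads: false, crossOriginIsolated: false, reason: 'blocked by embedder COEP' };
    }
    // Permissions Policy is inherited down the tree: a same-origin child keeps the
    // parent's grant, a cross-origin child needs an explicit delegation at this hop.
    const sameOrigin = child.origin === parent.origin;
    featureAllowed = featureAllowed && (sameOrigin || allowGrants(FEATURE, child));
  }
  const isolated = isolatedCluster && featureAllowed;
  const reason = !isolatedCluster ? 'top level did not send COOP+COEP'
               : !featureAllowed ? `${FEATURE} not delegated by Permissions Policy`
               : 'isolated';
  return { loads: true, crossOriginIsolated: isolated, reason };
}

// Constructed frames: an isolated top-level page and a cross-origin widget.
const bank = { origin: 'https://bank.example',
               headers: { [COOP]: 'same-origin', [COEP]: 'require-corp' } };
const widget = { origin: 'https://widget.example',
                 headers: { [COEP]: 'require-corp' }, allow: '' };
const widgetDelegated = { ...widget, allow: `${FEATURE}` };
const widgetNoCoep = { origin: 'https://widget.example', headers: {}, allow: `${FEATURE}` };
const plainTop = { origin: 'https://bank.example', headers: {} };

function scenarios() {
  return {
    topLevel: evaluate([bank]),
    crossOriginNotDelegated: evaluate([bank, widget]),
    crossOriginDelegated: evaluate([bank, widgetDelegated]),
    missingCoep: evaluate([bank, widgetNoCoep]),
    plainTop: evaluate([plainTop, widgetDelegated]),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The case the issue asks about is `crossOriginNotDelegated`: the top-level page is isolated, the widget loads, but without `allow="cross-origin-isolated"` on its iframe the widget's `self.crossOriginIsolated` stays false, so it cannot use SharedArrayBuffer, high-resolution timers and the other gated APIs against its embedder. In a real browser the subframe observes the same outcome through `self.crossOriginIsolated`; this model only encodes the rule, it does not implement the agent-cluster or process placement that a UA without OOPIF would use.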
