WICG / fenced-frame

Proposal for a strong boundary between a page and its embedded content
https://wicg.github.io/fenced-frame/

Incompatible with a CSP sandbox #96

Closed Mixesoft closed 1 year ago

Mixesoft commented 1 year ago

When the topmost frame document has the following CSP header: Content-Security-Policy: sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation;

In the Chrome console the following warning appears: Can't create a fenced frame. A sandboxed document can load fenced frames only when all of the following permissions are set: allow-same-origin, allow-forms, allow-scripts, allow-popups, allow-popups-to-escape-sandbox and allow-top-navigation-by-user-activation.

Latest Chrome stable channel, Privacy Sandbox trial on. Is this the intended functionality? Why does the fenced frame require all the permissions set for the topmost frame? It's a lack of security at all for the top frame. So what is the goal then?

domfarolino commented 1 year ago

Yes this is intended.

Why does the fenced frame require all the permissions set for the topmost frame?

It does not require "all the permissions". Please see https://github.com/WICG/fenced-frame/blob/master/explainer/README.md#security-considerations which points to a document that describes in detail which sandbox flags must be allowed for an embedding environment to be considered suitable for a fenced frame. At the moment the set is static across fenced frames but will soon be actually defined by each config-generating API (i.e., Protected Audience and Shared Storage at the moment), which define which sandbox flags must be enabled for a given FencedFrameConfig object to load in an environment. These considerations are made based on what the content represented by each FencedFrameConfig expects to be able to do in its environment.

Mixesoft commented 1 year ago

Thanks for the detailed answer! It's just that currently we can't use sandbox for the topmost window, because AdSense code (https://securepubads.g.doubleclick.net/static/topics/topics_frame.html) can't create a fenced frame.

domfarolino commented 1 year ago

You can use CSP sandbox flags, just limited to a certain set of flags. If we allowed any flags, including ones that prevented ads from doing what they expect or need to do, this could be used as a trivial communication channel between the top page and the ad, which harms user privacy and is precisely the thing we're trying to prevent with this proposal. If possible, using a more lenient set of flags would be the best way forward.
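As an added illustration (not code from the fenced-frame repository or from either commenter), the following checker parses a Content-Security-Policy header value and reports which of the sandbox flags named in the Chrome warning quoted above are missing. The required set is taken from that warning; the function names are hypothetical, and the parser assumes a single header value and ignores the non-sandbox semantics of CSP.

```javascript
// Added example, not from the fenced-frame repo or the issue thread.
// Sandbox flags a sandboxed embedder must allow before a fenced frame will
// load, as listed in the Chrome console warning quoted in this issue.
const REQUIRED_SANDBOX_FLAGS = [
  "allow-same-origin",
  "allow-forms",
  "allow-scripts",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-top-navigation-by-user-activation",
];

// Parse one Content-Security-Policy header value (without the header name)
// into a Map of directive name -> array of tokens. Directives are separated
// by ';', tokens by ASCII whitespace; directive names are case-insensitive.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores duplicate directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether the CSP sandbox on the embedding document leaves enough
// room for a fenced frame. Returns { sandboxed, allowed, missing }.
// Assumption: a single header value; if several CSP headers are delivered,
// every one of them must pass this check, since the strictest policy wins.
function fencedFrameSandboxCheck(headerValue) {
  const csp = parseCsp(headerValue);
  if (!csp.has("sandbox")) {
    // No sandbox directive: the document is not sandboxed at all.
    return { sandboxed: false, allowed: true, missing: [] };
  }
  const granted = new Set(csp.get("sandbox").map((t) => t.toLowerCase()));
  const missing = REQUIRED_SANDBOX_FLAGS.filter((f) => !granted.has(f));
  return { sandboxed: true, allowed: missing.length === 0, missing };
}

// The header value from the issue report: sandboxed, but three flags short.
const REPORTED_HEADER =
  "sandbox allow-same-origin allow-scripts allow-top-navigation-by-user-activation;";

// A header that keeps the sandbox but grants the full required set.
const LENIENT_HEADER = "sandbox " + REQUIRED_SANDBOX_FLAGS.join(" ") + ";";

console.log(fencedFrameSandboxCheck(REPORTED_HEADER));
console.log(fencedFrameSandboxCheck(LENIENT_HEADER));
```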

domfarolino commented 1 year ago

I'm going to close this since I don't think there is any action we can take here that won't compromise user privacy. Please feel free to comment further or re-open the issue if you'd like to continue the dialogue, as we're happy to help further if we can.