jkarlin
commented
6 years ago Another option is to remove enforcement completely. We could just report via Reporting API that the frame violated the size policy and the embedder can take action. One reasonable action would be to pause the frame.
As written in the explainer, once a frame violates it is no longer allowed to request resources, but is otherwise allowed to run. It seems useful to have some sort of default enforcement (to make it more like other sandboxy apis). But it may also be useful to only provide a report and not stop future requests, allowing the embedding page to deal with the violating frame (if at all).
Use case 1: Measure how often frames violate without disabling them. Use case 2: Alternative violation enforcement, such as displaying a warning.