camillelamy / explainers


How is the top-level frame's information protected from anonymous iframe? #27

Open shhnjk opened 2 years ago

shhnjk commented 2 years ago

From the explainer, it looks like the top-level frame doesn't need to be anonymous (i.e. can have access to sensitive data/storage). In a scenario where the UA doesn't support OOPIF, how is the data in the top-level frame protected from an anonymous iframe (if the anonymous iframe was evil)?

camillelamy commented 2 years ago

The top-level frame would need to set COOP and COEP to have access to crossOriginIsolated APIs. It would be vulnerable to an attack from a subframe it embeds, though that is already the case with crossOriginIsolation right now. To mitigate this threat, cross-origin subframes do not have access to crossOriginIsolated APIs unless the top-level frame delegates the permission to them using Permissions Policy. Anonymous iframes would not change the situation.
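
The delegation rule described in the reply above, as an added example that is not part of the thread or the explainer repository: a simplified model of when a subframe gets crossOriginIsolated APIs, plus a two-origin localhost demo in which each frame prints its own `self.crossOriginIsolated` value. The ports, function names and page markup are assumptions, and the model ignores `Permissions-Policy` response headers and allowlist values such as `'none'`.

```javascript
// Added example: ports, names and markup are assumptions, not the explainer's code.
const TOP = 8080, FRAME = 8081; // two localhost ports = two distinct origins

// Headers the top-level document sends to become cross-origin isolated.
const topHeaders = () => ({
  'Content-Type': 'text/html',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
});

// A cross-origin frame must opt in to being embedded under COEP: require-corp.
const frameHeaders = () => ({
  'Content-Type': 'text/html',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Resource-Policy': 'cross-origin',
});

// Simplified model: the page must be isolated (COOP + COEP), and a cross-origin
// subframe additionally needs the feature delegated through its allow attribute.
function frameGetsIsolatedApis(top, frameIsCrossOrigin, allowAttr = '') {
  const isolated = top['Cross-Origin-Opener-Policy'] === 'same-origin' &&
                   top['Cross-Origin-Embedder-Policy'] === 'require-corp';
  if (!isolated) return false;
  if (!frameIsCrossOrigin) return true; // feature's default allowlist is 'self'
  const features = allowAttr.split(';').map(s => s.trim().split(/\s+/)[0]);
  return features.includes('cross-origin-isolated');
}

// Top-level page: one undelegated and one delegated cross-origin iframe.
const topPage = () => `<!doctype html>
<p>top: <script>document.write(self.crossOriginIsolated)</script></p>
<iframe src="http://localhost:${FRAME}/?undelegated"></iframe>
<iframe src="http://localhost:${FRAME}/?delegated" allow="cross-origin-isolated"></iframe>`;

const framePage = () => `<!doctype html><script>
document.write(location.search + ' crossOriginIsolated=' + self.crossOriginIsolated +
  ' SharedArrayBuffer=' + typeof SharedArrayBuffer);</script>`;

// Start both origins only when asked: node demo.js --serve
async function serve() {
  const http = await import('node:http');
  http.createServer((_, res) => { res.writeHead(200, topHeaders()); res.end(topPage()); }).listen(TOP);
  http.createServer((_, res) => { res.writeHead(200, frameHeaders()); res.end(framePage()); }).listen(FRAME);
}
if (process.argv.includes('--serve')) serve();
```

With `--serve`, open `http://localhost:8080/` and compare what the two iframes report.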