There seems to be consensus that given the security properties of per-frame rSA it's reasonable to go back to (site, site) as the permission key. This would have the advantage that adjacent same-site iframes would be able to observe when storage access was available, without exposing these iframes to immediate storage access. It would also codify the user-visible permission grant level that most browsers will likely apply.
There seems to be consensus that given the security properties of per-frame rSA it's reasonable to go back to (site, site) as the permission key. This would have the advantage that adjacent same-site iframes would be able to observe when storage access was available, without exposing these iframes to immediate storage access. It would also codify the user-visible permission grant level that most browsers will likely apply.