privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

[Per-frame] Permission grants are usable by cross-site iframes #163

Open cfredric opened 1 year ago

cfredric commented 1 year ago

While working on the per-frame changes in Chromium, I've realized that there's a bit of an edge case that (IMO) does something unexpected.

Suppose a document on site A embeds two iframes (siblings) on sites B and C. Both iframes call document.requestStorageAccess() and both calls resolve. Now, say iframe C makes a subresource request to a URL on site B. Will this request be credentialed?

As currently specified, yes, I think it will (though the spec is a little hand-wavy in this area). By assumption, the C iframe's environment has the has storage access bit set, so the HTTP-network-or-cache fetch algorithm and document.cookie algorithms will use the relevant storage-access permission grant to attach cookies to the request. But the request's top-level site (A) and URL (B) mean that the permission grant which is relevant to the request is the one keyed by <A, B>. This grant cannot possibly have been obtained by the C iframe. So the C iframe is benefiting from the grant that its sibling obtained, not the one that it obtained on its own.

To me, it would seem more consistent to say that a given embedded context can only get access to its own cookies. I.e., that the C iframe can only send credentialed requests to C, regardless of what other permission grants have been created under the same top-level site.

Let me know what you all think. I think making this change would be positive from a security standpoint, but I'm not sure if there are legitimate use cases that would be broken by this restriction.

annevk commented 1 year ago

I think the first paragraph of https://privacycg.github.io/storage-access/#cookies captures this intent, but the later paragraphs are indeed lacking.

From a browser architecture perspective it's also somewhat lacking that the website process would be able to hold this kind of authoritative state, but that's probably more reasonable to gloss over.

johannhof commented 1 year ago

Yeah it's somewhat implied that fetch or the cookie store would do a same-site check between the request url origin and the embedded site, but I agree that this isn't clear enough. From my perspective I'd welcome a PR to that effect :)
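The scenario cfredric lays out above (A embeds sibling iframes B and C, both with storage access, and C fetches a subresource from B), together with the same-site check johannhof describes between the request URL and the embedded site, can be modelled in a few lines. The following is an added example written for this thread; it is not code from the Storage Access spec, from Chromium, or from any of the commenters. It assumes a simplified notion of "site" (scheme plus the last two host labels, instead of a Public Suffix List lookup), and it models only the storage-access path for a frame that is cross-site to its top-level document, so the ordinary same-site cookie path never applies.

```javascript
// Added example (not spec or implementation code): a small model of when a
// cross-site iframe's subresource request is credentialed under the Storage
// Access API, comparing the "as currently specified" reading from the issue
// with the same-site check proposed as the fix.

// Simplification (assumption): a "site" is scheme + last two host labels.
// A real implementation would use the Public Suffix List here.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  const domain = labels.slice(-2).join(".");
  return `${u.protocol}//${domain}`;
}

// Permission grants are keyed by <top-level site, embedded site>.
function grantKey(topLevelSite, embeddedSite) {
  return `${topLevelSite} ${embeddedSite}`;
}

class StorageAccessGrants {
  constructor() {
    this.grants = new Set();
  }
  // Models a document.requestStorageAccess() call that resolved in a frame of
  // `embeddedSite` embedded under a top-level document of `topLevelSite`.
  grant(topLevelSite, embeddedSite) {
    this.grants.add(grantKey(topLevelSite, embeddedSite));
  }
  has(topLevelSite, embeddedSite) {
    return this.grants.has(grantKey(topLevelSite, embeddedSite));
  }
}

// Decide whether a subresource request made from an embedded frame should
// carry cookies.
//   frame      = { topLevelSite, site, hasStorageAccess }
//   requestUrl = the URL the frame is fetching
//   mode "as-specified":     look up the grant keyed by
//                            <top-level site, request URL site> only, which is
//                            the reading the issue describes as current.
//   mode "same-site-check":  additionally require the request URL to be
//                            same-site with the embedding frame itself, so a
//                            frame can only benefit from its own grant.
function shouldAttachCookies(grants, frame, requestUrl, mode) {
  // Without the "has storage access" bit the storage-access path is off.
  if (!frame.hasStorageAccess) return false;
  const requestSite = siteOf(requestUrl);
  if (mode === "same-site-check" && requestSite !== frame.site) return false;
  return grants.has(frame.topLevelSite, requestSite);
}

// Constructed scenario from the issue: A embeds sibling iframes B and C, and
// both iframes' requestStorageAccess() calls resolved.
function issueScenario() {
  const A = "https://a.example";
  const B = "https://b.example";
  const C = "https://c.example";
  const grants = new StorageAccessGrants();
  grants.grant(A, B);
  grants.grant(A, C);
  const frameC = { topLevelSite: A, site: C, hasStorageAccess: true };
  return {
    // C fetching from B: credentialed under the current reading (it rides on
    // the <A, B> grant that B obtained), but not with the same-site check.
    cToB_asSpecified: shouldAttachCookies(grants, frameC, "https://cdn.b.example/x", "as-specified"),
    cToB_sameSiteCheck: shouldAttachCookies(grants, frameC, "https://cdn.b.example/x", "same-site-check"),
    // C fetching from C: credentialed either way, using C's own <A, C> grant.
    cToC_asSpecified: shouldAttachCookies(grants, frameC, "https://c.example/api", "as-specified"),
    cToC_sameSiteCheck: shouldAttachCookies(grants, frameC, "https://c.example/api", "same-site-check"),
    // C fetching from an unrelated site D with no grant: never credentialed.
    cToD_sameSiteCheck: shouldAttachCookies(grants, frameC, "https://d.example/", "same-site-check"),
  };
}

console.log(issueScenario());
```

The only difference between the two modes is the single comparison of the request URL's site against the frame's own site; that comparison is what confines each embedded context to its own cookies, which is the restriction proposed in the issue.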