
[Per-frame] Permission grants are usable by cross-site iframes #163

Open
cfredric opened this issue Feb 7, 2023 · 2 comments
Labels: editorial (This is not a normative change); resolve before graduation (These issues need to be resolved before the spec graduates from the CG)

Comments

@cfredric
Contributor

cfredric commented Feb 7, 2023

While working on the per-frame changes in Chromium, I've realized that there's a bit of an edge case that (IMO) does something unexpected.

Suppose a document on site A embeds two iframes (siblings) on sites B and C. Both iframes call document.requestStorageAccess() and both calls resolve. Now, say iframe C makes a subresource request to a URL on site B. Will this request be credentialed?

As currently specified, yes, I think it will (though the spec is a little hand-wavy in this area). By assumption, the C iframe's environment has the has storage access bit set, so the HTTP-network-or-cache fetch algorithm and document.cookie algorithms will use the relevant storage-access permission grant to attach cookies to the request. But the request's top-level site (A) and URL (B) mean that the permission grant which is relevant to the request is the one keyed by <A, B>. This grant cannot possibly have been obtained by the C iframe. So the C iframe is benefiting from the grant that its sibling obtained, not the one that it obtained on its own.

To me, it would seem more consistent to say that a given embedded context can only get access to its own cookies. I.e., that the C iframe can only send credentialed requests to C, regardless of what other permission grants have been created under the same top-level site.

Let me know what you all think. I think making this change would be positive from a security standpoint, but I'm not sure if there are legitimate use cases that would be broken by this restriction.

@annevk
Collaborator

annevk commented Feb 7, 2023

I think the first paragraph of https://privacycg.github.io/storage-access/#cookies captures this intent, but the later paragraphs are indeed lacking.

From a browser architecture perspective it's also somewhat lacking that the website process would be able to hold this kind of authoritative state, but that's probably more reasonable to gloss over.

@johannhof
Member

Yeah it's somewhat implied that fetch or the cookie store would do a same-site check between the request url origin and the embedded site, but I agree that this isn't clear enough. From my perspective I'd welcome a PR to that effect :)
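As an added illustration (not code from the spec or from the participants above), here is a toy model of the grant lookup described in the opening comment, with the same-site check between the request URL and the embedded site as an optional switch. The site computation, the `GrantStore` class and the `frame` shape are assumptions of this example; the Public Suffix List is simplified to "the last two host labels".

```javascript
// Simplified "site" of a URL: scheme + last two host labels.
// Assumption for this example only; a real implementation consults the Public Suffix List.
function siteOf(urlString) {
  const url = new URL(urlString);
  const labels = url.hostname.split(".");
  return `${url.protocol}//${labels.slice(-2).join(".")}`;
}

// Storage-access permission grants keyed by <top-level site, embedded site>,
// as the issue describes (hypothetical store, not the spec's data structure).
class GrantStore {
  constructor() { this.grants = new Set(); }
  key(topLevelSite, embeddedSite) { return `${topLevelSite}|${embeddedSite}`; }
  add(topLevelSite, embeddedSite) { this.grants.add(this.key(topLevelSite, embeddedSite)); }
  has(topLevelSite, embeddedSite) { return this.grants.has(this.key(topLevelSite, embeddedSite)); }
}

// Decide whether a subresource request from an embedded frame gets cookies attached.
// frame = { topLevelSite, embeddedSite, hasStorageAccess }
// requireSameSite = false: lookup keyed only by <top-level site, request site> (the
//                          behaviour the issue says the current text implies)
// requireSameSite = true:  the frame may only reach cookies for its own embedded site
function shouldAttachCookies(frame, requestUrl, store, requireSameSite) {
  if (!frame.hasStorageAccess) return false;               // bit not set: stay unpartitioned-cookie-free
  const requestSite = siteOf(requestUrl);
  if (!store.has(frame.topLevelSite, requestSite)) return false; // no grant for <A, request site>
  if (requireSameSite && requestSite !== frame.embeddedSite) return false; // proposed tightening
  return true;
}

// The scenario from the issue: A embeds sibling iframes B and C, both grants exist,
// and the C iframe fetches a URL on site B. Constructed sample sites.
function siblingScenario(requireSameSite) {
  const A = "https://a.example", B = "https://b.example", C = "https://c.example";
  const store = new GrantStore();
  store.add(A, B); // B's requestStorageAccess() resolved
  store.add(A, C); // C's requestStorageAccess() resolved
  const frameC = { topLevelSite: A, embeddedSite: C, hasStorageAccess: true };
  return {
    cToB: shouldAttachCookies(frameC, "https://api.b.example/data", store, requireSameSite),
    cToC: shouldAttachCookies(frameC, "https://cdn.c.example/asset", store, requireSameSite),
  };
}
```

With `requireSameSite` off, C's request to B is credentialed on the strength of B's grant; with it on, only C's request to its own site is.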

@annevk annevk added the "resolve before graduation" and "editorial" labels Sep 5, 2023