Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard against an attacker posing as a sibling iframe and receiving secure data.
A concrete instantiation of the problem: imagine a page has three YouTube embeds and these security constraints. The user signs into YouTube via UI in one embed. You’d like the other embeds to also become signed in.
This question brought to you by: why do Chrome and Firefox disable access to *session* storage when third-party cookies are disabled? It’s not even persistent! What’s the threat model? Bluh.
Kevin wins! 👏 This approach works in both Chrome and Firefox with third-party cookies blocked.
Safari doesn’t implement BroadcastChannel, but it *does* allow session storage, so I can communicate that way in Safari.
Replying to @andy_matuschak
Would BroadcastChannel work?
This GitHub issue implies that the Powers are thinking about removing access to BroadcastChannel in this context, unfortunately. Hm hm…
Brilliant! Just tested. It works for all security settings in Chrome, and for “strict” settings in Firefox (but not “block *all* cookies”, for whatever reason). Outstanding, Kevin!!!
I think this should do it
Possible security issue since you'll have to somehow verify which iframes are yours. Maybe you have to challenge/response with a hash using a shared secret obtained from the server
I guess there's also the "redesign not to have iframes" hot take, which you may have discarded at first, but maybe there's a way, if contrived, to make it work that is more robust longer term
Right. This is for Orbit, obviously. I can make it work better if the publisher’s willing to let me execute JS, but that’s often not possible: I’d like Orbit to be embeddable in Medium, Notion, WordPress, Confluence, etc, and that means sandboxed iframes.