Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard against an attacker posing as a sibling iframe and receiving secure data.
A concrete instantiation of the problem: imagine a page has three YouTube embeds and these security constraints. The user signs into YouTube via UI in one embed. You’d like the other embeds to also become signed in.
Replying to
This question brought to you by: why do Chrome and Firefox disable access to *session* storage when third-party cookies are disabled? It’s not even persistent! What’s the threat model? Bluh.
Kevin wins! 👏 This approach works in both Chrome and Firefox with third-party cookies blocked.
Safari doesn’t implement BroadcastChannel, but it *does* allow session storage, so I can communicate that way in Safari.
Quote Tweet
Replying to @andy_matuschak
Would BroadcastChannel work?
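The BroadcastChannel approach above, with the sessionStorage route mentioned for Safari as the fallback, as an added example that is not code from the thread or from YouTube; the channel name, the message shape and the token age limit are assumptions:

```javascript
// Added example, not code from the thread: one same-origin iframe announces an
// auth token to its siblings over BroadcastChannel, falling back to the
// sessionStorage "storage" event where BroadcastChannel is missing.
// CHANNEL_NAME, the message shape and MAX_TOKEN_AGE_MS are assumptions.
const CHANNEL_NAME = "auth-token-sync";
const MAX_TOKEN_AGE_MS = 5 * 60 * 1000; // assumed: discard stale announcements

// Message a frame broadcasts after the user signs in inside it.
function buildTokenMessage(token, now = Date.now()) {
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("token must be a non-empty string");
  }
  return { type: "auth-token", token, issuedAt: now };
}

// Validate a received message before trusting it. Both transports are scoped to
// the frame's own origin (and, with storage partitioning, to the top-level site),
// so a cross-origin frame cannot post here; this check guards against malformed,
// stale or unrelated same-origin traffic that reuses the channel name.
function parseTokenMessage(data, now = Date.now()) {
  if (!data || typeof data !== "object" || data.type !== "auth-token") return null;
  if (typeof data.token !== "string" || data.token.length === 0) return null;
  const age = now - data.issuedAt;
  if (!Number.isFinite(age) || age < 0 || age > MAX_TOKEN_AGE_MS) return null;
  return data.token;
}

// Pick a transport; `globals` is injectable so the logic runs outside a browser.
function createAuthSync(onToken, globals = globalThis) {
  if (typeof globals.BroadcastChannel === "function") {
    const bc = new globals.BroadcastChannel(CHANNEL_NAME);
    bc.onmessage = (ev) => { const t = parseTokenMessage(ev.data); if (t) onToken(t); };
    return { publish: (token) => bc.postMessage(buildTokenMessage(token)), close: () => bc.close() };
  }
  // Fallback: a "storage" event fires in every *other* same-origin frame that
  // shares the session storage; write then remove so the token does not linger.
  const onStorage = (ev) => {
    if (ev.key !== CHANNEL_NAME || !ev.newValue) return; // removeItem arrives with newValue null
    let parsed = null;
    try { parsed = JSON.parse(ev.newValue); } catch { return; }
    const t = parseTokenMessage(parsed);
    if (t) onToken(t);
  };
  globals.addEventListener("storage", onStorage);
  return {
    publish: (token) => {
      globals.sessionStorage.setItem(CHANNEL_NAME, JSON.stringify(buildTokenMessage(token)));
      globals.sessionStorage.removeItem(CHANNEL_NAME);
    },
    close: () => globals.removeEventListener("storage", onStorage),
  };
}
```

A frame that loads after the sign-in misses the announcement, so a real deployment would also have new frames post a request message that already signed-in siblings answer.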
This GitHub issue implies that the Powers are thinking about removing access to BroadcastChannel in this context, unfortunately. Hm hm…
Replying to
Does YouTube actually let you sign in in an embed/iframe? I think there are a few security issues with letting users sign in to things inside an iframe.
No, they don’t. There are quite a few things that make it difficult! I’ve been slowly working through them.