Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard against an attacker posing as a sibling iframe and receiving secure data.
A concrete instantiation of the problem: imagine a page has three YouTube embeds and these security constraints. The user signs into YouTube via UI in one embed. You’d like the other embeds to also become signed in.
This question brought to you by: why do Chrome and Firefox disable access to *session* storage when third-party cookies are disabled? It’s not even persistent! What’s the threat model? Bluh.
Kevin wins! 👏 This approach works in both Chrome and Firefox with third-party cookies blocked.
Safari doesn’t implement BroadcastChannel, but it *does* allow session storage, so I can communicate that way in Safari.
Quoted tweet, replying to @andy_matuschak: Would BroadcastChannel work?
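The BroadcastChannel approach from the quoted tweet, with the sessionStorage fallback for Safari, as an added example that is not code from the thread; the helper names, the channel name and the stale-message window are assumptions.

```javascript
const CHANNEL_NAME = 'session-token'; // assumed channel name / sessionStorage key
const MAX_AGE_MS = 5000;              // drop announcements older than this

// Validate before trusting. The browser scopes BroadcastChannel and sessionStorage
// to our origin (sessionStorage also to this tab), so a cross-origin frame cannot
// join; this check only rejects malformed or stale payloads from a buggy sibling.
function parseTokenMessage(msg, now = Date.now()) {
  if (!msg || typeof msg !== 'object') return null;
  if (msg.type !== 'token' || typeof msg.token !== 'string' || !msg.token) return null;
  if (typeof msg.issuedAt !== 'number' || msg.issuedAt > now) return null;
  return now - msg.issuedAt > MAX_AGE_MS ? null : msg.token;
}

// BroadcastChannel where available (Chrome, Firefox); otherwise sessionStorage plus
// 'storage' events, which fire in the *other* same-origin frames of the tab (Safari).
function chooseTransport(env) {
  if (typeof env.BroadcastChannel === 'function') return 'broadcast';
  return env.sessionStorage ? 'storage' : null;
}
function createTokenBus(env) { // pass `window` in a browser
  const transport = chooseTransport(env);
  const envelope = (token) => ({ type: 'token', token, issuedAt: Date.now() });
  if (transport === 'broadcast') {
    const bc = new env.BroadcastChannel(CHANNEL_NAME);
    return {
      transport,
      publish: (token) => bc.postMessage(envelope(token)),
      subscribe: (cb) => { bc.onmessage = (ev) => { const t = parseTokenMessage(ev.data); if (t) cb(t); }; },
      close: () => bc.close(),
    };
  }
  if (transport === 'storage') {
    let handler = null;
    return {
      transport,
      publish: (token) => env.sessionStorage.setItem(CHANNEL_NAME, JSON.stringify(envelope(token))),
      subscribe: (cb) => {
        handler = (ev) => {
          if (ev.key !== CHANNEL_NAME || !ev.newValue) return;
          let msg; try { msg = JSON.parse(ev.newValue); } catch (_) { return; }
          const t = parseTokenMessage(msg); if (t) cb(t);
        };
        env.addEventListener('storage', handler);
      },
      close: () => { if (handler) env.removeEventListener('storage', handler); },
    };
  }
  throw new Error('no same-origin transport available');
}
```

In each embed, call `createTokenBus(window).subscribe(applyToken)` at load and `publish(token)` after the user signs in; only frames on the same origin (and, for the storage path, in the same tab) can see the channel.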
This GitHub issue implies that the Powers are thinking about removing access to BroadcastChannel in this context, unfortunately. Hm hm…
Worrying again :)
Most of the complexity of modern dev is downstream from Bad Guys