Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard against an attacker posing as a sibling iframe and receiving secure data.
A concrete instantiation of the problem: imagine a page has three YouTube embeds and these security constraints. The user signs into YouTube via UI in one embed. You’d like the other embeds to also become signed in.
This question brought to you by: why do Chrome and Firefox disable access to *session* storage when third-party cookies are disabled? It’s not even persistent! What’s the threat model? Bluh.
Cross-site tracking within a single browsing session is the threat model, I'm pretty sure? /cc
Right, but Safari solves that by double-keying / partitioning sessionStorage, right?
Yeah, double-keying is generally better, but it breaks more sites (infinite redirect loops etc.) and needs exception lists. Evangelism is ongoing to hopefully switch everything to double-keying in the medium-term future.

