This is similar to #2 by @bzbarsky, but how this spec can achieve the following goal is a bit unclear.
Be able to embed iframes that have same-origin as other frames in the frame tree but not be able to directly script them.
Accessing the `location.href` getter of a cross-origin WindowProxy is prohibited, but the setter isn't. So I think an iframe with the `disallowdocumentaccess` attribute can just execute `parent.location.href = "javascript:alert(1)"` and directly script the parent frame, because the existing check for navigating to a JavaScript URL is a same-origin check.
A second example I can think of: if the parent frame has a service worker, then the iframe can change CacheStorage content and therefore change either the entire content of the parent frame or certain subresources on the next navigation (assuming that the service worker has an event listener for `fetch` and checks the cache).
The performance benefit makes sense 🙂 But I'm a bit worried that people will start using this feature as a security feature, just like the sandbox attribute.
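The gap described in the comment above, as an added model that is not the commenter's code, the proposal's text or any browser's implementation. It assumes that a frame marked `disallowdocumentaccess` is treated like a cross-origin frame for document access, and the "hardened" check is a hypothetical mitigation, not something the proposal specifies.

```javascript
// Added model, not code from the proposal, the HTML spec or any browser. Frames are
// plain objects: { origin: "https://host", disallowDocumentAccess: bool }.

function sameOrigin(a, b) {
  return a.origin === b.origin;
}

// Assumption about the proposal: a frame marked disallowdocumentaccess gets no direct
// document access to (or from) same-origin frames, i.e. it is treated like cross-origin.
function documentAccessAllowed(accessor, owner) {
  return sameOrigin(accessor, owner) &&
    !accessor.disallowDocumentAccess && !owner.disallowDocumentAccess;
}

// HTML-spec rule for a Location object reached without document access: only the
// "href" setter and "replace" calls are permitted; other operations throw.
function locationAccess(accessor, owner, op) {
  if (documentAccessAllowed(accessor, owner)) return "allowed";
  const crossOriginPermitted = new Set(["set href", "call replace"]);
  return crossOriginPermitted.has(op) ? "allowed" : "SecurityError";
}

// Existing HTML-spec rule: a javascript: URL navigation runs the script in the target
// document when initiator and target are same-origin; the attribute is never consulted.
function javascriptUrlNavigationExisting(initiator, target) {
  return sameOrigin(initiator, target) ? "script runs in target" : "navigation dropped";
}

// Hypothetical hardening (an assumption, not part of the proposal as quoted): gate
// javascript: navigations on document access rather than on origin alone.
function javascriptUrlNavigationHardened(initiator, target) {
  return documentAccessAllowed(initiator, target) ? "script runs in target" : "navigation dropped";
}

// Constructed scenario from the comment: a same-origin child iframe created with
// disallowdocumentaccess sets parent.location.href to a javascript: URL.
function scenario() {
  const parent = { origin: "https://app.example", disallowDocumentAccess: false };
  const child = { origin: "https://app.example", disallowDocumentAccess: true };
  return {
    getHref: locationAccess(child, parent, "get href"),        // "SecurityError"
    setHref: locationAccess(child, parent, "set href"),        // "allowed"
    existing: javascriptUrlNavigationExisting(child, parent),  // "script runs in target"
    hardened: javascriptUrlNavigationHardened(child, parent),  // "navigation dropped"
  };
}
```

The `existing` result is the path the comment points at: the attribute blocks the getter but the same-origin navigation check still lets the javascript: URL run in the parent.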