Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How does this interact with iframes? #8

Open
lukewarlow opened this issue Aug 31, 2023 · 6 comments
Open

How does this interact with iframes? #8

lukewarlow opened this issue Aug 31, 2023 · 6 comments

Comments

@lukewarlow
Copy link
Collaborator

Need to work out the exact specifics with regards to iframes both same-origin and cross-origin.

Same-origin iframes should probably be updated with the parent frame's preference overrides but in an opaque manner.

e.g. if the parent frame sets colorScheme to dark then the iframe should see prefers-color-scheme as dark but shouldn't read navigator.preferences.colorScheme as dark.

Whereas, cross-origin iframes should probably not be updated with the parent frame's preference overrides. This is an unfortunate limitation but is probably necessary to prevent new forms of data exfiltration.
@lukewarlow
Copy link
Collaborator Author

Be interesting to hear thoughts on this. The more circumstances we can pass down this information the better but I understand it may just be an inherent limitation with this ability.

@lukewarlow lukewarlow mentioned this issue Aug 31, 2023
Closed
@tabatkins
Copy link

Instances that cannot communicate with the outside world, like an SVG loaded as an image (which can't run script or invoke external resources) should also be safe to pass the preferences into even when they're cross-origin.

For cross-origin things, we can probably piggyback on another notion of communication. Like, if you can postMessage() you already have an open communication channel, so there's no reason to restrict things. We just don't want to open a new communication channel.

@lukewarlow lukewarlow mentioned this issue Sep 7, 2023
Closed
@ArthurSonzogni ArthurSonzogni mentioned this issue Sep 8, 2023
Open
19 tasks
@lukewarlow
Copy link
Collaborator Author

  • Does an iframe have some kind of persisted state it can use if the document in the parent frame doesn't override? What about the interactions with Storage partitioning?
  • What about the interactions with the planned portals? They are some kind of document in an iframe, but it could become top-level document too.
  • What about the interactions with the planned FencedFrame. I know they have some "mode" where they guarantee there are no mean of communications in between the two documents across the boundary.
  • There are also iframe credentialless to think about. I don't really have concerns about them.

This was referenced Sep 8, 2023
Open
Open
@ArthurSonzogni
Copy link

IMO: Portals and FencedFrame should be considered independant top-level context
shouldn't inherit anything. This is especially important for FencedFrame.

For cross-origin things, we can probably piggyback on another notion of communication. Like, if you can postMessage() you already have an open communication channel, so there's no reason to restrict things. We just don't want to open a new communication channel.

On one side, postMessage is an opt-in. Both side must use the feature, and they can specify/verify the origin they are talking to.
On the other side, with WebPreference the communication happens passively.

They are quite different. Inheriting WebPreference cross-origin would be considered as a new kind of cross-site leak.

@lukewarlow
Copy link
Collaborator Author

Idk that I agree cross origin iframes would be a leak. It's the user's data not the sites, and from that perspective the site can already send it cross origin. So why would this API be any different?

I agree that fencedframes should be completely separate. I think the portals discussion is rather academic given their development seems to have stalled, having said that I'm not overly familiar with them so unsure whether it should behave like a cross origin iframe or a fenced frame.

@jasonwilliams jasonwilliams mentioned this issue Nov 30, 2023
Open
@josephrocca
Copy link

josephrocca commented Nov 11, 2024
edited
Loading

I have two use cases, in case it helps with thinking about this issue:

  1. I have a JSBin/CodePen/Scratch-like platform, where the dev's code runs within a sandboxed cross-origin iframe. I'm trying to encourage devs to make their applications support dark mode. I'd like to have a dark mode toggle within the top-level document so the dev can very easily test their application's dark and light mode as they modify their CSS (i.e. instant switch/toggle which controls the cross-origin child, rather than e.g. full reload required, or having to change their OS-level settings).
  2. However, for the dev to be able to add an easy dark mode toggle for users of their site/application, they'd have their own toggle in their application. But a key point here is that the application runs inside a sandboxed cross-origin iframe even when users are viewing it. This is needed for security of top-level user accounts. So, independent of the parent iframe, the sandboxed, cross-origin, child iframe should be able to use the Web Preferences API (i.e. it ideally should not have to "ask" the parent to change it, though it wouldn't be a dealbreaker for me if it did need to ask the parent, since I could implement a "hack" on top of the API in the child frame, which uses postMessage to the parent behind the scenes).

I'm not sure if these examples do touch upon any important questions here, but I figured I'd add them just in case. Thanks for your work on this proposal!

Edit: Ah, related issue for point 2 above:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tabatkins @josephrocca @ArthurSonzogni @lukewarlow