Consider affordance for embedded frames in extension pages based on externally_connectable

[vardhman-singh-glean]

Currently there is an affordance in place for extensions so that they can embed frames with web origins in extension pages, which will then be treated as first-party. (Reference)

The current affordance however requires an extension to have host_permissions over the web origin.

If the web origin belongs to the extension author, in most cases it wouldn't need or request host permissions since it can directly communicate with the page using sendMessage having declared it as externally_connectable in its manifest.

Having minimal permissions in this case harms the experience since the scenario doesn't fit into the current affordance.

Q: Can we consider extending the affordance to consider frames first party on extension pages if the extension has the embedded webpage origin declared as externally_connectable in its manifest?

[miketaylr]

Currently there is an affordance in place for extensions so that they can embed frames with web origins in extension pages, which will then be treated as first-party. (Reference)

This is true for Chrome's implementation but I'm not sure how other browsers treat extensions. At the very least, it would be good to file this as a feature request at crbug.com/new.

[vardhman-singh-glean]

Have added it in https://issues.chromium.org/issues/338332437 @miketaylr
Though please lmk if I should add more information / examples to the same?

[johannhof]

CC @DCtheTall