On Thu, Aug 22, 2019 at 4:26 AM Martin Thomson <m...@mozilla.com> wrote: > What is the tuple we're keying on?
Top-level origin only. This still allows C to attack B in your scenario (or vice versa). There's a variety of other side channel attacks on "<iframe> sites" too, including various members of the Window object, history.length, and clickjacking. It would also allow B or C to attack A, though there's a number of other things possible there too. I definitely think it's worth figuring out how we can enable "<iframe> sites" to better protect themselves as well as figuring out how to improve sandboxing of "<iframe> sites", but it would require a broader effort than caches I think. I think isolating by top-level origin is a huge improvement over the status quo and stops a fair number of practical attacks against major sites (modulo popup attacks, see Cross-Origin-Opener-Policy for that). (Many of which you can't frame to be clear, due to X-Frame-Options.) _______________________________________________ dev-platform mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-platform