Comments (4)
Yes this is intended.
Why does the fenced frame require all the permissions set for the topmost frame?
It does not require "all the permissions". Please see https://github.com/WICG/fenced-frame/blob/master/explainer/README.md#security-considerations which points to a document that describes in detail which sandbox flags must be allowed for an embedding environment to be considered suitable for a fenced frame. At the moment the set is static across fenced frames but will soon be actually defined by each config-generating API (i.e., Protected Audience and Shared Storage at the moment), which define which sandbox flags must be enabled for a given FencedFrameConfig object to load in an environment. These considerations are made based on what the content represented by each FencedFrameConfig expects to be able to do in its environment.
Thanks for the detailed answer! It's just that currently we can't use sandbox for the topmost window, because AdSense code (https://securepubads.g.doubleclick.net/static/topics/topics_frame.html) can't create a fenced frame.
You can use CSP sandbox flags, just limited to a certain set of flags. If we allowed any flags, including ones that prevented ads from doing what they expect or need to do, this could be used as a trivial communication channel between the top page and the ad, which harms user privacy and is precisely the thing we're trying to prevent with this proposal. If possible, using a more lenient set of flags would be the best way forward.
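To make the point in the reply above concrete, here is an added example (not code from the fenced-frame project or from either participant) that parses a page's Content-Security-Policy header and reports which sandbox flags a fenced frame embedder would still need. The set in `REQUIRED_UNSANDBOXED` is an assumption for illustration, not the authoritative list; the explainer's security-considerations document and, in future, each config-generating API define the real set. The two sample policies at the bottom are constructed inputs.

```javascript
// Added example, not part of the fenced-frame repository.
// ASSUMPTION: the required set below is illustrative; consult the spec for the
// authoritative list of sandbox flags a fenced frame embedder must leave enabled.
const REQUIRED_UNSANDBOXED = [
  'allow-same-origin',
  'allow-forms',
  'allow-scripts',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-top-navigation-by-user-activation',
];

// Parse a serialized CSP into a Map of directive name -> token list.
// Per CSP, directives are ';'-separated and the first occurrence of a name wins.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether a page carrying this CSP can host a fenced frame.
// Returns { sandboxed, missing }:
//   sandboxed === false  -> no `sandbox` directive at all; nothing is restricted.
//   sandboxed === true   -> `missing` lists required flags the policy does not allow;
//                           an empty `missing` means the policy is lenient enough.
// A bare `sandbox` (no tokens) applies every restriction, so all required flags are missing.
function checkFencedFrameSandbox(header, required = REQUIRED_UNSANDBOXED) {
  const directives = parseCsp(header);
  if (!directives.has('sandbox')) return { sandboxed: false, missing: [] };
  const allowed = new Set(directives.get('sandbox').map((t) => t.toLowerCase()));
  const missing = required.filter((flag) => !allowed.has(flag));
  return { sandboxed: true, missing };
}

// Constructed sample policies: one too strict for a fenced frame, one lenient enough.
const STRICT_CSP = "default-src 'self'; sandbox allow-scripts";
const LENIENT_CSP =
  "default-src 'self'; sandbox allow-same-origin allow-forms allow-scripts " +
  'allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('strict :', checkFencedFrameSandbox(STRICT_CSP));
  console.log('lenient:', checkFencedFrameSandbox(LENIENT_CSP));
}
```

Run it with `node` to see the strict policy reported with five missing flags and the lenient one with none. The check is deliberately all-or-nothing per flag: a policy that is "almost" lenient still blocks the fenced frame, which is what prevents the embedder from encoding information in the subset of flags it chooses to leave out.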
I'm going to close this since I don't think there is any action we can take here that won't compromise user privacy. Please feel free to comment further or re-open the issue if you'd like to continue the dialogue, as we're happy to help further if we can.