Expanding on the risks of embedded frames. Closes w3c#3.

mikewest · mikewest · commit 65262d0a1281 · 2021-02-18T09:54:59.000+01:00
h/t @camillelamy
diff --git a/index.bs b/index.bs
@@ -134,6 +134,11 @@ urlPrefix: https://tc39.es/ecma262/; spec: ECMA262; type: interface
       "href": "https://github.com/annevk/orb",
       "title": "Opaque Response Blocking (ORB, aka CORB++)",
       "authors": [ "Anne van Kesteren" ]
+    },
+    "oopif": {
+      "href": "https://www.chromium.org/developers/design-documents/oop-iframes",
+      "title": "Out-of-Process iframes (OOPIFs)",
+      "authors": [ "Chromium" ]
     }
 }
 </pre>
@@ -190,12 +195,13 @@ The following seems like a good place to start:
 4.  User agents cannot yet consistently seperate framed origins into processes distinct from their
     embedders' origin.
     
-    Note: Though some user agents support out-of-process frames, no agent supports it consistently
-    across a broad range of devices and platforms. Ideally this will change over time, as the
-    frame boundary *ought* to be one we can eventually consider robust.
+    Note: Though some user agents support out-of-process frames [[OOPIF]], no agent supports it
+    consistently across a broad range of devices and platforms. Ideally this will change over time,
+    as the frame boundary *must* be one we can eventually consider robust.
 
 With this in mind, our general assumption will be that an origin gains access to any resource which
-it renders (including images, stylesheets, scripts, frames, etc).
+it renders (including images, stylesheets, scripts, frames, etc). Likewise, embedded frames gain
+access to their ancestors' content.
 
 ISSUE: [[COI-THREAT-MODEL]] spells out more implications. Bring them in here for more nuance.
 
diff --git a/index.html b/index.html
@@ -1486,7 +1486,7 @@
 </style>
   <meta content="Bikeshed version c5172e83, updated Fri Nov 20 15:35:20 2020 -0800" name="generator">
   <link href="https://mikewest.github.io/post-spectre-webdev/" rel="canonical">
-  <meta content="ed11a2d628efeb89c6b15fe0bc31751f3af90475" name="document-revision">
+  <meta content="b5540d7b5844f99a1e1011bcfe25f082a9df641c" name="document-revision">
 <style>/* style-autolinks */
 
 .css.css, .property.property, .descriptor.descriptor {
@@ -2043,7 +2043,7 @@
   <div class="head">
    <p data-fill-with="logo"></p>
    <h1 class="p-name no-ref" id="title">Post-Spectre Web Development</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">A Collection of Interesting Ideas, <time class="dt-updated" datetime="2021-02-17">17 February 2021</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">A Collection of Interesting Ideas, <time class="dt-updated" datetime="2021-02-18">18 February 2021</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
@@ -2058,7 +2058,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="cont
    <div data-fill-with="warning"></div>
    <p class="copyright" data-fill-with="copyright"><a href="http://creativecommons.org/publicdomain/zero/1.0/" rel="license"><img alt="CC0" src="https://licensebuttons.net/p/zero/1.0/80x15.png"></a> To the extent possible under law, the editors have waived all copyright
 and related or neighboring rights to this work.
-In addition, as of 17 February 2021,
+In addition, as of 18 February 2021,
 the editors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0" rel="license">Open Web Foundation Agreement Version 1.0</a>,
 which is available at http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0.
 Parts of this work may be from another specification document.  If so, those parts are instead covered by the license of that specification document. </p>
@@ -2156,12 +2156,13 @@ <h3 class="heading settled" data-level="1.1" id="threat-model"><span class="secn
     <li data-md>
      <p>User agents cannot yet consistently seperate framed origins into processes distinct from their
 embedders' origin.</p>
-     <p class="note" role="note"><span>Note:</span> Though some user agents support out-of-process frames, no agent supports it consistently
-across a broad range of devices and platforms. Ideally this will change over time, as the
-frame boundary <em>ought</em> to be one we can eventually consider robust.</p>
+     <p class="note" role="note"><span>Note:</span> Though some user agents support out-of-process frames <a data-link-type="biblio" href="#biblio-oopif">[OOPIF]</a>, no agent supports it
+consistently across a broad range of devices and platforms. Ideally this will change over time,
+as the frame boundary <em>must</em> be one we can eventually consider robust.</p>
    </ol>
    <p>With this in mind, our general assumption will be that an origin gains access to any resource which
-it renders (including images, stylesheets, scripts, frames, etc).</p>
+it renders (including images, stylesheets, scripts, frames, etc). Likewise, embedded frames gain
+access to their ancestors' content.</p>
    <p class="issue" id="issue-340f57a5"><a class="self-link" href="#issue-340f57a5"></a> <a data-link-type="biblio" href="#biblio-coi-threat-model">[COI-THREAT-MODEL]</a> spells out more implications. Bring them in here for more nuance.</p>
    <h3 class="heading settled" data-level="1.2" id="tldr"><span class="secno">1.2. </span><span class="content">TL;DR</span><a class="self-link" href="#tldr"></a></h3>
    <ol>
@@ -2618,6 +2619,8 @@ <h3 class="no-num no-ref heading settled" id="informative"><span class="content"
    <dd>Charlie Reis; Camille Lamy. <a href="https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit">Cross-Origin-Opener-Policy Explainer</a>. 2020-05-24. URL: <a href="https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit">https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit</a>
    <dt id="biblio-long-term-mitigations">[LONG-TERM-MITIGATIONS]
    <dd>Charlie Reis. <a href="https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit">Long-Term Web Browser Mitigations for Spectre</a>. 2019-03-04. URL: <a href="https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit">https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit</a>
+   <dt id="biblio-oopif">[OOPIF]
+   <dd>Chromium. <a href="https://www.chromium.org/developers/design-documents/oop-iframes">Out-of-Process iframes (OOPIFs)</a>. URL: <a href="https://www.chromium.org/developers/design-documents/oop-iframes">https://www.chromium.org/developers/design-documents/oop-iframes</a>
    <dt id="biblio-orb">[ORB]
    <dd>Anne van Kesteren. <a href="https://github.com/annevk/orb">Opaque Response Blocking (ORB, aka CORB++)</a>. URL: <a href="https://github.com/annevk/orb">https://github.com/annevk/orb</a>
    <dt id="biblio-post-spectre-rethink">[POST-SPECTRE-RETHINK]
