Should a parent document have a way to specify directives on specific iframes?
There's some overlap with the ideas here and sandboxed iframes. Should there perhaps be an attribute on iframe to allow a parent document to subject a particular child frame to greater limits than it wants for itself? E.g. maybe it's reasonable to CPU-throttle an ad frame?
That makes total sense, and having more control over what third parties are doing is definitely one of the goals here. I wonder if the granularity of an iframe would be enough though.
Today there are many third parties that are being run in the context of the main page, and a lot of, e.g., tracking beacons need to run in the main page's context.
While I'm not excited about that from a security perspective, that's currently a fact of life. So, I guess the question is: do we try to change it? Or do we add controls that would enable throttling of, e.g., resources coming from certain hosts?
If it's the latter, maybe we can keep the controls as header-based directives (that also apply to iframes) rather than markup attributes.
Yeah, this is tough. There are a lot of things that would be nice but impractical to implement at sub-iframe granularity (even getting performance isolation of frames is a huge task, but clearly essential).
I dunno, start with something simple that's still valuable and iterate? We continue to add new iframe sandbox attributes, so maybe that's orthogonal.
AMP allows arbitrary code in iframes; maybe @cramforce has a wishlist of things he wishes the main document could restrict from iframes? We know performance isolation is key, but that's probably largely a separate effort (but if it's opt-in I could imagine a CPP declaration that enforces that all cross-origin frames have opted in).
Yep! This might actually be most useful for child frames. I can self restrict myself in any way I want, but it is 3p iframes where today's sites are completely helpless.