[mediaqueries-5] Security questions for preference overrides

[lukewarlow]

See WICG/web-preferences-api#18

cc @ArthurSonzogni

Nice feature! I can't wait to see it implemented. This would have been handy for me in the past. Thanks for working on this!

I came here to prepare some preliminary web platform security/privacy reviews after Chrome's intent-to-prototype was posted. There are some ambiguities / open questions. Here is a list of questions I had in mind:

• Could you fill out the Security/Privacy questionnaire? This might help.

• What entity "stores" the data? Is it per-document, per-tab, per-origin, per-domain, etc... I guess this is going to be per-origin because we want some kind of persistency over navigations.

• What about iframes? I have read issues 8, but it is still unclear to me:
  • Does an iframe have some kind of persisted state it can use if the document in the parent frame doesn't override? What about the interactions with Storage partitioning?
  • What about the interactions with the planned portals? They are some kind of document in an iframe, but it could become top-level document too.
  • What about the interactions with the planned FencedFrame. I know they have some "mode" where they guarantee there are no mean of communications in between the two documents across the boundary.
  • Can a document in an iframe provides an override? Does it propagate above/below in the frame tree?
  • There are also iframe credentialless to think about. I don't really have concerns about them.

• What about popups?
  • How does it fit with last week intent about partitionning popups?
  • In particular what about Cross-Origin-Opener-Policy: same-origin. I know it guarantees documents from the two side aren't going to influence each other.
  • In particular, what about the planned Cross-Origin-Opener-Policy: restrict-properties? @camillelamy might have an opinion.

• How does an override propagate?
  • Can a document "listen" for change? Would it be useful?
  • With a multi process architecture, the update is going to take some time. Do we have to ensure the events are properly ordered with some others? Maybe properly ordered with PostMessage? Maybe it doesn't matter and we can keep it it user-agent specific. I don't know.

• What happens when the user-agent's global preferences are updated?
  • Does the current document "see" the update if it doesn't provide an override?
  • Does the user's agent's update overrides the origin's overrides?
  • What about the user asking the user-agent to "clear" all the website data?

---

I did not think about it for long. I hope this will end up with something easy to understand:

1. Data is stored per origin and used only by top-level documents in secure context. We consider a top-level document to be the topmost document in normal tree, FencedFrame tree, Portal Tree, etc...
2. Iframe fully inherit from the parent. They don't provide an override.
3. No popup-inheritance. You can only inherit via the "origin".

---

I don't intend every questions to be replied inline. Feel free for the ones you want, or you can edit my post and cross the checkbox when the explainer contains an answer.

[lukewarlow]

Much of this should probably be split into its own issues, but I think it's important we don't lose these questions.