#735: Review request for Fenced Frames

Visit on Github.

Opened Apr 29, 2022

Braw mornin' TAG!

I'm requesting a TAG review of Fenced Frames.

In a web that has its cookies and storage partitioned by top-frame site, there are occasions (such as Interest group based advertising or Conversion Lift Measurements) when it would be useful to display content from different partitions in the same page. This can only be allowed if the documents that contain data from different partitions are isolated from each other such that they're visually composed on the page, but unable to communicate with each other. Iframes cannot be used for this purpose since they have several communication channels with their embedding frame (e.g., postMessage, URLs, size attribute, etc.). We propose fenced frames, a new element to embed documents on a page, that explicitly aims to prevent communication between the embedder and the frame.

Further details:

  • [✓ ] I have reviewed the TAG's Web Platform Design Principles
  • The group where the incubation/design work on this is being done: WICG
  • The group where standardization of this work is intended to be done: WHATWG
  • Existing major pieces of multi-stakeholder review or discussion of this design:
  • Major unresolved issues with or opposition to this design:
    • There are some ongoing technical constraints which are being brainstormed as described in Privacy Considerations but no known opposition.
  • This work is being funded by: Google

We'd prefer the TAG provide feedback as:

🐛 open issues in our GitHub repo for each point of feedback

Security/Privacy Questionnaire

This section contains answers to the W3C TAG Security and Privacy Questionnaire. This section is also documented here.

  1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?

    Fenced frames can be viewed as a more private and restricted iframe. As such, the element does not inherently expose any new information to web sites or third parties. However, fenced frames are intended to contain data that belongs to a partition other than the top-frame’s storage partition e.g. the rendering url in TURTLEDOVE reflects the interest group of the user which may be derived from user activity in another partition. Therefore it is necessary for the fenced frame to attempt to block communications between the fenced frame and its embedder. Fenced frames remove explicit web-platform communication channels between the two (such as postMessage) and many side channels e.g. size, programmatic focus, policy delegation etc. but some side channels still exist and we will continue to work to mitigate them.

  2. Do features in your specification expose the minimum amount of information necessary to enable their intended uses?

    Yes, see above answer for ways information exposure is minimized.

  3. How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?

    Fenced frames do not inherently provide personal information, PII or information derived from them.

  4. How do the features in your specification deal with sensitive information?

    Same answer as # 3.

  5. Do the features in your specification introduce a new state for an origin that persists across browsing sessions?

    No.

  6. Do the features in your specification expose information about the underlying platform to origins?

    No

  7. Does this specification allow an origin to send data to the underlying platform?

    No

  8. Do features in this specification allow an origin access to sensors on a user’s device

    No

  9. What data do the features in this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.

    Same answer as # 1.

  10. Do features in this specification enable new script execution/loading mechanisms?

    No

  11. Do features in this specification allow an origin to access other devices?

    No

  12. Do features in this specification allow an origin some measure of control over a user agent’s native UI?

    No

  13. What temporary identifiers do the features in this specification create or expose to the web?

    None.

  14. How does this specification distinguish between behavior in first-party and third-party contexts?

    Fenced frames are always present as embedded frames. In terms of communication restrictions from the embedding page, they behave almost like a separate tab but fenced frames do not get access to first-party storage/cookies. A fenced frame document gets access to a nonce-based ephemeral cookie and storage partition.

  15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?

    No difference with a regular mode browser

  16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections?

    Yes.

  17. Do features in your specification enable origins to downgrade default security protections?

    No

  18. What should this questionnaire have asked?

    N/A

Discussions

2022-06-06

Minutes

punted

2022-06-13

Minutes

Amy: (1) what's the catch and (2) why would anyone use it? It's tight for privacy... so why would anyone choose to use it?

Amy: it says "this can only be allowed if the documents are isolated" but allowed by whom? Is the assumption that.

Dan: leave a comment asking this so we can probe this issue?

Amy: is it assuming 3rd party cookies going away?

Yves: don't think so...

Dan: I'll note that chrome status shows no signals from other engines... It's in WICG now but they are thinking about moving it to WHATWG. So my question would be: do they have consensus in WHATWG-land?

From our initial review we think this looks great from a privacy perspective.

Regarding the use cases that Fenced Frames are meeting - how are they currently achieved? What will motivate developers to move to Fenced Frames instead?

We see you expect to move this work to WHATWG - are there positive signals from other implementers in the WHATWG community?  Because right now that is not reflected in Chromestatus.
2022-08-22

Minutes

close satisfied with concerns

Thanks again for requesting a review. We're happy with the goals of this work, and think it will be a positive addition to the web platform in the absence of third-party cookies.

We have general concerns about negative impacts if/when it is implemented before third-party cookies are completely phased out. We also remain concerned about how the threat model is changed (eg. introducing new side-channels) when it is used in combination with other work that is emerging to meet use cases which previously needed third-party cookies, in particular the other work coming out of the Privacy Sandbox initiative. We look forward to your ongoing work on ensuring Fenced Frames is sufficiently secure and privacy preserving in the context of the wider ecosystem, and will appreciate another review request when the work has progressed further and with input from other stakeholders.

Peter: LGTM

Dan: LGTM

Tess: Looks fine

Hadley: if we look at this again in 6 months will we remember what "other work" means?

Amy: it's in reference to the vague potential issues about privacy sandbox introducing side channnels...

Hadley: more concrete? can we say "used in other combination with other privacy sandbox work"?

Amy: when we draft this finding about deprecation of 3rd party cookies that could address some of those concerns.

some additional wordsmithing

Peter: ship it! 🐿

2022-08-22

Minutes

Amy: reading through conversation that's happebed..

Dan: there was discussion of the frame-like things.. Dominic answered the question in June about work going on on this.. their issue 6315.. doesn't necessarily..

Rossen: one question Peter asked was answered.. you would know whether you're being fenced ... Having ads that are running inside of a fence vs non-fenced frame I can see them behave differently. Would that matter?

Dan: comes back to the question of what will motivate developers to move to fenced frames instead. I think the answer is they will be compelled to

Amy: there will be functionality they will need that will go away with deprecation of 3rd party cookies... but share concern about what an ad will do if it knows it's in a fenced frame. but if we assume 3rd party cookies are gone then there's nothing they can do that would be harmful because theu wouldn't have acces... but in the period of transition time it could be an issue with ads taking the opportunity to collect extra data from cookies when they know they are embedded by a publisher using a fenced frame... but that might be out of scope...

Peter: is it similar to the COEP thing where ads can tell if they're not in a fenced frame...

Amy: that would depend on presence of 3rd party cookies...

Amy: .. use cases other than ads ..

Rossen: shopify and other shopping scenarios .. could be a decent use case.

Amy: also some feedback from Lukasz - wasn't well responded to - he suggested removing access to a clock - they said they considered it but won't do that... but I also think they're discussing in the group. Something to keep an eye on.

Dan: multi-stakeholder issue in that there is none.

Peter: main concern in the past was additional side channels between document and fenced frame.

Amy: close with concerns - slightly suspicious concerns - would like to understand better in future, in the context of when 3rd party cookies go away or other things in privacy sandbox. But satisfied with direction of travel.

Peter: makes sense to me. Corresponds with previous discussion. It's a good thing but worried about other privacy sandbox things that open up side channels. This by itself is OK. Maybe closing satisfied with concerns makes sense here and keep track of other things?

Rossen: nods sagely while petting dog

Amy: [will write comment]