Attacks on credentialed cross-site resources that aren't fully mitigated through CORS

[johannhof]

This proposal uses CORS as a primary measure to protect embedded subresources from being attacked through credentialed requests (primarily cross-site leaks) in browsers that have cross-site cookies blocked. Because blocking cross-site cookies isn't the default in all browsers, developers currently have to mitigate these attacks through other means, but it's reasonable to expect a shift in the platform to improve security as much as possible and also to come with a mindset shift for developers that will get less diligent about edge cases like rSAFor grants. This is also the motivation for the existing CORS requirement.

As such, it seems reasonable to consider attacks that aren't (fully) mitigated through requiring CORS, such as CSRF or response-time leaks on CORS-enabled requests (@arturjanc mentioned this to me and I hope I'm remembering it right). Similar to #29, it would be good to enable a mechanism that allows for better opt-in by the third party for enabling rSAFor on the first party.

cc @arturjanc @annevk

[aselya]

Prior to the introduction of Storage Access Headers (SAH), CORS was the best possible protection for sites using rSAFor. However, (as mentioned in the previous comment) CORS does not fully mitigate attacks in this situation.

CORS allows the top-level site to read the bytes of the responses and response headers when fetching the embedded resource. This exposes the embedded site to attack vectors that are larger in scope than the attaching of unpartitioned cookies, the functionality that rSAFor API is attempting to achieve. This is undesirable for security reasons.

CORS also enables the top-level site to attack the embedded site, by sending (CORS-enabled) credentialed requests to arbitrary endpoints on the embedded site, without requiring any opt-in from the embedded site prior to the requests being made. This is undesirable because it makes it possible for a CSRF attack to be initiated on the embed from the top-level site.

rSAFor should transition from using CORS to SAH because it is specifically designed for a storage access context and directly addresses these two significant issues that the use of CORS causes.