Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?

The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard again an attacker posing as a sibling iframe and receiving secure data.

A concrete instantiation of the problem: imagine a page has three YouTube embeds and these security constraints. The user signs into YouTube via UI in one embed. You’d like the other embeds to also become signed in.

This question brought to you by: why do Chrome and Firefox disable access to *session* storage when third-party cookies are disabled? It’s not even persistent! What’s the threat model? Bluh.

Kevin wins! 👏 This approach works in both Chrome and Firefox with third-party cookies blocked.

Safari doesn’t implement BroadcastChannel, but it *does* allow session storage, so I can communicate that way in Safari.

This Github issue implies that the Powers are thinking about removing access to BroadcastChannel in this context, unfortunately. Hm hm… github.com/whatwg/html/is…