This repository was archived by the owner on Mar 5, 2026. It is now read-only.
Allowing a top-level site to query its embeds for the existence of top-level-storage-access violates the same-origin policy, as doing so exposes information about the state of the embed to the top-level site.
The ability to query the permission, while useful for the top-level site, can be exploited by a malicious top-level site to coerce users into granting storage access to embedded sites, as the top-level site would be able to use the results of querying the permission to see if top-level-storage-access has been granted. A malicious site could then manipulate the user by using UX elements or other means to prevent the user from interacting with the embedded site until storage access has been granted.