Top-level sites and Clear-Site-Data
DCtheTall opened this issue · comments
At the time of writing this, the explainer currently states that browsers give top-level sites the ability to clear third parties' cookies by sending a Clear-Site-Data header.
In other words, say example[1-10].com set cookies under toplevel.com's partition. Then toplevel.com could send a Clear-Site-Data header in a response which would clear all of example[1-10].com's cookies in the toplevel.com partition.
I am opening this issue because I am less convinced that this functionality is either necessary or a good idea.
@annevk mentioned in the storage partitioning repo that this could allow malicious first parties to interfere with code running on third-party frames.
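To make the concern concrete, here is an added toy model of a partitioned cookie jar (not code from the explainer or any browser); it shows how a single response from the top-level site carrying Clear-Site-Data: "cookies" would wipe the cookies that embedded third parties stored in that site's partition while leaving the same third parties' cookies under other top-level sites intact. The site names and cookie values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PartitionKey:
    top_level_site: str  # site of the top-level document (the partition)
    cookie_site: str     # site that set the cookie (possibly an embedded third party)


@dataclass
class PartitionedCookieJar:
    # PartitionKey -> {cookie name: cookie value}
    store: dict = field(default_factory=dict)

    def set_cookie(self, top_level_site, cookie_site, name, value):
        key = PartitionKey(top_level_site, cookie_site)
        self.store.setdefault(key, {})[name] = value

    def cookies_for(self, top_level_site, cookie_site):
        return dict(self.store.get(PartitionKey(top_level_site, cookie_site), {}))

    def clear_site_data(self, responding_site, header_value):
        """Model of the behaviour the explainer describes: a response from
        responding_site with Clear-Site-Data: "cookies" (or "*") removes every
        cookie in the partition keyed by responding_site as top-level site,
        including cookies set by other sites. Returns the number of cookies cleared."""
        directives = {d.strip().strip('"') for d in header_value.split(",")}
        if not ({"cookies", "*"} & directives):
            return 0
        affected = [k for k in self.store if k.top_level_site == responding_site]
        return sum(len(self.store.pop(k)) for k in affected)


def demo():
    """Constructed scenario: example1..10.com each set a cookie under toplevel.com's
    partition; example1.com also has a cookie under other.com's partition."""
    jar = PartitionedCookieJar()
    for i in range(1, 11):
        jar.set_cookie("toplevel.com", f"example{i}.com", "sid", f"session-{i}")
    jar.set_cookie("other.com", "example1.com", "sid", "unaffected")
    cleared = jar.clear_site_data("toplevel.com", '"cookies"')
    return (
        cleared,
        jar.cookies_for("toplevel.com", "example1.com"),  # wiped by toplevel.com
        jar.cookies_for("other.com", "example1.com"),     # untouched
    )
```

Running demo() shows ten third-party cookies cleared by a response the third parties never saw, which is the interference @annevk points at.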