The disallowDocumentAccess API prevents cross-context DOM access even for same-origin iframes.
There are two reasons why we currently disallow same-origin iframes:
We cannot guarantee that they would be portable. I.e. we can't be certain that these iframes will run correctly both on origin and from Cache.
We cannot assure AMP performance and layout guarantees. Even if the AMP page is fully valid statically, a same-origin iframe can manipulate its content on Cache and break the guarantees.
The amp-iframe will automatically set disallowDocumentAccess and allow sandbox="allow-same-origin" iframes.
The main issue with this proposal is that disallowDocumentAccess API is currently only available in Chromium-based browsers. This means that AMP pages could possibly violate AMP guarantees on non-supporting browsers. This proposal relies on several nuances:
We don't have issues on Cache since allow-same-origin only affects pages at origin.
Chrome is a popular browser. A developer would be discouraged from deploying features that do not work on Chrome and/or do not work on Cache.
Chrome DevTools is a popular tool. Many developers develop and debug with Chrome DevTools and thus any violation of the disallowDocumentAccess would be noticed sooner.
Unfortunately the spec change has not been approved in Chrome. There will be other attempts to solve same-origin iframe isolation, but they will be done in a different way with a different API.
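The reasoning above (allow-same-origin only matters when the frame really shares the embedder's origin, which is not the case on Cache, and disallowDocumentAccess only helps where the browser implements it) can be written down as a small policy check. The following is an added example, not code from the issue or from the AMP project; the helper names (supportsDisallowDocumentAccess, assessSameOriginFrame, applyFramePolicy) and the page and cache URLs are hypothetical and constructed for the demo, and the only names taken from the issue are the disallowDocumentAccess attribute and sandbox="allow-same-origin".

```javascript
// Added example (not AMP's or Chromium's code). Helper names and the demo
// URLs are hypothetical; only disallowDocumentAccess and
// sandbox="allow-same-origin" come from the proposal.

// Feature-detect the proposed disallowDocumentAccess attribute on the iframe
// element prototype. Returns false when no DOM is available (e.g. under Node),
// so callers fall through to the "unsupported browser" path.
function supportsDisallowDocumentAccess(win) {
  const w = win !== undefined ? win : (typeof window !== 'undefined' ? window : null);
  if (!w || !w.HTMLIFrameElement) return false;
  return 'disallowDocumentAccess' in w.HTMLIFrameElement.prototype;
}

// Split a sandbox attribute value into its lower-cased tokens.
function parseSandbox(value) {
  return new Set(String(value || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the frame URL, resolved against the embedding page, shares the
// embedding page's origin.
function isSameOrigin(pageUrl, frameSrc) {
  const page = new URL(pageUrl);
  const frame = new URL(frameSrc, page);
  return page.origin === frame.origin;
}

// Assess whether a sandboxed frame could reach the embedder's DOM.
//   pageUrl:            URL the AMP document is served from (origin or Cache)
//   frameSrc:           the iframe's src attribute
//   sandbox:            the iframe's sandbox attribute value
//   isolationSupported: whether disallowDocumentAccess is honoured
function assessSameOriginFrame({pageUrl, frameSrc, sandbox, isolationSupported}) {
  const tokens = parseSandbox(sandbox);
  if (!tokens.has('allow-same-origin')) {
    return {embedderDomReachable: false, reason: 'sandbox gives the frame an opaque origin'};
  }
  if (!isSameOrigin(pageUrl, frameSrc)) {
    return {embedderDomReachable: false,
            reason: 'frame is cross-origin to the embedder (e.g. page served from Cache)'};
  }
  if (isolationSupported) {
    return {embedderDomReachable: false, reason: 'disallowDocumentAccess blocks cross-document access'};
  }
  return {embedderDomReachable: true,
          reason: 'same-origin frame on origin, browser lacks disallowDocumentAccess'};
}

// Apply the policy to an iframe element: set the attribute where supported
// and return the assessment so it can be logged or unit-tested. Works on a
// plain object with src/sandbox fields as well as on a real element.
function applyFramePolicy(iframe, pageUrl) {
  const isolationSupported = supportsDisallowDocumentAccess();
  const assessment = assessSameOriginFrame({
    pageUrl,
    frameSrc: iframe.src,
    sandbox: iframe.sandbox,
    isolationSupported,
  });
  if (isolationSupported && typeof iframe.setAttribute === 'function') {
    iframe.setAttribute('disallowdocumentaccess', '');
  }
  return assessment;
}

// Constructed demo inputs: the same frame, once on the publisher origin and
// once embedded in a page served from a (hypothetical) cache host.
const onOrigin = assessSameOriginFrame({
  pageUrl: 'https://example.com/article',
  frameSrc: '/widget.html',
  sandbox: 'allow-scripts allow-same-origin',
  isolationSupported: false,
});
const onCache = assessSameOriginFrame({
  pageUrl: 'https://cache.example.net/c/s/example.com/article',
  frameSrc: 'https://example.com/widget.html',
  sandbox: 'allow-scripts allow-same-origin',
  isolationSupported: false,
});
console.log('on origin:', onOrigin);
console.log('on cache: ', onCache);
```

Only the first case (same-origin frame, served from origin, no disallowDocumentAccess support) reports the embedder DOM as reachable; that is exactly the combination the proposal accepts as a residual risk on non-Chromium browsers.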
Summary
Support the new disallowDocumentAccess API and allow same-origin iframes in AMP.
The main impact of this proposal is the removal of AMP's Iframe origin policy.
Design document
/cc @ampproject/wg-approvers
/cc @cramforce @dtapuska