Add explainer for cross-origin iframe prerendering

Author: domenic

opt-in.md

@@ -34,6 +34,7 @@ This is an [HTTP structured header][http-structured-header] which lists tokens i
 * `uncredentialed-prefetch`
 * `uncredentialed-prerender`
 * `credentialed-prerender`
+* `prerender-cross-origin-iframes`
 
 ## Use cases
 
@@ -67,6 +68,10 @@ _Note: as indicated previously, the first case here is not yet implemented in Ch
 
 With this framework in place, by default, Bob's Star Wars Fan Site's attempt to prerender the List of Best Star Wars Movies document will fail and have no effect. And eventually, `https://docs.example.com/` might update their code to be prerendering aware, by not modifying the user's list of recently-viewed documents while prerendering. Once they've made such updates, `https://docs.example.com/` can add the `Supports-Loading-Mode: credentialed-prerender` header, and now the prerendering will work—giving a fast navigation from Bob's Star Wars Fan Site, with no unintended side effects.
 
+### Prerendering cross-origin iframes
+
+See [the dedicated explainer](./prerendering-cross-origin-iframes.md).
+
 ### Non-preloading cases
 
 There are other contexts on the web platform where novel loading modes are introduced. One of these is [fenced frames](https://github.com/WICG/fenced-frame), which also will use the `Supports-Loading-Mode` opt-in.
@@ -86,14 +91,6 @@ This would be processed only if it appears within the `<head>` element and no `<
 
 The main advantage here is that this may be easier to adopt. In order to make as much content as possible available for uncredentialed preloading, we would like to make it as easy as possible for authors to mark eligible content. We have heard from developers that many of them find it much easier to deploy changes that only affect content than changes which also require server behavior changes, even relatively straightforward ones. For example, these may be managed by different teams or not be possible at all. One example here is that GitHub Pages doesn't allow users to set response headers.
 
-### Application to subframes while prerendering
-
-Currently while prerendering, the loading of all cross-origin subframes are delayed. This prevents attacks similar to those described [above](#cross-origin-same-site-prerender). But of course, it has the cost that some of the benefits of prerendering are absent for such pages.
-
-We could use `Supports-Loading-Mode` to allow subframes to indicate they are OK with being prerendered, using either the `credentialed-prerender` or `uncredentialed-prerender` variants.
-
-It's not 100% clear this is necessary, because after [storage partitioning](https://github.com/privacycg/storage-partitioning/), the "attacks" on these cross-origin subframes would actually be on the subframe origin's partition within the top-level prerendered origin. Arguably, the top-level prerendered origin could be the one making decisions on behalf of its sub-partitions. If we want to start un-delaying cross-origin subframes in the future, we'll need to consider this question more carefully, and discuss it with the storage partitioning community.
-
 ## Redirect handling
 
 This header only needs to be supplied by the final response in any redirect chain. For example, for the `credentialed-prerender` case, `https://example.com/` → `https://a.example.com/` without the header → `https://b.example.com/` with the header succeeds.

prerendering-cross-origin-iframes-security-privacy-questionnaire.md

@@ -0,0 +1,89 @@
+# Security and Privacy Questionnaire: Prerendering cross-origin iframes
+
+> 1. What information does this feature expose, and for what purposes?
+
+None.
+
+> 2. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality?
+
+Yes.
+
+> 3. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either?
+
+No.
+
+> 4. How do the features in your specification deal with sensitive information?
+
+They do not.
+
+> 5. Does data exposed by your specification carry related but distinct information that may not be obvious to users?
+
+No.
+
+> 6. Do the features in your specification introduce state that persists across browsing sessions?
+
+No.
+
+> 7. Do the features in your specification expose information about the underlying platform to origins?
+
+No.
+
+8. Does this specification allow an origin to send data to the underlying platform?
+
+No.
+
+> 9. Do features in this specification enable access to device sensors?
+
+No.
+
+> 10. Do features in this specification enable new script execution/loading mechanisms?
+
+Not really; it allows existing mechanisms (i.e., iframes which contain script) to work in contexts where they were previously delayed from executing.
+
+> 11. Do features in this specification allow an origin to access other devices?
+
+No.
+
+> 12. Do features in this specification allow an origin some measure of control over a user agent's native UI?
+
+No.
+
+> 13. What temporary identifiers do the features in this specification create or expose to the web?
+
+None.
+
+> 14. How does this specification distinguish between behavior in first-party and third-party contexts?
+
+This feature can only be used by top-level pages, not by embedded third parties.
+
+> 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
+
+The same as in normal mode.
+
+> 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
+
+Yes, and the [explainer](./prerendering-cross-origin-iframes.md#privacy-considerations) has specific discussion.
+
+> 17. Do features in your specification enable origins to downgrade default security protections?
+
+No. (The delayed loading of cross-origin iframes while prerendering is not a security protection.)
+
+> 18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document?
+
+This isn't applicable, as prerendered pages cannot be kept in BFCache.
+
+> 19. What happens when a document that uses your feature gets disconnected?
+
+This isn't applicable, as prerendered pages cannot be included in iframes that get disconnected.
+
+> 20. Does your spec define when and how new kinds of errors should be raised?
+
+No new errors are raised.
+
+> 21. Does your feature allow sites to learn about the user's use of assistive technology?
+
+No.
+
+> 22. What should this questionnaire have asked?
+
+Probably something about "how does this all interact with storage partitioning".