Customers are allowed (frame ancestor) to use our SaaS application embedded in their website after a successful login (SSO integration). With the 3p cookie deprecation, our plan is to make use of RSA and allow access to login cookies. To make this happen, I see that Chrome expects an explicit interaction with the embedded page (for example, a click). What's the recommended approach to build such an embedded page where the customer could click and request access?
At the moment, it seems like I need to have a non-logged-in page embedded to conditionally show the button to grant access or take them to the application. I presume this comes with a potential clickjacking risk, as we do not have the allow-listed origins to populate because the customer hasn't logged in yet.
Any suggestions here?
At the moment I do not see an actual risk in enabling the RSA page to be embeddable by all, but wanted to understand if there are better guidelines on this line.
Hey @jagadeeshaby, is your potential concern that a user could be tricked into interacting with the button that shows the SAA prompt in the iframe? That seems possible in theory, though the capabilities that would be exposed to an attacker would be extremely limited (even assuming that the user then proceeds to accept the following prompt), since this would only give 3P cookie access to the requesting iframe. There are some hypothetical attacks and leaks that would be possible in such a scenario as outlined in Chrome's security analysis of SAA, which also led to some crucial improvements.
Despite these improvements, if you expose an iframe using SAA in a way that allows embedding by any site on the web and also might allow for clickjacking, you should definitely follow best practices against cross-site attacks such as proper usage of SameSite cookies, CSRF protection, etc.
It may be worth mentioning this in the spec's security considerations.
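An added example (not code from this thread or from the spec) of the embedded "gate" page discussed above: it checks `document.hasStorageAccess()`, renders a button only when unpartitioned cookies are not yet reachable, calls `requestStorageAccess()` inside the click handler (the user activation Chrome requires), and then confirms the session with a credentialed request carrying a custom header before redirecting, so a clickjacked click alone gains nothing. `APP_URL`, the `/session` endpoint and the `X-Requested-With` value are assumptions; `doc`/`win` are injected so the flow can run against the included stub outside a browser.

```javascript
const APP_URL = "https://app.example/dashboard"; // assumed SaaS app URL

// Entry point for the iframe. Returns the gate state so it can be tested.
async function setupStorageAccessGate(doc, win) {
  if (typeof doc.hasStorageAccess !== "function") {
    return "unsupported";            // no SAA: open the app top-level instead
  }
  if (await doc.hasStorageAccess()) {
    return "granted";                // login cookies already available
  }
  const button = doc.createElement("button");
  button.textContent = "Continue to your account";
  // The request must run inside the click handler (user activation).
  button.addEventListener("click", () => requestAndRedirect(doc, win));
  doc.body.appendChild(button);
  return "awaiting-click";
}

// Called from the user activation; returns the outcome of the attempt.
async function requestAndRedirect(doc, win) {
  try {
    await doc.requestStorageAccess();
  } catch (err) {
    return "denied";                 // user declined or no activation
  }
  // Cookies are now sent; verify the session before redirecting. The custom
  // header forces a CORS preflight, so a cross-site form cannot forge it.
  const res = await win.fetch("/session", {
    credentials: "include",
    headers: { "X-Requested-With": "saa-gate" }, // assumed CSRF marker
  });
  if (!res.ok) return "unauthenticated";
  win.location.assign(APP_URL);
  return "redirected";
}

// Constructed stub of the browser APIs so the flow can be exercised in Node.
function makeStubEnv({ hasAccess, grant, sessionOk }) {
  const listeners = [];
  const doc = {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => { if (!grant) throw new Error("NotAllowedError"); },
    createElement: () => ({ addEventListener: (_, fn) => listeners.push(fn) }),
    body: { appendChild: () => {} },
  };
  const win = {
    fetch: async () => ({ ok: sessionOk }),
    location: { assign: (url) => { win.navigatedTo = url; } },
    navigatedTo: null,
  };
  return { doc, win, click: () => listeners[0]() };
}
```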