[PerformanceControlOfEmbeddedContent] Reporting may leak state cross-document
From Web Performance Working Group discussion:
This can potentially leak the behavior of embedded content: if someone enters a password and it's wrong, and it loads a large image, it gets reported and the main frame will know. We need to address this.
[...] it gets reported and the main frame will know.
This is only a risk if the violation is reported cross-document, if we enable that somehow. Other policy-based mechanisms (e.g., sandboxing, CSP) have enforcement while reporting only to the document where the violation occurs. The difference with Document Policy is that the embedded document has the option to negotiate the policy. If the policy is rejected, the frame won't load.
From the discussion in Web Perf WG, because the policy is opt-in, the embedded document accepts the risks. In that case, it might be more a question of incentive: why would the embedded document accept a policy which could expose state and behavior to the embedding document through violation reports when it may not know who the embedder is? The idea is that if a document wants to be loaded in the context of a meta-platform embedder, they'd need to opt into the policy (see #1066). But it might be worth considering how the embedded document would know the scenario where it's getting embedded, and whether potential state exposure is a reasonable trade-off for getting loaded.
Detailing what kind of information would be reported also seems important here. Depending on that, it might be difficult for embedded resources to assess the risk of opting in in general, and a per-embedder-origin or per-report-endpoint opt-in could be a stronger signal.
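As an added illustration (not part of the thread above), the opt-in negotiation being discussed, written out as HTTP headers. The header names, the `policy` iframe attribute and the `report-to` parameter follow the Document Policy proposal as I understand it; the origins and the endpoint URL are placeholders.

```http
# Embedder response (https://embedder.example): demands a policy of every frame it embeds
HTTP/1.1 200 OK
Require-Document-Policy: oversized-images=2.0

# Alternatively, the embedder can require the policy per frame in its markup:
# <iframe src="https://embedded.example/login" policy="oversized-images=2.0"></iframe>

# Embedded document response (https://embedded.example/login): opts in and names its own report endpoint
HTTP/1.1 200 OK
Reporting-Endpoints: docpolicy="https://embedded.example/reports"
Document-Policy: oversized-images=2.0;report-to=docpolicy

# Negotiation (as I understand the proposal): if the embedded response omits Document-Policy,
# or declares a weaker value such as oversized-images=4.0, the frame is not loaded at all.
# Reporting as proposed today: a violation inside the frame (for example an image rendered at
# more than 2x its layout size) is delivered to https://embedded.example/reports, the endpoint
# the embedded document chose, not to the embedder. The leak raised above only arises if the
# report is additionally surfaced to the embedding document.
```

The practical takeaway for anyone deploying the embedded side is that the `report-to` endpoint is the one place the violation detail lands, so the opt-in decision should consider who can read that endpoint and which embedders the document is willing to be loaded by.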