Should scroll margin be applied to cross-origin iframe? #531

@tuankiet65

Given this situation: site A embeds a cross-origin-domain iframe B, which in turn embeds a same-origin-domain iframe C with the same domain as A. If a target in C sets up an implicit root intersection observer, the root is then site A, and the observer is same-origin-domain.

The "To apply scroll margin to a scrollport" step says that the scroll margin is only applied for same-origin-domain targets:

These offsets are only applied when handling same-origin-domain targets; for cross-origin-domain targets they are ignored.

So in the given situation, scroll margin should be applied. But when computing the intersection, we'll apply the scroll margin to the cross-origin-domain iframe B. This doesn't seem like the desirable behavior.

In the discussion about adding scroll margin, there's a note about not applying scroll margin to iframes:

Implementation notes:

  • [...]
  • Should stop margins at a cross-origin iframe boundary for security

So maybe the spec is just not updated to include this point?
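
A simplified model of the A → B → C frame chain described in this issue, added here as an example (it is not code from the specification or from the issue author). The origins, the function names, and the reading of "stop margins at a cross-origin iframe boundary" as "walk up from the target and stop at the first origin change" are assumptions.

```javascript
// Constructed frame chain from the issue, ordered root -> target's document.
// Origins are placeholder values. Plain origin-string equality stands in for
// the same-origin-domain check (a simplification).
const chain = [
  { name: "A", origin: "https://a.example" }, // top-level page, implicit root
  { name: "B", origin: "https://b.example" }, // cross-origin-domain iframe
  { name: "C", origin: "https://a.example" }, // iframe containing the target
];

// Rule as quoted in the issue: one decision for the whole chain, based only
// on whether the target's document is same-origin-domain with the root.
function marginsByQuotedRule(frames) {
  const root = frames[0];
  const target = frames[frames.length - 1];
  const apply = target.origin === root.origin;
  return frames.map((f) => ({ name: f.name, marginApplied: apply }));
}

// Assumed reading of the implementation note: walk from the target's document
// toward the root and stop applying margins at the first parent/child pair
// whose origins differ.
function marginsStoppingAtBoundary(frames) {
  const result = [];
  let stopped = false;
  for (let i = frames.length - 1; i >= 0; i--) {
    const isTargetDoc = i === frames.length - 1;
    if (!isTargetDoc && frames[i].origin !== frames[i + 1].origin) {
      stopped = true;
    }
    result.unshift({ name: frames[i].name, marginApplied: !stopped });
  }
  return result;
}

// Frames whose scrollports get a margin under the quoted rule but not under
// the boundary rule: the gap the issue is pointing at.
function disagreement(frames) {
  const quoted = marginsByQuotedRule(frames);
  const bounded = marginsStoppingAtBoundary(frames);
  return quoted
    .filter((q, i) => q.marginApplied && !bounded[i].marginApplied)
    .map((q) => q.name);
}

console.log(marginsByQuotedRule(chain));
console.log(marginsStoppingAtBoundary(chain));
console.log(disagreement(chain));
```
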
