Removes the special treatment of same-origin iframes from CSP Embedded Enforcement. This aligns how CSP Embedded Enforcement is enforced for cross-origin iframes and same-origin iframes.
The blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allowed attacks that were not possible before (example[1]). Additionally, it caused a bug[2] where the CSP nonce value enforced by CSPEE from a top frame had to exactly match the nonce value served in a grand-child frame when the top frame and child frame are cross-origin but the child frame and grand-child frame are same-origin. Given that this part of blanket enforcement is rarely used (~0.000017%[3]), let's remove this logic.

[1] https://github.com/google/google-ctf/tree/master/2023/quals/web-biohazard/solution#reviving-xss-auditor-primitive
[2] https://github.com/w3c/webappsec-cspee/issues/26
[3] https://chromestatus.com/metrics/feature/timeline/popularity/4599
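To find embedded pages whose handling changes with this removal, the added example below (not Chromium or spec code) models a simplified reading of the CSPEE response check with and without the same-origin path and lists the frames whose outcome differs. The function names, the `frames` inventory and the `example.test` hosts are assumptions, and `subsumes` is supplied by the caller because CSP subsumption is not computed here.

```javascript
// Added model, not Chromium code. `subsumes` is caller-supplied input.
function originOf(url) {
  const o = new URL(url).origin;
  return o === "null" ? null : o; // opaque origins never compare equal
}

// Allow-CSP-From carries "*" or one serialized origin.
function optsIn(allowCspFrom, embedderOrigin) {
  if (allowCspFrom == null) return false;
  const value = allowCspFrom.trim();
  if (value === "*") return true;
  if (embedderOrigin === null) return false;
  try {
    return new URL(value).origin === embedderOrigin;
  } catch {
    return false; // unparsable value: no opt-in
  }
}

// Outcome for one framed response that has a required CSP:
// "blanket-enforce" | "allow" | "block".
function cspeeDecision(frame, sameOriginBlanket) {
  const embedder = originOf(frame.embedderUrl);
  const sameOrigin = embedder !== null && originOf(frame.responseUrl) === embedder;
  if (sameOriginBlanket && sameOrigin) return "blanket-enforce"; // removed path
  if (optsIn(frame.allowCspFrom, embedder)) return "blanket-enforce";
  return frame.subsumes ? "allow" : "block";
}

// Frames whose outcome differs once the same-origin path is gone.
function changedByRemoval(frames) {
  return frames
    .map((f) => ({ name: f.name, before: cspeeDecision(f, true), after: cspeeDecision(f, false) }))
    .filter((r) => r.before !== r.after);
}

// Constructed sample inventory (hosts are placeholders).
const app = "https://app.example.test";
const frames = [
  { name: "same-origin, no opt-in", embedderUrl: app + "/", responseUrl: app + "/widget", allowCspFrom: null, subsumes: false },
  { name: "same-origin, own subsuming CSP", embedderUrl: app + "/", responseUrl: app + "/report", allowCspFrom: null, subsumes: true },
  { name: "same-origin, explicit opt-in", embedderUrl: app + "/", responseUrl: app + "/chat", allowCspFrom: app, subsumes: false },
  { name: "cross-origin, no opt-in", embedderUrl: app + "/", responseUrl: "https://cdn.example.test/ad", allowCspFrom: null, subsumes: false },
];

console.log(changedByRemoval(frames));
```

In this model, a same-origin frame that previously relied on blanket enforcement needs an `Allow-CSP-From` header or a subsuming policy of its own, as a cross-origin frame does.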