Google Support provides iFramed support experiences across Google products (Accounts, Blogger, Flights, Maps, YouTube, etc.). The authentication cookies are sent to the iFrame domain which are used to provide a more personalized support experience and to provide an option for users to attach their account information in Feedback reports and support tickets.

On Firefox 118 (and below) and Safari, when the user first authorizes access to allow “google.com” to use cookies from “youtube.com” (or other Google products hosted outside google.com and its subdomains), the iFrame window is reloaded to pass on the auth cookie to the server and request headers. This access is granted for google.com iFrames (even in the nested google.com iFrames within the support experience) so additional reload of the iFrame is not needed if the permission is auto-granted.

In contrast, on Chrome and Firefox 121+, we are required to reload all iFrames (even nested iFrames) when the frame is auto-granted access. When requestStorageAccess (rSA) is called, it grants the access for the iFrame but would require a reload of that frame to pass the auth cookies to the server. The support help panel has several nested iFrames which all require the same behavior as well. This results in increased server load (loading 2x / iFrame) and increased latency to when the user can access the support experience. Furthermore, the support iFrames are created and destroyed when the user opens/closes the frame. That means any time the user opens it again, we would have to load the contents twice.

Similarly, Country Code Top-Level Domains (CCTLDs) are also considered part of the Related Website Set (RWS) which has an rSA auto-grant; however, auto-grants have the above issue. That means the scope of the impact is drastically increased (google.co.jp, google.co.in, etc.) since it is considered outside the google.com domain.

The ideal solution would be to have a way to mitigate the reloads. One proposal is for the browser to recognize that the iFrame src has storage access to the parent page, then the browser can auto-grant access and pass the authentication cookies during the first iFrame load without requiring requestStorageAccess call.