Extract actionable items from @lknik's review

[marcoscaceres]

There are a few actionable items from @lknik's review that we should fix:
https://blog.lukaszolejnik.com/privacy-of-web-request-api/

We should review the article and extract actionable things that we can fix (specially around iframes, which @lknik shows are pretty easy to bypass).

I believe this is related:
#629

[ianbjacobs]

Thank you @lknik and @marcoscaceres. One idea occurred to me upon reading the piece:
extend rate limiting to cover both the "parent origin" and any parent/child (included script)
pairs. I don't know if that's what implementations do today.

A script could be included by multiple parents which is why I thought of rate limiting the pairs (as part of rate limiting the parent).

I've added this topic to our FTF agenda.

Ian

[lknik]

Yeah, thought of a similar solution (quota on effective top-level context/domain). Then again, what about CORS or other hacks?

[marcoscaceres]

closing, as priv/sec review are complete.