We should not automatically grant storage access to cross-origin iframes without first party user interaction. However, automatically denying seems too extreme given that the website is forced to show users weird a interstitial then. A compromise would be to always prompt in this case. Note that combined with bug 1680844 this would mean that the 3rd party can then obtain first party user interaction when the user confirms the permission prompt.
Bug 1680846 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
We should not automatically grant storage access to cross-origin iframes without first party user interaction. However, automatically denying seems too extreme given that the website is forced to show users a weird interstitial then. A compromise would be to always prompt in this case. Note that combined with bug 1680844 this would mean that the 3rd party can then obtain first party user interaction when the user confirms the permission prompt.