[02:26:34] <Krinkle>	 bd808: postMessage will continue to allow comm between any two frames that don't specifically opt out of framing or postMessage, thus indeed a way to corporate despite CORS. Cookie isolation is a thing into its own though so short of First Party sets or the current Mozilla hard coded equiv, those iframes will effectively be cookieless, or more specially only see cookies set within the same key context. Eg foo.test embedding bar.test, 
[02:26:35] <Krinkle>	 will have bar.test only see cookies set in the foo.test+bar.test context. So for more purposes likely anonymous/not logged in.
[02:26:54] <Krinkle>	 (In the strict / future model)
[18:10:11] <bd808>	 Krinkle: thank you for giving me that explanation. I obviously need to learn more about the extent of the new anti-leak protections for cookies.