Currently, to allow the DeviceMotion and DeviceOrientation Event APIs to access sensors (which are provided by Generic Sensor) in cross-origin iframes, there is no cross-origin iframe check in the SensorPermissionContext class.
We may need to add a cross-origin iframe check to the SensorPermissionContext class when we can grant permission for certain sensor types. The SensorPermissionContext::GetPermissionStatusInternal() function doesn't have any information about which sensor type is requesting permission.
The Generic Sensor API is not allowed in cross-origin iframes and this is enforced by the renderer.
This is from the comments at:
https://chromium-review.googlesource.com/c/chromium/src/+/767549
Comment 1 by nasko@chromium.org, Nov 30 2017