Contact emails weizman...@gmail.com, yoav.we...@shopify.com
Explainer https://github.com/WICG/Realms-Initialization-Control Specification https://github.com/WICG/Realms-Initialization-Control Summary Support a new CSP directive which points to a remote (first party) script file to be loaded before any other JavaScript code within every child realm that shares an origin with the top realm of a website (such as same origin iframes and popups). This allows websites to regain control over which capabilities such a realm exposes to untrusted entities living within the website and thus allow them to tame and control it. Blink component Blink Motivation The web is a great platform for creating composable software, but not to do so securely - the environment and the APIs available make it extremely difficult for applications to contain a program without having to trust it, especially when interacting with the DOM. Unfortunately, securing a supply chain - telling good code from bad code within the dependencies from which an application is composed - is very hard. This is evident by the prevalence of services focused on detecting threats both before they get baked into an application (at build-time) and while being executed on the fly (at runtime). One way to approach this problem at runtime is by virtualization - redefining JavaScript capabilities (commonly known as monkey patching) to behave similarly while hardening them to limit how they can be used. However, due to some characteristics of how the web is designed, there are some major blockers in fully unleashing the power of virtualization in favor of introducing runtime security. One of those blockers is the lack of control web applications have over safe introduction of same origin realms into their execution environment at runtime. The motivation behind this proposal is to remove this blocker by providing developers a way to control the initialization of same origin realms to tame access to powerful capabilities those leak. Initial public proposal https://github.com/WICG/Realms-Initialization-Control TAG review None TAG review status Pending Risks Interoperability and Compatibility None Gecko: No signal WebKit: No signal Web developers: No signals Other signals: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None Debuggability None Is this feature fully tested by web-platform-tests? No Flag name on chrome://flags None Finch feature name None Non-finch justification None Requires code in //chrome? True Estimated milestones No milestones specified Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5080729822953472?gate=5143912415756288 This intent message was generated by Chrome Platform Status. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/0000000000000956910620bb477e%40google.com.
