Hi there, I'm an independent contributor interested in this feature.
I'm really eager to get involved with the implementation of it or contribute in other ways. Could you please tell me if it's possible? I've just fixed a few bugs for Blink and I might not fully understand all the rules about "Intent to" yet. If it's not possible at this point, could you guide me on how I could get involved in the implementation of new features like this in the future? Any advice would be greatly appreciated :)

On Thursday, August 29, 2024 at 1:41:20 AM UTC+9 Gal Weizman wrote:

> Correction: "Requires code in //chrome?" is False, not True (my mistake)
>
> On Wednesday 28 August 2024 at 12:49:53 UTC+3 Chromestatus wrote:
>
> Contact emails weizm...@gmail.com, yoav....@shopify.com
>
> Explainer https://github.com/WICG/Realms-Initialization-Control
>
> Specification https://github.com/WICG/Realms-Initialization-Control
>
> Summary
>
> Support a new CSP directive which points to a remote (first party) script file to be loaded before any other JavaScript code within every child realm that shares an origin with the top realm of a website (such as same origin iframes and popups). This allows websites to regain control over which capabilities such a realm exposes to untrusted entities living within the website and thus allow them to tame and control it.
>
> Blink component Blink <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
>
> Motivation
>
> The web is a great platform for creating composable software, but not to do so securely - the environment and the APIs available make it extremely difficult for applications to contain a program without having to trust it, especially when interacting with the DOM. Unfortunately, securing a supply chain - telling good code from bad code within the dependencies from which an application is composed - is very hard. This is evident by the prevalence of services focused on detecting threats both before they get baked into an application (at build-time) and while being executed on the fly (at runtime). One way to approach this problem at runtime is by virtualization - redefining JavaScript capabilities (commonly known as monkey patching) to behave similarly while hardening them to limit how they can be used. However, due to some characteristics of how the web is designed, there are some major blockers in fully unleashing the power of virtualization in favor of introducing runtime security. One of those blockers is the lack of control web applications have over safe introduction of same origin realms into their execution environment at runtime. The motivation behind this proposal is to remove this blocker by providing developers a way to control the initialization of same origin realms to tame access to powerful capabilities those leak.
>
> Initial public proposal https://github.com/WICG/Realms-Initialization-Control
>
> TAG review None
>
> TAG review status Pending
>
> Risks
>
> Interoperability and Compatibility
>
> None
>
> *Gecko*: No signal
>
> *WebKit*: No signal
>
> *Web developers*: No signals
>
> *Other signals*:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>
> None
>
> Debuggability
>
> None
>
> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? No
>
> Flag name on chrome://flags None
>
> Finch feature name None
>
> Non-finch justification None
>
> Requires code in //chrome? False
>
> Estimated milestones
>
> No milestones specified
>
> Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5080729822953472?gate=5143912415756288
>
> This intent message was generated by Chrome Platform Status <https://chromestatus.com>.
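
The blocker named in the quoted Motivation (a page hardens its own realm, but a new same-origin realm starts with pristine capabilities) can be checked with a small model. This is an added example, not code from the proposal or from Chromium: Node's `vm` contexts stand in for same-origin browser realms, and `send`, `createRealm`, `HARDEN` and the URLs are constructed names.

```javascript
// Assumption: Node's vm contexts model same-origin realms (iframes, popups).
const vm = require('vm');

// Constructed stand-in for a powerful platform API. Like the browser,
// the host hands every new realm its own pristine copy.
function pristineSend(log) {
  return (url) => { log.push(url); return 'sent'; };
}

// Models realm creation. `initScript` plays the role of the first-party
// script the proposed CSP directive would run before any other code.
function createRealm(log, initScript) {
  const realm = vm.createContext({ send: pristineSend(log) });
  if (initScript) vm.runInContext(initScript, realm);
  return realm;
}

// The "virtualization": wrap the capability behind an allowlist and keep
// the raw function reachable only through the closure.
const HARDEN = `
(() => {
  const raw = send;
  const allowed = ['https://app.example/'];
  globalThis.send = (url) => {
    if (!allowed.some((p) => String(url).startsWith(p))) throw new Error('blocked');
    return raw(url);
  };
})();`;

// Code the application does not trust; it simply uses what its realm exposes.
const UNTRUSTED = `
(() => { try { return send('https://other.example/x'); } catch (e) { return e.message; } })()`;

// Compare three realms: hardened top realm, child realm as created today,
// and a child realm whose initialization the page controls.
function demo() {
  const log = [];
  const top = createRealm(log, HARDEN);
  const child = createRealm(log);
  const childInit = createRealm(log, HARDEN);
  return {
    top: vm.runInContext(UNTRUSTED, top),
    child: vm.runInContext(UNTRUSTED, child),
    childInit: vm.runInContext(UNTRUSTED, childInit),
    log,
  };
}
```

Only the child realm created without an initialization script reaches the raw capability, so `log` ends up with a single entry.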