(You can ignore the confidentiality notice in that last message.)

On Wednesday, August 28, 2024 at 2:49:53 AM UTC-7 Chromestatus wrote:

Contact emails weizm...@gmail.com, yoav....@shopify.com 

Explainer https://github.com/WICG/Realms-Initialization-Control 

Specification https://github.com/WICG/Realms-Initialization-Control 

Summary 

Support a new CSP directive which points to a remote (first party) script 
file to be loaded before any other JavaScript code within every child realm 
that shares an origin with the top realm of a website (such as same origin 
iframes and popups). This allows websites to regain control over which 
capabilities such a realm exposes to untrusted entities living within the 
website, and thus allows them to tame and control it. 


Blink component Blink 
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> 

Motivation 

The web is a great platform for creating composable software, but not for 
doing so securely - the environment and the APIs available make it extremely 
difficult for applications to contain a program without having to trust it, 
especially when interacting with the DOM. Unfortunately, securing a supply 
chain - telling good code from bad code within the dependencies from which 
an application is composed - is very hard. This is evident from the 
prevalence of services focused on detecting threats both before they get 
baked into an application (at build time) and while being executed on the 
fly (at runtime). One way to approach this problem at runtime is by 
virtualization - redefining JavaScript capabilities (commonly known as 
monkey patching) to behave similarly while hardening them to limit how they 
can be used. However, due to some characteristics of how the web is 
designed, there are some major blockers to fully unleashing the power of 
virtualization in favor of introducing runtime security. One of those 
blockers is the lack of control web applications have over the safe 
introduction of same origin realms into their execution environment at 
runtime. The motivation behind this proposal is to remove this blocker by 
providing developers a way to control the initialization of same origin 
realms, to tame access to the powerful capabilities those leak.


Initial public proposal 
https://github.com/WICG/Realms-Initialization-Control 

TAG review None 

TAG review status Pending 

Risks 


Interoperability and Compatibility 

None


*Gecko*: No signal 

*WebKit*: No signal 

*Web developers*: No signals 

*Other signals*: 

WebView application risks 

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications?

None


Debuggability 

None


Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
? No 

Flag name on chrome://flags None 

Finch feature name None 

Non-finch justification None 

Requires code in //chrome? True 

Estimated milestones 

No milestones specified


Link to entry on the Chrome Platform Status 
https://chromestatus.com/feature/5080729822953472?gate=5143912415756288 

This intent message was generated by Chrome Platform Status 
<https://chromestatus.com>. 

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/ad1866a5-6cc3-426c-bf31-a185f018580en%40chromium.org.
