Realms Initialization Control #144

Open
weizman opened this issue Mar 27, 2024 · 0 comments

Introduction

The proposal for Realms Initialization Control (referred to as RIC) allows developers to securely tap into the creation moment of same origin realms within their web application in order to tame and control them.

Motivation

  • JavaScript and the Web are well designed for building composed/composable software.
  • However, to do so securely, there are still some major blockers to deal with.
  • One of them being the same origin concern where an app has no control over child same origin realms (iframes, tabs, etc) within its execution environment.
  • Having no control over such realms translates into not being able to virtualize runtime security in a truly safe manner (example).
  • The RIC proposal focuses on providing developers with some way to control the initialization stage of same origin realms in order to be able to tame and control them.

Goals

  • Give web applications control over all realms that fall under their origin - regardless of the APIs used to create the new realm and edge-cases like about:blank.
  • Make the control opt-in to avoid breaking the web.

The browser is already capable of enforcing rules on new realms before they become reachable, and it is where the same origin concern should also be addressed.

Proposal

Initialization of same origin realms in an application should be under that application's control.

This proposal describes an opt-in capability to set a script to be loaded first, every time a same origin realm with synchronous access to the main execution environment of the application is created.

The location of the script can be relative or absolute. Secure connection is required.
The proposed method for setting the script is a Content Security Policy directive as follows:

Content-Security-Policy: "realm-init: /scripts/on-new-same-origin-realm.js"

Resources

Explainer

Read the complete Explainer.

Feedback

I welcome feedback in this thread, but encourage you to file bugs against the Explainer.
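
An added illustration of the mechanism proposed above, not part of the original issue or the Explainer: Node.js `vm` contexts stand in for same origin browser realms, and `REALM_INIT_SOURCE`, `createRealm` and `tryPatchIntrinsic` are hypothetical names. It shows that a new realm gets its own untamed intrinsics unless an init script runs in it before any other code.

```javascript
// Assumption: Node.js vm contexts model same origin realms (iframes, tabs);
// a real browser would apply the proposed CSP directive instead.
const vm = require('node:vm');

// Constructed stand-in for the script named by the proposed directive.
// It runs inside the new realm and freezes that realm's own intrinsics.
const REALM_INIT_SOURCE = `
  (function tame(g) {
    for (const C of [g.Object, g.Array, g.Function]) {
      Object.freeze(C.prototype);
      Object.freeze(C);
    }
  })(globalThis);
`;

// Hypothetical helper modelling realm creation. When initSource is given,
// it is evaluated first, before any other code can reach the realm.
function createRealm(initSource) {
  const realm = vm.createContext({});
  if (initSource) {
    vm.runInContext(initSource, realm);
  }
  return realm;
}

// Code that later runs in the realm tries to replace a shared intrinsic.
// Returns true when the replacement took effect, false when it was blocked.
function tryPatchIntrinsic(realm) {
  return vm.runInContext(`
    try { Array.prototype.push = function () { return -1; }; } catch (e) {}
    [].push(1) === -1;
  `, realm);
}

// Without an init script the new realm starts with fresh, writable intrinsics.
const uncontrolled = createRealm(null);
// With the init script the application's policy is in place from the start.
const controlled = createRealm(REALM_INIT_SOURCE);

console.log('patch succeeds in uncontrolled realm:', tryPatchIntrinsic(uncontrolled));
console.log('patch succeeds in controlled realm:', tryPatchIntrinsic(controlled));
```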
