How would about:blank work?

WICG / Realms-Initialization-Control

Introduce security controls to same origin realms in web applications

MIT License

15 stars 0 forks source link

How would about:blank work? #32

Closed simon-friedberger closed 2 months ago

simon-friedberger commented 2 months ago

Give web applications control over all realms that fall under their origin - regardless of the APIs used to create the new realm and edge-cases like about:blank.

I'm not sure what this is getting at. There is no JS running on about:blank, right?

NDevTK commented 2 months ago

By default no, however about:blank inherits from its initiator

Inject code via same-origin window reference
Its possible to do open("javascript:'foo'") to inject content on about:blank
A browser extension can inject code

simon-friedberger commented 2 months ago

I would be worth clarify this in the proposal. The connection between "every realm should be governed by RIC" and "about:blank" special cases is not totally clear. Just enumerating as many ways of creating a realm as possible and how it might be covered would be useful.