Closed rwaldron closed 1 month ago
If an app chose to make use of the RIC directive, then it made a choice to run that script in all realms by design. Therefore, it made a choice to apply its restrictions upon your iframe too.
While they're expected to be cautious with such power and run safe code that won't harm yours, they're entitled to do so, which is the power balance this proposal attempts to restore.
This is of course solvable, since they write the code, they can at any point update it to exclude your iframe:
// Content-Security-Policy: "realm-init: /scripts/on-new-same-origin-realm.js"
(function () {
  if (shouldIframeBeExcluded(window)) return; // excluded realm: stop running here
})();
But this proposal shouldn't focus on implementing a built-in mechanism for telling whether a realm should be excluded or not securely, as it would introduce quite an overhead in complexity for a not well-justified use case.
Ok, I think that amount of control is suitable. Thanks!
Let's say I have a large platform application that allows different orgs to deploy their own custom components to be run only for that org's account on my platform, and I'm going to run all of that code in a child realm. If my pages load with:
Does that mean that all iframes created will all be subject to whatever is written in scripts/on-new-same-origin-realm.js? I can't see a way for my application to decide which realms should have this realm-init policy applied.