Realms Initialization Control

weizman commented 7 months ago

Introduction

The proposal for Realms Initialization Control (referred to as RIC) allows developers to securely tap into the creation moment of same origin realms within their web application in order to tame and control them.

Motivation

JavaScript and the Web are well designed for building composed/composable software.
However, to do so securely, there are still some major blockers to deal with.
One of them being the same origin concern where an app has no control over child same origin realms (iframes, tabs, etc) within its execution environment.
Having no control over such realms translates into not being able to virtualize runtime security in a truly safe manner (example).
The RIC proposal focuses on providing developers with some way to control the initialization stage of same origin realms in order to be able to tame and control them.

Goals

Give web applications control over all realms that fall under their origin - regardless of the APIs used to create the new realm and edge-cases like about:blank.
Make the control opt-in to avoid breaking the web.

The browser is already capable of enforcing rules on new realms before they become reachable, and it is where the same origin concern should also be addressed.

Proposal

Initialization of same origin realms in an application should be under that application's control.

This proposal describes an opt-in capability to set a script to be loaded first, everytime a same origin realm with synchronous access to the main execution environment of the application is created.

The location of the script can be relative or absolute. Secure connection is required. The proposed method for setting the script is a Content Security Policy directive as follows:

Content-Security-Policy: "realm-init: /scripts/on-new-same-origin-realm.js"

Resources

This was already presented to the W3C web app sec work group: "JavaScript realms used to bypass and eliminate web apps security tools - A problem with a WIP solution" - https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Explainer

Read the complete Explainer.

Feedback

I welcome feedback in this thread, but encourage you to file bugs against the Explainer.

nicjansma commented 5 months ago

@weizman really cool idea here!

Akamai has a few products that could use something like this:

We have a real user monitoring (RUM) product that wraps a lot of top-level APIs for performance and error telemetry
We have bot management and security products that wrap APIs for protection and monitoring

If there was support for something like this added to the browser I'm sure we'd consider using it to harden our existing "patching" techniques.

weizman commented 5 months ago

As a former PerimeterX employee, I relate to literally 100% of what you wrote 😉 Let's do it @nicjansma! Could you please add this to the "usecases" issue on the explainer repo? After having some, I'll introduce all into the md document of the official explainer, could be really helpful 🙏🏻

yoavweiss commented 5 months ago

With my Shopify hat on, we are supportive of this effort and could make use of something of this nature in our various code sandboxes.

Switching hats to my (virtual) WICG co-chair one, this seems enough support for us to move the repo to the WICG org. Let's discuss details offline.

weizman commented 5 months ago

Awesome news @yoavweiss!

I would love to talk details with you on how to proceed, let's do that.
We would love to get more insights into your use case so it could be documented into the explainer. Could we add a small paragraph on shopify's use case for this in the "use cases" issue under the official explainer repo?

yoavweiss commented 5 months ago

The repo now lives at https://github.com/WICG/Realms-Initialization-Control Happy incubating!!

WICG / proposals