If you build websites, you inevitably run into problems. Maybe there’s no way to achieve an aspect of your design using CSS. Or maybe there’s a device feature you really wish you could tap into using JavaScript. Or perhaps the in-browser DevTools don’t give you a key insight you need to do your job. We want to hear about it!
title: Web apps to be able to control child same origin realms
date: 2023-04-30T07:16:28.607Z
submitter: Gal weizman
number: 644e15ccdfe08c025b38c488
tags: [ ]
discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/
status: [ discussing || in-progress || complete ]
related:
At MetaMask (and other places throughout my career) we develop advanced in-browser runtime security tools, that enforce protection to the website using all sorts of techniques. Unfortunately, many of those techniques can easily be bypassed by attackers by carrying out attacks through realms. For example, the monkey patching protection technique only applies to the realm you applied it to, which means it won’t apply by default to a new iframe.
We believe web apps should be able to register arbitrary code to execute first on every new same origin realm in the app, similar to how extensions can already register such code to all realms of a website. An app should be granted power over the realms in itself, it only makes sense.
For reference, we already build on top of such technology to enhance our app protection, in the form of a js shim - https://github.com/lavamoat/snow.
aarongustafson
commented
1 year ago
title: Web apps to be able to control child same origin realms date: 2023-04-30T07:16:28.607Z submitter: Gal weizman number: 644e15ccdfe08c025b38c488 tags: [ ] discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/ status: [ discussing || in-progress || complete ] related:
title: url: type: [ article || explainer || draft || spec || note || discussion ]
At MetaMask (and other places throughout my career) we develop advanced in-browser runtime security tools, that enforce protection to the website using all sorts of techniques. Unfortunately, many of those techniques can easily be bypassed by attackers by carrying out attacks through realms. For example, the monkey patching protection technique only applies to the realm you applied it to, which means it won’t apply by default to a new iframe. We believe web apps should be able to register arbitrary code to execute first on every new same origin realm in the app, similar to how extensions can already register such code to all realms of a website. An app should be granted power over the realms in itself, it only makes sense. For reference, we already build on top of such technology to enhance our app protection, in the form of a js shim - https://github.com/lavamoat/snow.
If posted, this will appear at https://webwewant.fyi/wants/644e15ccdfe08c025b38c488/