If you build websites, you inevitably run into problems. Maybe there’s no way to achieve an aspect of your design using CSS. Or maybe there’s a device feature you really wish you could tap into using JavaScript. Or perhaps the in-browser DevTools don’t give you a key insight you need to do your job. We want to hear about it!
title: Web apps to be able to control child same origin realms
date: 2023-04-30T07:16:58.427Z
submitter: Gal weizman
number: 644e15ea04c75100768d4a99
tags: [ ]
discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/
status: [ discussing || in-progress || complete ]
related:
At MetaMask (and other places throughout my career) we develop advanced in-browser runtime security tools, that enforce protection to the website using all sorts of techniques. Unfortunately, many of those techniques can easily be bypassed by attackers by carrying out attacks through realms. For example, the monkey patching protection technique only applies to the realm you applied it to, which means it won’t apply by default to a new iframe.
We believe web apps should be able to register arbitrary code to execute first on every new same origin realm in the app, similar to how extensions can already register such code to all realms of a website. An app should be granted power over the realms in itself, it only makes sense.
For reference, we already build on top of such technology to enhance our app protection, in the form of a js shim - https://github.com/lavamoat/snow.
title: Web apps to be able to control child same origin realms date: 2023-04-30T07:16:58.427Z submitter: Gal weizman number: 644e15ea04c75100768d4a99 tags: [ ] discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/ status: [ discussing || in-progress || complete ] related:
title: url: type: [ article || explainer || draft || spec || note || discussion ]
At MetaMask (and other places throughout my career) we develop advanced in-browser runtime security tools, that enforce protection to the website using all sorts of techniques. Unfortunately, many of those techniques can easily be bypassed by attackers by carrying out attacks through realms. For example, the monkey patching protection technique only applies to the realm you applied it to, which means it won’t apply by default to a new iframe. We believe web apps should be able to register arbitrary code to execute first on every new same origin realm in the app, similar to how extensions can already register such code to all realms of a website. An app should be granted power over the realms in itself, it only makes sense. For reference, we already build on top of such technology to enhance our app protection, in the form of a js shim - https://github.com/lavamoat/snow.
If posted, this will appear at https://webwewant.fyi/wants/644e15ea04c75100768d4a99/