Currently, all insts are loaded from the same "VM origin". This can be configured, but generally it is the same as the origin of the website that CasualOS is loaded from. When using STATIC_REPO_LOCAL_PERSISTENCE = "true", this causes a security concern because all the inst data is stored in IndexedDb, which would then the available to other insts because IndexedDb is itself available inside web workers.
This task is to track work so that VM_ORIGIN can be set to a string that contains placeholders like: {inst}.{recordName}.example.com which would be filled in with the respective values: great-coffee-bear.myRecord.example.com. This would force the Same Origin Policy to restrict access between inst data.
Currently, all insts are loaded from the same "VM origin". This can be configured, but generally it is the same as the origin of the website that CasualOS is loaded from. When using
STATIC_REPO_LOCAL_PERSISTENCE = "true", this causes a security concern because all the inst data is stored in IndexedDb, which would then the available to other insts because IndexedDb is itself available inside web workers.This task is to track work so that
VM_ORIGINcan be set to a string that contains placeholders like:{inst}.{recordName}.example.comwhich would be filled in with the respective values:great-coffee-bear.myRecord.example.com. This would force the Same Origin Policy to restrict access between inst data.