Closed Jack-Works closed 2 years ago
We certainly won’t do anything with web APIs in Lockdown, but outside of SES, it would be expensive but reasonable to construct “attenuations” of web APIs, on a case-by-case basis. Taming the DOM has been attempted multiple times and proved…expensive. My stance for now is that taming the DOM is not a reasonable objective. Creating a tame virtual DOM for a specific framework is more achievable. Creating bespoke hardened controller APIs for specific interactions with UI is practical in the short term, where UIs are still largely guarded by same-origin-policy and single-tenancy. UIs can still communicate with eventual-send to external multi-tenant agents.
Closing for tracking purposes, but this is still a good anchor for this conversation.
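The case-by-case attenuation described in the comment above, shown as an added example that is not code from this thread or from the SES project: a fetch-like function is narrowed to read-only requests under one URL prefix. `makeReadOnlyFetch`, `deepFreeze` (a local stand-in for SES `harden`), the recording stub and the `api.example` URLs are assumptions made for illustration.

```javascript
// Local stand-in for SES `harden` (assumption): freeze an object graph's own properties.
function deepFreeze(value, seen = new WeakSet()) {
  if (Object(value) !== value || seen.has(value)) return value;
  seen.add(value);
  Object.freeze(value);
  for (const key of Reflect.ownKeys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    for (const part of [desc.value, desc.get, desc.set]) deepFreeze(part, seen);
  }
  return value;
}

// Attenuate a fetch-like function to read-only requests under one URL prefix.
function makeReadOnlyFetch(fetchImpl, baseUrl) {
  const base = new URL(baseUrl);
  if (!base.pathname.endsWith('/')) base.pathname += '/';
  const readOnlyFetch = (relativePath) => {
    if (typeof relativePath !== 'string') throw new TypeError('path must be a string');
    // Resolve first, so "..", "/abs" and "//host" forms are checked as the
    // URL that would actually be requested.
    const target = new URL(relativePath, base);
    if (target.origin !== base.origin || !target.pathname.startsWith(base.pathname)) {
      throw new TypeError(`denied: ${target.href}`);
    }
    // Fixed options: the guest cannot choose method, body, headers or credentials.
    return fetchImpl(target.href, { method: 'GET', credentials: 'omit', redirect: 'error' });
  };
  return deepFreeze(readOnlyFetch);
}

// Constructed stand-in for the real fetch, so the example runs offline.
function makeRecordingFetch() {
  const calls = [];
  return { calls, fetchStub: (url, init) => { calls.push({ url, init }); return { ok: true }; } };
}

function demo() {
  const { calls, fetchStub } = makeRecordingFetch();
  const guestFetch = makeReadOnlyFetch(fetchStub, 'https://api.example/v1/public');
  const results = {};
  for (const path of ['items/42', '../private/keys', '//evil.example/x', 'https://evil.example/']) {
    try { guestFetch(path); results[path] = 'allowed'; } catch { results[path] = 'denied'; }
  }
  return { results, calls, frozen: Object.isFrozen(guestFetch) };
}

console.log(demo().results);
```

The guest code is handed only `guestFetch`; the underlying fetch implementation stays inside the closure and is never reachable from the attenuated function.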
I wonder if there is any plan to add a new API to lock down entire Web APIs? I tried the following code and it works sometimes 🤔