Open weizman opened 2 weeks ago
Are you planning to, or have you talked to WebAppSec and TC39 about this feature?
Sure did, the community was rather interested in solving this issue as well as in the manner suggested:
(edit: as well as accepted to the WICG of course)
Is there any other information I can provide to assist you @jyasskin?
Sorry for dropping this. Secure the Web Forward isn't either of WebAppSec or TC39. Do you need introductions into those communities? I'm inclined to think that this is reasonable, but those communities have the deep expertise to notice risks or smoother ways to do this.
こんにちは TAG-さん!
I'm requesting a TAG review of Realms Initialization Control.
Initialization of same origin realms in an application should be under that application's control.
This proposal describes an opt-in capability to set a script to be loaded first, every time a same origin realm with synchronous access to the main execution environment of the application is created.
The location of the script can be relative or absolute. Secure connection is required. The proposed method for setting the script is a Content Security Policy directive as follows:
Content-Security-Policy: "realm-init: /scripts/on-new-same-origin-realm.js"
so that theon-new-same-origin-realm.js
script will execute before any other JavaScript code executes in the top realm execution environment, as well as any other child realm that matches its origin.Further details: