Intent to Prototype: Realms Initialization Control

356 views
Skip to first unread message

Chromestatus

unread,
Aug 28, 2024, 5:49:53 AMAug 28
to blin...@chromium.org, weizm...@gmail.com, yoav....@shopify.com

Contact emails

weizm...@gmail.com, yoav....@shopify.com

Explainer

https://github.com/WICG/Realms-Initialization-Control

Specification

https://github.com/WICG/Realms-Initialization-Control

Summary

Support a new CSP directive which points to a remote (first party) script file to be loaded before any other JavaScript code within every child realm that shares an origin with the top realm of a website (such as same origin iframes and popups). This allows websites to regain control over which capabilities such a realm exposes to untrusted entities living within the website and thus allow them to tame and control it.



Blink component

Blink

Motivation

The web is a great platform for creating composable software, but not to do so securely - the environment and the APIs available make it extremely difficult for applications to contain a program without having to trust it, especially when interacting with the DOM. Unfortunately, securing a supply chain - telling good code from bad code within the dependencies from which an application is composed - is very hard. This is evident by the prevalence of services focused on detecting threats both before they get baked into an application (at build-time) and while being executed on the fly (at runtime). One way to approach this problem at runtime is by virtualization - redefining JavaScript capabilities (commonly known as monkey patching) to behave similarly while hardening them to limit how they can be used. However, due to some characteristics of how the web is designed, there are some major blockers in fully unleashing the power of virtualization in favor of introducing runtime security. One of those blockers is the lack of control web applications have over safe introduction of same origin realms into their execution environment at runtime. The motivation behind this proposal is to remove this blocker by providing developers a way to control the initialization of same origin realms to tame access to powerful capabilities those leak.



Initial public proposal

https://github.com/WICG/Realms-Initialization-Control

TAG review

None

TAG review status

Pending

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

No

Flag name on chrome://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

True

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5080729822953472?gate=5143912415756288

This intent message was generated by Chrome Platform Status.

Gal Weizman

unread,
Aug 28, 2024, 12:41:20 PMAug 28
to blink-dev, Chromestatus, weizm...@gmail.com, yoav....@shopify.com
Correction: "Requires code in //chrome?" is False, not True (my mistake)

Requires code in //chrome? False

Kanaru Sato

unread,
Aug 29, 2024, 9:53:28 AMAug 29
to blink-dev, Gal Weizman, Chromestatus, yoav....@shopify.com
Hi there,

I'm an independent contributor interested in this feature.

I'm really eager to get involved with the implementation of it or contribute in other ways.
Could you please tell me if it's possible? I've just fixed a few bugs for Blink and I might not fully understand all the rules about "Intent to" yet.

If it's not possible at this point, could you guide me on how I could get involved in the implementation of new features like this in the future?
Any advice would be greatly appreciated :)

Kanaru Sato

unread,
Aug 29, 2024, 9:53:28 AMAug 29
to blink-dev, Gal Weizman, Chromestatus, yoav....@shopify.com
Hi there,

I'm an independent contributor interested in this feature.

I'm really eager to get involved with the implementation of the feature or contribute in other ways.
Could you please tell me if it's possible?
I've just fixed few bugs for Blink, and I might not fully understand all the rules about "Intent to" yet.

If it's not possible at this point, could you please guide me on how I could get involved in the implementation of new features like this in the future?
Any advice would be greatly appreciated :)
On Thursday, August 29, 2024 at 1:41:20 AM UTC+9 Gal Weizman wrote:

Eli Grey

unread,
Aug 29, 2024, 7:03:49 PMAug 29
to blink-dev, Kanaru Sato, Gal Weizman, Chromestatus, yoav....@shopify.com
It would be great if this API could cover all same-origin realm creation sources, including workers and worklets, if possible. That enables much more comprehensive use cases with less unexpected behavior for web content authors.
This email may be confidential or privileged. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it went to the wrong person. Thanks.

Eli Grey

unread,
Aug 30, 2024, 11:12:20 AMAug 30
to blink-dev, Chromestatus, weizm...@gmail.com, yoav....@shopify.com
(You can ignore the confidentiality notice in that last message.)
Reply all
Reply to author
Forward
0 new messages