CSP not a strong enough mechanism for RIC implementation? #10
Comments
Actually, maybe that makes sense, and maybe what I remembered was how same-origin realms that do not load remote resources (e.g.
Duplicate of #14? Frames or popups that load a network resource would have their own CSP evaluated. Also the src of these can be controlled by the
Not really though (on the practical level). One of the biggest issues we had with Snow (that applies here as well) is how there's always an SO resource that doesn't follow the general CSP of the app, especially when it's not an HTML resource. For example, x.com (which forbids And that's true for most modern web apps. AND - I want RIC to solve this issue without requiring web apps to adjust their CSP servings (not because they shouldn't, but because it would take a lot of work, thus they practically will never do so), so the question is how and whether it's possible given this behaviour?
One approach could be to avoid riding the CSP mechanism for applying the RIC script, and instead ride the internal mechanism in browsers that constructs the WindowProxy object every time it reloads (iframe DOM reposition, iframe/popup src relocation, etc.). That phase is very deterministic in telling when the WindowProxy should be reconstructed, and whether it represents an XO or an SO realm to top.
This issue remains open for now, given that it isn't addressed by #22 and requires some further investigation.
I was sure CSP trickles down very strongly to child realms, but this resource seems to show otherwise (resource)?
This requires further investigation
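The behaviour debated above (child documents that load nothing over the network inherit the creator's CSP, while any network-loaded frame or popup, same-origin or not, is governed only by the policy its own response carries, so a same-origin non-HTML resource served without the header ends up with no policy at all) can be modelled and audited. The following is an added example, not code from the RIC project or this thread; it implements the local-scheme inheritance rule from the CSP3 "Initialize a Document's CSP list" algorithm as a small resolver. The function names (`parseCsp`, `resolveChildPolicies`, `auditFrames`), the sample app policy and the list of frames are all constructed for illustration, and the model deliberately ignores sandboxing, `javascript:` navigations and `Content-Security-Policy-Report-Only`.

```javascript
// Added example: model of CSP inheritance for child realms (frames/popups).
// Per CSP3, a document at a local scheme (about:blank, about:srcdoc, blob:, data:)
// inherits the creating document's policies; a document fetched over the network
// is governed only by the policies its own response declares.
// This is a constructed model for auditing, not browser-internal code.

const LOCAL_SCHEMES = new Set(["about:", "blob:", "data:"]);

// Parse a Content-Security-Policy header value into { directiveName: [sourceExpr, ...] }.
// Directive names are case-insensitive; the first occurrence of a directive wins.
function parseCsp(headerValue) {
  const policy = {};
  for (const rawDirective of headerValue.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Scheme of a URL including the trailing colon ("about:", "https:"), or null if unparsable.
function schemeOf(url) {
  try { return new URL(url).protocol; } catch { return null; }
}

// Policies that govern a child document.
//   parentPolicies: array of parsed policies of the creating document.
//   frame: { url, responseHeaders } where responseHeaders describes the network
//          response for that URL (absent for local-scheme documents).
function resolveChildPolicies(parentPolicies, frame) {
  const scheme = schemeOf(frame.url);
  if (scheme !== null && LOCAL_SCHEMES.has(scheme)) {
    return parentPolicies; // inherited from the creator
  }
  // Network-loaded: only the response's own CSP headers apply, even when same-origin.
  const headers = frame.responseHeaders || {};
  return Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "content-security-policy")
    .map(([, value]) => parseCsp(value));
}

// True when at least one governing policy constrains scripts
// (an explicit script-src, or default-src acting as its fallback).
function restrictsScripts(policies) {
  return policies.some((p) => "script-src" in p || "default-src" in p);
}

// For every frame, report whether the app's script policy actually reaches it.
function auditFrames(parentCspHeader, frames) {
  const parentPolicies = [parseCsp(parentCspHeader)];
  return frames.map((frame) => ({
    url: frame.url,
    inherited: LOCAL_SCHEMES.has(schemeOf(frame.url)),
    scriptsRestricted: restrictsScripts(resolveChildPolicies(parentPolicies, frame)),
  }));
}

// Constructed sample: an app at https://app.example with a nonce-based script policy.
const APP_CSP = "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'";
const SAMPLE_FRAMES = [
  { url: "about:blank" },                       // same-origin, no network load
  { url: "about:srcdoc" },                      // srcdoc iframe
  { url: "https://app.example/page.html",       // SO document served with the app CSP
    responseHeaders: { "Content-Security-Policy": APP_CSP } },
  { url: "https://app.example/logo.svg",        // SO non-HTML resource, no CSP header
    responseHeaders: { "Content-Type": "image/svg+xml" } },
  { url: "https://third.example/widget",        // XO document with its own policy
    responseHeaders: { "Content-Security-Policy": "script-src 'self'" } },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditFrames(APP_CSP, SAMPLE_FRAMES));
}
```

Running the block prints one row per frame; the `logo.svg` row is the case raised above: same origin as the app, yet `scriptsRestricted` is false because the image response carries no policy and, being network-loaded, inherits none. A defender auditing whether a CSP-delivered script would be applied in every realm can feed real frame URLs and captured response headers into `auditFrames` to find such gaps.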