Realms Initialization Control

## Introduction

The proposal for **R**ealms **I**nitialization **C**ontrol (referred to as **RIC**) allows developers to securely tap into the creation moment of [same origin realms](https://github.com/weizman/Realms-Initialization-Control#Same-Origin-Realm) within their web application in order to tame and control them.

## Motivation

* JavaScript and the Web are well designed for building composed/composable software.
* However, to do so **securely**, there are still some major blockers to deal with.
* One of them being the [same origin concern](https://weizmangal.com/content/pdf/The%20same%20origin%20concern.pdf) where an app has no control over child same origin realms (`iframe`s, `tab`s, etc) within its execution environment.
* Having no control over such realms translates into not being able to virtualize runtime security in a truly safe manner ([example](https://github.com/weizman/Realms-Initialization-Control#motivation)).
* The **RIC** proposal focuses on providing developers with some way to control the initialization stage of same origin realms in order to be able to tame and control them.

## Goals

* Give web applications control over all realms that fall under their origin - regardless of the APIs used to create the new realm and edge-cases like `about:blank`.
* Make the control opt-in to avoid breaking the web.

The browser is already capable of enforcing rules on new realms before they become reachable, and it is where the [same origin concern](https://weizmangal.com/content/pdf/The%20same%20origin%20concern.pdf) should also be addressed.

## Proposal

Initialization of same origin realms in an application should be under that application's control.

This proposal describes an opt-in capability to set a script to be loaded first, everytime a same origin realm with synchronous access to the main execution environment of the application is created.

The location of the script can be relative or absolute. Secure connection is required.
The proposed method for setting the script is a Content Security Policy directive as follows:

```
Content-Security-Policy: "realm-init: /scripts/on-new-same-origin-realm.js"
```

## Resources

* This was already presented to the W3C web app sec work group: "JavaScript realms used to bypass and eliminate web apps security tools - A problem with a WIP solution" - https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

## Explainer

[Read the complete Explainer][explainer]. 

## Feedback

I welcome feedback in this thread, but encourage you to file bugs against [the Explainer][explainer].



[explainer]: https://github.com/weizman/Realms-Initialization-Control "Realms Initialization Control"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Realms Initialization Control #144

Introduction

Motivation

Goals

Proposal

Resources

Explainer

Feedback

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Realms Initialization Control #144

Description

Introduction

Motivation

Goals

Proposal

Resources

Explainer

Feedback

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions