You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: Web apps to be able to control child same origin realms
date: 2023-04-30T07:16:58.427Z
submitter: Gal weizman
number: 644e15ea04c75100768d4a99
tags: [ ]
discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/
status: [ discussing || in-progress || complete ]
related:
At MetaMask (and other places throughout my career) we develop advanced in-browser runtime security tools, that enforce protection to the website using all sorts of techniques. Unfortunately, many of those techniques can easily be bypassed by attackers by carrying out attacks through realms. For example, the monkey patching protection technique only applies to the realm you applied it to, which means it won’t apply by default to a new iframe.
We believe web apps should be able to register arbitrary code to execute first on every new same origin realm in the app, similar to how extensions can already register such code to all realms of a website. An app should be granted power over the realms in itself, it only makes sense.
For reference, we already build on top of such technology to enhance our app protection, in the form of a js shim - https://github.com/lavamoat/snow.
title: Web apps to be able to control child same origin realms
date: 2023-04-30T07:16:58.427Z
submitter: Gal weizman
number: 644e15ea04c75100768d4a99
tags: [ ]
discussion: https://github.com/WebWeWant/webwewant.fyi/discussions/
status: [ discussing || in-progress || complete ]
related:
url:
type: [ article || explainer || draft || spec || note || discussion ]
At MetaMask (and other places throughout my career) we develop advanced in-browser runtime security tools, that enforce protection to the website using all sorts of techniques. Unfortunately, many of those techniques can easily be bypassed by attackers by carrying out attacks through realms. For example, the monkey patching protection technique only applies to the realm you applied it to, which means it won’t apply by default to a new iframe.
We believe web apps should be able to register arbitrary code to execute first on every new same origin realm in the app, similar to how extensions can already register such code to all realms of a website. An app should be granted power over the realms in itself, it only makes sense.
For reference, we already build on top of such technology to enhance our app protection, in the form of a js shim - https://github.com/lavamoat/snow.
If posted, this will appear at https://webwewant.fyi/wants/644e15ea04c75100768d4a99/
The text was updated successfully, but these errors were encountered: