From YouTube: SES-mtg: Confining an iframe
Description
Recorded from the "SES Strategy" meeting on Jan 24, 2019.
Caja consisted of two main parts: Domado, for securing/virtualizing the browser APIs, and SES, for securing JavaScript. Securing the HTML4 browser API and ES3 were both horrendously difficult. Changes to JavaScript made securing it easy. Changes to the browser have only made the Domado problem worse. What could be changed about the browser to make Domado-level security easy?
B: So the browser DOM API is a hellacious API to wrap and attenuate, and with a little bit of help from the browser we could do a lot better. And the observation from Kevin Reid is that if we could, for a given iframe, intercept all of the network requests that were provoked from interacting with the DOM in that iframe. If we could do that, then that, combined with the other programming techniques that Caja did as part of Domado that were not hellacious, combined also with the trick from Jasvir, which I'll explain.
B: If we can intercept all of the network traffic, then the rest of it becomes a reasonable effort. The browser specs have been refactored since then, so that all of that network traffic goes through an internal fetch procedure. That internal fetch procedure was in turn used to enable traffic to be intercepted by service workers, but service workers were not designed to be used as an enforcement mechanism. So.
A: Yeah, so it's really like, I'm not sure about what the building blocks were to get to service workers, but definitely caching, an alternative to AppCache, or application cache, was being, you know, viewed as a priority. And so the idea for service workers was really to give you this thing that your webpage will install, and basically it creates a JavaScript thread that is separate from your page, and, you know, like really separate, like more aloof than a normal worker, and it's kind of like a shared worker.
A: The idea was that when you visit a page, it calls certain APIs on that page, on the first visit, to install this script as a service worker and then have it activated. And once activated it can claim whatever pages installed it. Only at that point do network requests that actually start with the scope URL, which can only be the parent folder, I believe, of the page, or a subfolder.
A: There is one approach that actually involves an iframe that I've been using to guard against all of that, and it starts by actually caching an iframe page. In some browsers you're able to immediately load that inside the iframe, and since it's loaded from the scope URL, it isn't active; go to that URL, it installs the service worker, which is already there, and then, you know, any requests to that scope URL are actually captured.
A: You can use hacks like creating a query for external URLs, so they actually go through the scope URL as a query on a request, but these are all things that you're hoping actually work the same across all browsers. At the end of the day, it is not really meant to intercept network traffic. An API like Chrome's requests API, I think, is more intentional in that regard. But then again it's not like a standard. It's really like an additional Chrome, you know, API. So yeah, I don't know.
B: The idea that the service worker is kind of a little web server embedded in the browser, I think, is in fact the way this stuff is thought of. I'll also mention a historic regret, which is that back in the HTML 4 days there was this very clean conceptual separation: the browser is for ephemeral user interaction and the server is for persistent semantic state, and, you know, the browser pages, the user can always just hit reload on it.
B: So HTML5 ended up completely reinventing a new approach, a new crappy approach to local state, and it was just a whole bunch of new mechanism that was in addition to all of the old mechanism. There was a proposal from Opera that I think was actually implemented in some version of Opera, where you just include a logical web server in the browser, and now the web server in the browser can persist things in the way a web server does. Bradley?
B: So in this case, this thing from Opera, you had a logical web server inside the browser. I think they short-circuited the XMLHttpRequest mechanism, so it didn't go through localhost. It just went directly from one thing to another in the browser, probably much like service workers are doing today. But in that proposal the HTML, the logical browser side of things, remained completely ephemeral, and it was just this very nice separation of user interface versus state, with, you know, keeping an arm's length separation between the two.
B: Introducing, into the browser: all of the network traffic that you can provoke by interacting with the DOM goes through a browser spec mechanism called fetch. We believe that the browser implementations have also been refactored so that it actually goes through an internal fetch operation, and then service workers leverage that to be able to have a service worker receive the network requests that were generated by a fetch mechanism that was hooked by that service worker.
A: Yeah, so, like, I think I gave an overall summary of it, but maybe there are questions regarding specific aspects. Okay.
A: Now that the service worker is associated with the scope and it's registered, in most browsers the next page load, even if it's inside an iframe on the initial page, that is actually referring to scoped URLs will actually, you know, be intercepted, because they are URLs that are scoped and there's a service worker that is active that is listening for requests from that scope.
A: That's the, you know, the only approach I thought of was to use, you know, like back in the day when you had a PHP page, and then you would just put the URL that you want, that is from outside your scope, as a search query. So effectively your service worker will be getting a query, a search query, on a URL that is really meant to load the page, but then, if you're being hacked, then we're going to be polite.
C: There is a legitimate concern behind it, that I think if you propose adding a general network intercept hook of the sort that Mark is proposing, there needs to be a story, and you want to have the story up front, for how you limit or block that intercept thing from being used in particular places, so as to have an answer to the: how do you prevent, you know, some code from just man-in-the-middling all your network traffic from that page?
B: So the way to think about the proper use of virtualization versus the improper use of it for man in the middle. Let's start with an analogy, which is the MMU mapping virtual addresses to physical addresses. It is a man-in-the-middle, yes, but of course it's central for security. We use it for virtualizing in order to achieve security, but if I could determine the mapping that the MMU is using for your memory...
B: It's so, primitively, it's system mode versus user mode, but the main thing is that it's layered. If I create you, for example, maybe I'm creating a user-level virtual machine and I'll load you into that. If I create you such that I could have run you under an interpreter or virtual machine that I had created, then it is proper for me to be able to virtualize you. Now, in the browser.
B: The idea in the browser, the browser threat model, is such that by having given that iframe to another origin, it is not vulnerable to me in several ways. However, if it's a same-origin iframe, then there is no problem with saying that I can create a same-origin iframe that I am in complete control over and able to virtualize, because I could have just rewritten all the code before loading it into the frame, or I could do a complete Domado mediation as Caja did.
A: Could I just highlight, there is a very, very similar concept that has been on one standard, though, but it has been utilized to create renderers like Electron, and all these other frameworks basically rely on it, and I believe that, you know, comes initially, you know, baked inside most browsers, like it's the webview. And that sounded like a level beyond iframe. Like a webview is this abstraction of the browser page view.
A: So they wanted something more interceptable, more customizable, and that's a webview. And in essence a webview is when you embed a Safari view in your app that you're designing with Xcode, or, you know, or if you have a Google app, I believe that your app runs inside a webview, which is, you know, a step more advanced than what an iframe is. So it's not a web-compliant spec, but it is.
A: It is basically the abstraction of the browser view of a page with a lot more control on the network hooks and other hooks, and it's really meant, it doesn't actually, you know, belong within the page. It's an object that gets, you know, rendered on top of your page or through your page somehow, and webview has all these requirements met because it's actually not designed to work with web pages.
A: It's designed to work with virtual web pages, an emulation of a web page from raw HTML and scripts, and then hooks to, you know, give the illusion of all the network behavior that you want. I don't see this landing as a web stack that anyone can use, because the second half of service workers, where you can intercept other requests beyond your origin, Sallah.
A: If there's a potential for introducing it, I believe that, you know, it will be a lot safer to say that it could be one other mode of sandboxing for iframes, where it will allow you to actually not be a passive event listener to network traffic but actually an active event listener, and it should also come with the condition that it will really be sandboxed and isolated from the loading page. I believe, you know, these will potentially be the bare minimum security.
A: Webview is in Chrome for sure, because it's used by older... It's in Safari, because I know that all iOS apps that have Safari embedded in them use the, you know, the Objective-C interface of their webview. So I like to think of it that those browsers wrote the webview and then they create the browser to utilize the webview API, to give you the experience of the browser. Yeah.
E: One point I'd like to raise, and I don't know if this is relevant or not. I have seen the announcements, particularly on Slashdot, about Google changing their extension API in such a way that makes ad blocking harder. What I'm saying is you may want to keep an eye on whatever API changes they're talking about, to see whether the capabilities that you're trying to implement are still possible. Okay.
D: Chromium does have some independent efforts on it, but largely it is upstreamed by Google whenever they've merged stuff. So Blink in particular is the thing people often don't associate with Google, but it is largely controlled by Google within Chromium.
A: There is one point to keep in mind, that a lot of the decisions that Safari makes are to avoid having to deal with security issues, like they block certain things because, potentially, on paper, they could look like security problems, even if they aren't there. Their model is not really blocking, but it's more like they don't want to deal with a problem with their security, because the PR is hard to deal with, so they just avert any kind of security problems.
A: That also makes them very receptive to things intended to actually give a better security model for browser views, because there are a lot of applications that use browser views that land in their app store. So, you know, there aren't good mechanisms to control the security of these kinds of apps that are maple, Electron and other apps. There are criteria, and if you need it, it's hard for them to actually enforce further security, so a standard way to enforce security on a webview, which would give hooks to particular origins from which SES can serve it's...
E: Mark, going back to the very beginning of this conversation, probably well before you started recording, I had raised a couple of points in the messages side-channel. I'm wondering if you can take a quick look at those again. This is literally within the first five minutes when you were talking. Okay.
B: Before anything is encrypted or after everything is decrypted. In other words, you're sort of standing at the same place that we're standing when we replace the built-in XMLHttpRequest object with an attenuating shim over it. That's the kind of thing that Caja did, so I'm really thinking in terms of the Caja precedent. We had a URL rewriter, which is sort of an MMU for URLs, where we could take any URL that the webpage was trying to do I/O to and remap it in through the controlling code.
B: So, once again, I want to make the MMU comparison. The key thing is that you had to be in an authorized, creating relationship to the compartment in order to create the remapping that was constraining the compartment's ability to address the world outside of itself. Okay.
C: It'd be based on where you need to stand to do this, where you legitimately could intervene or legitimately should be prevented from intervening. This sounds like a hook that needs to be installed as part of the compartment creation or compartment specification process. In other words, it needs to be part of the realms API. No?
B: The theme of what you're raising is right, but the specifics are not. We're being very careful that the realm API is independent of hosts, and so the realm API doesn't know anything about frames or DOMs or network traffic. It doesn't know that there is a network, all right. It's just dealing with the JavaScript language, yes. And one way to think about its relationship to the host...
B: My favorite way to think about its relationship to the host, to the idea of a host, rather, is that one of the main purposes of the realm API, that should very much shape the design of it, is that it should enable JavaScript code to act as host to other JavaScript code. And that also makes the control relationship very clear, which is: when I'm running in realm foo and I use my Realm constructor to say Realm.makeRootRealm and I make a new root...
B: ...realm bar, I should be able to act as the host for bar and add to it. You know, and I should be able to, like, I might be inside a Node host, but I create realm bar such that it thinks it's in a browser host, or vice versa. Right, so I should ideally be able to emulate any host environment by writing JavaScript code.
B: Yes, so there's clearly a relationship here. So going back again to the Caja architecture, which I think is the right place to view it: in Caja, you make, let's call it a Caja compartment, by creating both a Domado instance, for remapping and intercepting accesses to DOM nodes, as well as also providing intercepted access to all the rest of the browser...
B: ...API, and then I also use the SES mechanisms to create a realm, and then I populate the global of the compartment of the new realm with my emulated JavaScript objects, which are the virtualizations of the browser powers that I want code in the compartment to see. So the Caja compartment-creating mechanism uses the realm compartment-creating mechanism. Right.
C: That all makes sense, both analytically and intuitively, to me, but it feels like you've just reduced it to a previously unsolved problem. Except, I think actually something you said in there was interesting, which is you have been talking in terms of, you know, what hook could we get browser implementers to install for us, but it suggests that whatever that is, there should be a corresponding analog, say, you know, how would you want this to work in Node?
C: And it has to do with this notion that I can make this intervention on a child thing that I create, but I should not be able to make this intervention on myself. Exactly. And so how can that be? Definitely by the separation of the realms API from any concept of... I think that's completely, what you pointed out was like, yeah, duh, but I still feel like we haven't answered the question of where would you stand to intervene. So...
B: Caja instantiates, you know, creates a DOM subtree in, and I'll just be tremendously concrete, including for things that I want to be different in the new suggestion. In the Domado case, I create a div to be the root of the subtree that I'm giving to the component. Then I instantiate Domado, which is a library written in JavaScript. It's written in SES.
B: Domado itself is written in SES, but I give Domado access to that div itself. So Domado is trusted in the sense that I gave it the real div, and therefore it can do all the damage to me that you can do with the real div. Domado is the trusted code that I'm relying on to enforce my security policy, and what it does is it creates a set of JavaScript objects that collectively act like a new iframe, so that the div that I gave it...
B: ...it then presents to the code in the compartment as the document. Basically it creates the whole document structure that you expect at the top of the DOM tree, mapping that top to that div, and then, as further DOM nodes are created on either side of that boundary... It's a very membrane-like boundary, yeah. Actually, it predates membranes. It was all hand-coded, see.
C: In Domado, if you want to intermediate all of the accesses to the network, what you have to do is, for all of the DOM API points at which you could have network access, you have a Domado implementation of those which intermediates the network access. Exactly. And in the case of what you were talking about, though, it was the low-level fundamental network access operation that the browser implements, and that is not a reified thing at the DOM API level, and therefore, where would you...?
B: You know, you can also create an iframe, of course, with HTML, but let's just take the explicit API for creating an iframe, and let's say that we enabled an additional options parameter of, somehow, I won't try to design what the mechanism is for, you know, what the concrete parameter syntax is for this new option, but somehow we provide a new option where we parameterize the creation of the iframe with a function. This is once again just for concreteness. It's this.
B: This way of doing it does not look like a service worker, but it's the simplest concrete interception. And now what happens is this function is the network handler for the created iframe. I can only do this when I'm creating a same-origin iframe, for reasons of the security assumptions, again, that the browser is making, the security model the browsers are trying to enforce. I can only do that for a same-origin iframe, but for the same-origin iframe, when I do this, then what happens is anything that happens in the iframe...
B: So it's robust if I'm wrong about the scope of fetch: any network traffic that comes from that iframe, rather than going to the network, would call this function with a description of the network request that it's trying to make, and then the response to the function would be a description of the virtual response that you got back from the network. And because the network is asynchronous, let's say the function returns a promise whose fulfilment is eventually the description of the result of the network request, and there's...
C: Okay, so that actually answers my question to my satisfaction; it's just that... Okay, I have a second question which is completely unrelated, which is: having identified network traffic as a particularly sensitive thing that you want to virtualize or intercept or however you want to frame it...
B: If we can get more from the browser that is along the same lines, which might be possible because we already have one ask that's justified by one rationale: everything that's justified by that rationale, if it's not substantially more mechanism, maybe we can get. So I'll enumerate what's on the top of my head. There is evaluation, which is the thing that I was going to turn to Jasvir's trick for, but even with Jasvir's trick it's still messy.
D: I can answer that: everything is being pipelined through fetch. All new things are, and even retroactively some old things were moved to the fetch pipeline. Okay. Recent events do go through. WebSockets do go through it, but, like I said earlier, there are limitations about what you can intercept with a service worker.
C: One approach is to say: well, what's the minimal thing? Which is what I think, when you raised network traffic, that was, I think, your take. Having a list of several different things, with possibly more things, is more stuff that also hints at: oh, here's a general-purpose mechanism, here's a general thing as opposed to something specialized. And it's sometimes easier to get people to buy into a generalized thing than it is to get them to buy into a specialized thing, because it feels like the scope of applicability and usefulness is broader.
B: However, it's an inflexible box. So, you know, if I can just, you know, wave a magic wand, in terms of everything that I might think to ask for: there was a proposal at one point for creating an iframe that's rendered into the flow of the containing page, so that, you know, it's acting more like a span or a div or something. I think that one's unlikely. Okay, I see there's a... Sallah, I have successfully remained almost completely ignorant of CSS. So, oh.
A: HTML template element, that's secondary, but I want to share my screen to show you what I just found about the iframe getting CSP. Okay. So let me see if that still works like it should; we can share that particular window, yep. So I usually like to see what's new, right, so I found that there's this experimental CSP. So far, it was only possible to define CSP through two mechanisms, I believe: there's headers that you could send from the server that provide policy for what kind of resources, for the various destination types of resources...
A: ...can a resource come from, and even put some restrictions, as in, you know, a hash that you check the resource against. So CSP doesn't have much discussion here, like it's down at the end. But what's important to note is that Chromium does support it and MDN has the document, so by extension Firefox is potentially considering it. I know that CSP has been very favorable for Safari on, you know, other fronts, and Internet Explorer I don't think we can support; Edge is becoming Chromium. So at the end of the day, I believe CSP...
A: Sorry about that, sorry. The CSP basically will allow you to, I'm trying to point, yeah. It will allow you to, instead of defining the policies in your own page or defining the policies by the server headers, actually inline those policies as attributes for the iframe, hence restricting any access to resources that do not get forced through the service worker. That's one piece of the mix. And the second piece is HTML template elements, where basically what you would be doing is, any content being put inside the DOM of the iframe...
A: ...you put it inside a template element, which makes it inert in any regard, and you listen to mutations on that template element, and then you use, you maybe actually attach a shadow DOM to your iframe's body, and you basically slot elements that have been cleansed, i.e., src attributes and script tag bodies can basically be scrubbed, where you rewrite all URLs to force them to go through the service worker. So even if anything escapes that...
A: So at that point the request comes, you scrub it, you put it back in the iframe. For some reason, if someone, you know, with the inspector actually fetches something that is not going through the right channel, it's going to violate the CSP of the iframe and the browser will reject that request without it hitting the service worker, but it will be intercepted as an event, if I'm not mistaken. Well.
A: Right, but again, my experience so far with this kind of, you know, spec-based catch-all across all browsers is you will get things that you can't really do anything about, and sometimes they will change aspects after you've relied... after you came up with the design, that would basically render the work useless. So these are all things that are trade-offs, right. So it's going to be experimental, and I accept those, you know, risks. Okay.
B: Bradley: only the origin for which it registered it, which I think was a clarification rather than a question. Alex: one more point to raise: can there be a guarantee slash spec rule that specifically states this network interception layer is inaccessible to web pages and web extensions? Okay, I don't understand the question.
B: Sallah: important detail in the mix we have not discussed at all: CSP. So, is that the CSP discussion we just had? Yeah, yeah. Okay, great. Alex: I see a need for a filter. It's unlikely you're going to care much about PNG images versus scripts. So it depends on the purpose. What we did in Caja was we intercepted anything, but, you know, the thing that was getting the interception could decide, you know, what to do.
D: There's a caveat here that might not be known to everybody: JavaScript, in the script role in browsers, is not checked for content type. Ever. Yep. It would be very hard for us to determine if something is actually going to be used as a PNG image. Okay, then go and download it, and then take the image data and then convert it to a script, and then run it.
B: So here's something I want to add to the hook that I would guess is not part of what the service worker gets, which is some indication about the reason why it's being fetched, or, put another way, what is it being fetched as: an image, or is it being fetched as a script, which is...
A: Their innards, that they belong to a non-rendered document instance, which does not have any active content. It just has DOM nodes that are basically inactive on all, you know, network and rendering and other overheads. It's kind of like a document fragment, but it's a wrapper for a document fragment. So.
A: The document fragment of an HTML template element, I have to look into mutation-related, you know, costs, but there are mutation observation methods which are very functional on non-inert content, so the trade-off of it being inert might actually make it a little bit more difficult to use mutation events, but I'm pretty sure, you know, there will be ways to get there. Anything that you add to that child root element of the content of the HTML element will basically look like it's in the DOM.
A: So it will take a lot of work to come up with a model that doesn't, you know, feel awkward, but I'm pretty sure there will be, you know, ways to do this that are favorable to what we want and ways to do this that will not be favorable. So it's going to be, you know, some creative problem-solving. Okay.
B: So let me go over what I think I just understood from that. You would still have two layers in the same sense that Domado has two layers: you're not giving the untrusted code the DOM nodes by which the rendering happens to the user or by which user interface events are received from the user; rather you're giving them a parallel but inert tree, and the advantage of it over Domado is the nodes already have, even in their inert behavior, much of the DOM semantics.
A: We have to actually synthesize how it reflects on the non-inert fragment. It sounds like I really have to explore this a little bit further to see whether or not it will be like crazy overhead to do that. Okay. The best mechanism for mutations, like MutationObserver, is definitely the way to go, but I don't know how it functions inside the template element.
B: I see Bradley, I'm skipping ahead in the chat, I see Bradley said that the old mutation events are about 1% of page loads. For the purposes that Caja was used for, and anything that I'm planning to do, that would say we can just not worry about old mutation events. I'm happy to lose 1%. Brave is, I would be pretty sure, a different story than that 1%.
E: But keep in mind I'm very much on the fringes of Mozilla these days. The main reason I posted that link was the mention about iframe element CSP, which I frankly hadn't known about, and I had hoped, unfortunately, I had hoped that it would show up in that list of features, and I didn't see it there. Okay.
E: And this is related to the next point I raised about generated blob objects, data URLs and other local resources. I raised the point earlier about what happens if somebody brings in a PNG image versus a script and how you might want to filter, and it occurred to me: well, what happens if some nefarious actor decides, well, if we bring in this script first as a PNG image and then convert it to a script, is it gonna go through this network layer? I'm sorry, this network interceptor, forgive me, I don't know what to call it.
E: Pipeline, okay, I should have written that down a long time ago. But the point I was getting at was with regards to caching: suppose that this script that you're trying to intercept is first fetched as a PNG image, say, and then your filter says: oh, we don't really care about it. Then it's in the cache, and then it doesn't get caught, because it was cached, when it comes in again as a script. I'm just raising it as a point to look into. Okay. Ditto with generated blob objects, data URLs, local resources of that type.
E: Think of your data URL as basically a way of storing a string of source code in the URL. It's an encoding mechanism. Blob is the next generation where, instead of having the source in the URL itself, it's stored in memory in the browser somewhere, it doesn't really matter, and then you can convert that to a URL which starts "blob:", and then you have a unique identifier at the end of it.
B: So we've also talked about hooking loaders. That could also make sense to do at this level. You know, the page itself has a loading behavior, if you're creating the page. Rather than just hooking the fetch part of the loading behavior, we could do more, the more invasive kind of hooking of the loading behavior that, you know, we've been talking about in general at the JavaScript level, but do it for the page's outer loader, if you're creating the page.
D: Yes, we were testing compatibility of Node's loaders with that sort of example. Cool. We have a slightly out of date, slightly broken now, I think, but it could be updated. I'll put the link in the chat. Okay, grid is very slow. Well, if you click on how it rewrites tests, you will start to see it is rewriting your inputs in a very ugly way.