こんにちは TAG-さん!

I'm requesting a TAG review of Realms Initialization Control.

Initialization of same origin realms in an application should be under that application's control.

This proposal describes an opt-in capability to set a script to be loaded first, every time a same origin realm with synchronous access to the main execution environment of the application is created.

The location of the script can be relative or absolute. Secure connection is required. The proposed method for setting the script is a Content Security Policy directive as follows: Content-Security-Policy: "realm-init: /scripts/on-new-same-origin-realm.js" so that the on-new-same-origin-realm.js script will execute before any other JavaScript code executes in the top realm execution environment, as well as any other child realm that matches its origin.

• Explainer¹ (minimally containing user needs and example code): https://github.com/WICG/Realms-Initialization-Control
• Security and Privacy self-review²: https://github.com/WICG/Realms-Initialization-Control#self-review-questionnaire-security-and-privacy
• GitHub repo: https://github.com/WICG/Realms-Initialization-Control
• Primary contacts (and their relationship to the specification):
  • Gal Weizman (Champion)
  • Yoav Weiss (Spec Mentor)
• Organization/project driving the design: ConsenSys
• External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5080729822953472

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• The group where the incubation/design work on this is being done (or is intended to be done in the future): WICG
• Existing major pieces of multi-implementer review or discussion of this design: None atm
• Major unresolved issues with or opposition to this design: None atm
• This work is being funded by: ConsenSys