- From: Chase Phillips <notifications@github.com>
- Date: Thu, 06 Mar 2025 16:45:15 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1067@github.com>
chasephillips created an issue (w3ctag/design-reviews#1067)

Hello, TAG!

I'm requesting a TAG review of Controlled Frame.

The Controlled Frame API exposes a new `<controlledframe>` tag to [Isolated Web Apps](https://github.com/WICG/isolated-web-apps/tree/main) that can be used to embed any content, and provides more control over embedded content than other embedding methods like `<iframe>`, including the power to override opt-out mechanisms like `X-Frame-Options` and CSP. It is based on the Chrome App [WebView](https://developer.chrome.com/docs/apps/reference/webviewTag) API, and provides similar functionality as native WebView APIs such as script injection and network request interception and modification. Due to the level of control this gives a parent frame over embedded content, a different storage partition is used to avoid leaking private data from the user’s normal browsing context. Because of how powerful this API is, it is only exposed to Isolated Web Apps, never to content on normal web pages.

- Explainer: https://github.com/WICG/controlled-frame
- Specification: https://wicg.github.io/controlled-frame/
- WPT Tests: N/A
  - There are Chromium-specific [WPT-like tests](https://source.chromium.org/chromium/chromium/src/+/main:chrome/test/data/controlled_frame/) that we’ll move to Chromium’s wpt_internal directory once our infrastructure supports running WPTs within Isolated Web Apps.
- User research:
- Security and Privacy self-review: https://github.com/WICG/controlled-frame/blob/main/SecurityPrivacyQuestionnaire.md
- GitHub repo: https://github.com/WICG/controlled-frame
- Primary contacts:
  - Robbie McElrath (@robbiemc), Google, editor
  - Andrew Rayskiy (@greengrape), Google
- Organization/project driving the specification: Google
- Multi-stakeholder support:
  - Mozilla comments: N/A
  - WebKit comments: N/A
  - This API only makes sense within the context of an environment like Isolated Web Apps. The standards position for that proposal was [negative](https://github.com/mozilla/standards-positions/issues/799) from Mozilla, and [no response](https://github.com/WebKit/standards-positions/issues/184) from WebKit. Without the IWA context, we wouldn’t recommend supporting an API like this.
- Status/issue trackers for implementations: https://chromestatus.com/feature/5199572022853632

Further details:

- [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
- Previous early design review, if any: N/A
- Relevant time constraints or deadlines: None
- The group where the work on this specification is currently being done: WICG
- The group where standardization of this work is intended to be done (if different from the current group): WICG
- Major unresolved issues with or opposition to this specification: Some functionality is only covered by high-level normative text. More details for these sections are currently being written.
- This work is being funded by: Google

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1067
Received on Friday, 7 March 2025 00:45:19 UTC