web: enforce per-app _meta.ui.csp in the app bridge + surface resource-read failures #1566

Description

@cliffhall

Summary

Wire per-app CSP enforcement into the app bridge, and surface resource-read failures:

  • createAppBridgeFactory builds the app's _meta.ui.csp host-side via the sandbox-csp library and wraps the untrusted widget HTML so the policy is always the first <head> child before it reaches the sandboxed iframe.
  • A new onResourceError dep on AppBridgeFactoryDeps routes resource-read failures (malformed HTML, server error during sandbox load) to the caller instead of leaving a silent blank frame.

Why

_meta.ui.csp is currently plumbed but not enforced, and a failed resource read renders nothing with no explanation — both make the inspector useless as a conformance check for widget developers.

Reference implementation (PR #1510)

Re-implement informed by these changes at 33fac3f:

Depends on

  • Sandbox CSP builder library (lib/sandbox-csp.ts)
  • Sandbox hardening (opaque-origin/srcdoc/frame-ancestors)

Wave 2 lane — do sequentially with the other AppRenderer/AppsScreen issues (shared files).

Notes

  • Error display in AppsScreen (data-app-error etc.) is scoped to the app-status issue; this one only surfaces the error via the factory dep.
  • Coverage gate ≥90 on all four dimensions.

Part of the PR #1510 decomposition (see tracking issue).
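The wrapping and error routing described in this issue, as an added TypeScript example that is not part of the original issue and is not the inspector's code or the sandbox-csp library's API. `AppCsp`, its `connectDomains`/`resourceDomains` fields, `buildPolicy`, `wrapWidgetHtml` and the baseline directives are assumptions made for illustration.

```typescript
// Added example: names and field shapes below are assumptions, not the inspector's API.
type AppCsp = { connectDomains?: string[]; resourceDomains?: string[] };
type ResourceErrorHandler = (err: Error) => void;

// Accept only scheme://host[:port], optionally with a leading "*." wildcard.
// Whitespace, ';', ',' or quotes in a server-declared value could add directives.
const ORIGIN = /^(https?|wss?):\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;

function checkedSources(domains: string[] | undefined): string[] {
  const list = domains ?? [];
  for (const d of list) {
    if (!ORIGIN.test(d)) throw new Error("invalid CSP source: " + JSON.stringify(d));
  }
  return list;
}

// Deny by default; declared domains only widen the directive they belong to.
// The baseline directives here are constructed for this example.
function buildPolicy(csp: AppCsp = {}): string {
  const connect = checkedSources(csp.connectDomains);
  const resource = checkedSources(csp.resourceDomains);
  return [
    "default-src 'none'",
    ["script-src 'unsafe-inline'", ...resource].join(" "),
    ["style-src 'unsafe-inline'", ...resource].join(" "),
    ["img-src data:", ...resource].join(" "),
    connect.length ? ["connect-src", ...connect].join(" ") : "connect-src 'none'",
  ].join("; ");
}

// Returns the wrapped document, or null after reporting the failure to the caller.
function wrapWidgetHtml(
  html: unknown,
  csp: AppCsp | undefined,
  onResourceError: ResourceErrorHandler,
): string | null {
  try {
    if (typeof html !== "string" || html.trim() === "") {
      throw new Error("resource read returned no HTML");
    }
    const policy = buildPolicy(csp).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
    // Host-owned prefix: the policy <meta> is parsed before any widget markup.
    const meta = '<meta http-equiv="Content-Security-Policy" content="' + policy + '">';
    return "<!doctype html><html><head>" + meta + html;
  } catch (e) {
    onResourceError(e instanceof Error ? e : new Error(String(e)));
    return null;
  }
}
```

A declared domain that fails validation is reported through the error callback and nothing is rendered, so an over-broad or malformed `_meta.ui.csp` shows up as an explicit failure.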

Labels: v2 (Issues and PRs for v2)