Summary
Wire per-app CSP enforcement into the app bridge, and surface resource-read failures:
createAppBridgeFactory builds the app's _meta.ui.csp host-side via the sandbox-csp library and wraps the untrusted widget HTML so the policy is always the first <head> child before it reaches the sandboxed iframe.
- A new
onResourceError dep on AppBridgeFactoryDeps routes resource-read failures (malformed HTML, server error during sandbox load) to the caller instead of leaving a silent blank frame.
Why
_meta.ui.csp is currently plumbed but not enforced, and a failed resource read renders nothing with no explanation — both make the inspector useless as a conformance check for widget developers.
Reference implementation (PR #1510)
Re-implement informed by these changes at 33fac3f:
Depends on
- Sandbox CSP builder library (
lib/sandbox-csp.ts)
- Sandbox hardening (opaque-origin/srcdoc/frame-ancestors)
Wave 2 lane — do sequentially with the other AppRenderer/AppsScreen issues (shared files).
Notes
- Error display in AppsScreen (
data-app-error etc.) is scoped to the app-status issue; this one only surfaces the error via the factory dep.
- Coverage gate ≥90 on all four dimensions.
Part of the PR #1510 decomposition (see tracking issue).
Summary
Wire per-app CSP enforcement into the app bridge, and surface resource-read failures:
createAppBridgeFactorybuilds the app's_meta.ui.csphost-side via the sandbox-csp library and wraps the untrusted widget HTML so the policy is always the first<head>child before it reaches the sandboxed iframe.onResourceErrordep onAppBridgeFactoryDepsroutes resource-read failures (malformed HTML, server error during sandbox load) to the caller instead of leaving a silent blank frame.Why
_meta.ui.cspis currently plumbed but not enforced, and a failed resource read renders nothing with no explanation — both make the inspector useless as a conformance check for widget developers.Reference implementation (PR #1510)
Re-implement informed by these changes at
33fac3f:wrapSandboxedHtml(),onResourceErrordep (+186/−48; the download-file and display-mode hunks in this file belong to their own issues)Depends on
lib/sandbox-csp.ts)Wave 2 lane — do sequentially with the other AppRenderer/AppsScreen issues (shared files).
Notes
data-app-erroretc.) is scoped to the app-status issue; this one only surfaces the error via the factory dep.Part of the PR #1510 decomposition (see tracking issue).