mikewest / securer-contexts

Secure Contexts, but with _more_ secureness!

Injection isn't transitive #1

Closed annevk closed 2 months ago

annevk commented 4 years ago

At least as explained in the FAQ, Injection doesn't appear to have the same properties as Transport or Isolation in that it's not guaranteed to be valid for the entire top-level browsing context (modulo data URLs for Transport, but we'll fix that).

I think that's a key aspect of being a secure context (remember Netflix).

mikewest commented 4 years ago

That's a good point, and I agree with you that it's core to the general notion that we take a holistic approach that includes a document, its dependencies, and ancestors.

The first thing that occurs to me is some require-injection-mitigation assertion similar to require-corp that would enforce a minimum standard on framed documents and workers (echoes of embedded enforcement...). With that assertion in place, we'd examine the incoming response headers of a nested navigation, for example, and block it if it didn't meet whatever minimum bar we put in place (which might be an explicit opt-out).

I think that would address the concern here, but I haven't thought about it enough to decide if it's a good way of doing so. :)
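One way to sketch the header check described in the comment above, as an added example that is not part of this issue thread, the repo, or any specification: an embedder asserts a `require-injection-mitigation` opt-in (modelled on COEP's `require-corp`), and each nested navigation's response headers are evaluated against a minimum bar before the document is allowed to load. The header names, the opt-out mechanism and the bar itself (a nonce- or hash-based `script-src` with `'strict-dynamic'`, `object-src 'none'` and a restricted `base-uri`) are assumptions of this example, not something the thread settles.

```javascript
// Added example (not from the issue thread, the repo, or any spec): how an
// embedder-side "require-injection-mitigation" check for a nested navigation
// could evaluate the framed document's response headers. Header names marked
// HYPOTHETICAL and the "minimum bar" are assumptions of this example.

// Parse a Content-Security-Policy header value into a Map of
// lowercased directive name -> array of source expressions (kept as written,
// since nonce and hash values are case-sensitive).
function parseCsp(headerValue) {
  const policy = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // As in CSP, the first occurrence of a directive wins; later ones are ignored.
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Assumed minimum bar: a nonce- or hash-based script-src with 'strict-dynamic',
// object-src 'none', and base-uri restricted to 'none' or 'self'.
// Returns the list of shortfalls; an empty list means the policy passes.
function injectionMitigationGaps(policy) {
  const gaps = [];
  const lower = (values) => (values || []).map((v) => v.toLowerCase());

  // script-src falls back to default-src when absent.
  const scriptSrc = lower(policy.get('script-src') ?? policy.get('default-src'));
  if (scriptSrc.length === 0) {
    gaps.push('no script-src or default-src');
  } else {
    const nonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (!nonceOrHash) gaps.push('script-src has no nonce or hash source');
    if (!scriptSrc.includes("'strict-dynamic'")) gaps.push("script-src lacks 'strict-dynamic'");
  }

  // object-src also falls back to default-src.
  const objectSrc = lower(policy.get('object-src') ?? policy.get('default-src'));
  if (!objectSrc.includes("'none'")) gaps.push("object-src is not 'none'");

  // base-uri does NOT fall back to default-src, so it must be set explicitly.
  const baseUri = lower(policy.get('base-uri'));
  if (!baseUri.some((v) => v === "'none'" || v === "'self'")) {
    gaps.push("base-uri is not restricted to 'none' or 'self'");
  }
  return gaps;
}

// HYPOTHETICAL header names, modelled on COEP's require-corp opt-in.
const EMBEDDER_OPT_IN = 'require-injection-mitigation'; // embedder sends "?1"
const EMBEDDEE_OPT_OUT = 'injection-mitigation';        // embeddee may send "opt-out"

// Decide whether a nested navigation response may load under the embedder.
// Both arguments are plain objects keyed by lowercase header name.
function evaluateNestedNavigation(embedderHeaders, responseHeaders) {
  if (embedderHeaders[EMBEDDER_OPT_IN] !== '?1') {
    return { allow: true, reason: 'embedder does not require injection mitigation' };
  }
  // Assumption: an explicit opt-out from the framed document is treated as
  // failing the bar and the navigation is blocked.
  if (responseHeaders[EMBEDDEE_OPT_OUT] === 'opt-out') {
    return { allow: false, reason: 'framed document explicitly opted out' };
  }
  const csp = responseHeaders['content-security-policy'];
  const gaps = csp
    ? injectionMitigationGaps(parseCsp(csp))
    : ['no Content-Security-Policy header'];
  return gaps.length === 0
    ? { allow: true, reason: 'response meets the injection-mitigation bar' }
    : { allow: false, reason: gaps.join('; ') };
}

// Constructed sample headers for a quick run.
const embedder = { 'require-injection-mitigation': '?1' };
const goodFrame = {
  'content-security-policy':
    "script-src 'nonce-abc123' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'",
};
const weakFrame = {
  'content-security-policy': "script-src 'self' https://cdn.example; object-src 'none'",
};

console.log(evaluateNestedNavigation(embedder, goodFrame)); // allow: true
console.log(evaluateNestedNavigation(embedder, weakFrame)); // allow: false, lists the gaps
```

The decision is made from the response headers alone, before the nested document runs, which is the point of the comment: the embedder's assertion is enforced on the framed document's transport-level policy rather than trusting anything the frame does later.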

mikewest commented 2 months ago

Hey Anne! I'm archiving this repo, but pushed the injection discussion out to https://mikewest.github.io/injection-mitigated/ where I'm (slowly) noodling on things. My current take is that injection mitigation is intrinsically tied to a given environment, and there's less value in enforcing the transitivity we discussed here when considering the exposure of a given IDL construct.

I will note this as an issue to discuss, however (https://mikewest.github.io/injection-mitigated/#issue-174efc8d). I'd forgotten about it fairly completely. :)