Security model of message passing

[nothingismagick]

Is your feature request related to a problem? Please describe.
At this hackernews comment, a very good point was raised about the null origin.

Describe the solution you'd like
The OP wrote:

I recommend using pre-existing interfaces for launching apps like custom scheme URIs, or if really necessary writing individual handlers for the heavy lifting. I think the postMessage approach is great, too but it's vital that the caller origin is checked. The web app shouldn't need to run arbitrary commands on the computer.

Describe alternatives you've considered
Instead of allowing the webview to initiate an event, requiring the rust side to do so because we create a randomized handle for each event and can permit it to only be used once. In practice, today, we use the webview to create the event listener, however at build time we can anticipate exactly what listeners are needed - so at runtime we can prepare the proper handle

Additional context
http://archive.is/UXD8j

[nothingismagick]

I've been doing some research and had a conversation with Lucas. We think there might be some options for hardening the upstream headers with forMainFrameOnly, but ultimately we need to manufacture an attack repo to validate the current vulnerability and mitigations.

Note: we are still in alpha, which is why this discussion is happening in the open. In the future we hope to have your trust such that you will be able to responsibly disclose potential vulnerabilities through the normal channels instead of posting them on hackernews.

[nothingismagick]

Also, there is a similarly themed discussion happening here: webview/webview#413

[nothingismagick]

I was looking into webview2, and came across this interesting note:
https://github.com/webview/webview/blob/34c6479c664f54af6b3bbf71ad28bcffc0380265/script/microsoft.web.webview2.0.9.488/WebView2.idl#L58-L65

[wusyong]

each event and can permit it to only be used once

This is definitely possible and idiomatic in Rust. There is a FnOnce trait to serve this need. In fact, we actually have to mem::forget it in webview_rust, or those callbacks will just be dropped. I think what I'm not sure is how to initiate the events in only rust.

[nothingismagick]

This would mean we disable event listener registration from the webview side. It makes things a little more complex for the devs, but it will enhance the security a thousandfold.

[nothingismagick]

This article goes into more details.
https://byte.how/posts/webview-androids-most-convenient-footgun/