Skip to content

Add the most minimal approach available. #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BigBlueHat wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add the most minimal approach available. #3

BigBlueHat wants to merge 3 commits into from
+68 −0

Conversation

@BigBlueHat
Copy link
Contributor

@BigBlueHat BigBlueHat commented Jan 8, 2026

Host page uses CSP meta tag, contains a sandboxed iframe, populates it
with a shim-page with another CSP meta tag along with the credential
in a datablock and the template as the contents of <body>.

@BigBlueHat BigBlueHat requested a review from dlongley January 8, 2026 22:17
dlongley
dlongley reviewed Jan 8, 2026
View reviewed changes
Copy link
Member

@dlongley dlongley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we probably don't want to say this is the most minimal without anything that tells the parent window that the template is ready. Otherwise, LGTM.

@dlongley
Copy link
Member

dlongley commented Jan 8, 2026

Maybe this should go in as "without-ready-event.html"? Or something?

@BigBlueHat
Copy link
Contributor Author

BigBlueHat commented Jan 9, 2026

I think we probably don't want to say this is the most minimal without anything that tells the parent window that the template is ready. Otherwise, LGTM.

So we need to make the "ready" thing in the shim a MUST then?

@dlongley
Copy link
Member

dlongley commented Jan 9, 2026

So we need to make the "ready" thing in the shim a MUST then?

Yeah, I think so. Since there are two independent parties involved here (host and template author), and the host is showing content on behalf of the template author, I think the template author should be required to make a minimal effort to inform the host when their template is ready to at least help ensure both of their reputations aren't harmed by bad flashes of content / renderings, etc.

I would expect hosts to want some control over loading screens, timeouts, and whether to show error screens based on slow / bad templates. We might want to consider / make the "ready" callback resolve or reject a promise as well, to allow a template author to reject with an error if they receive a VC that doesn't work for the template (i.e., via a mistake by the host).

@BigBlueHat
Add the most minimal approach available.
53d2fca 
Host page uses CSP meta tag, contains a sandboxed iframe, populates it
with a shim-page with another CSP meta tag along with the credential
in a datablock and the template as the contents of `<body>`.
@BigBlueHat
Improve shim code CSP setup.
abe6394
@BigBlueHat
Add some labels to host page; style to shim.
2cdfb05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dlongley dlongley dlongley left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BigBlueHat @dlongley