Canon / trust

rule.trust.embedded-ui-boundary · draft

Treat every embedded agent UI as a hostile capability boundary

Sandboxing, origin isolation, least privilege, explicit action approval, accessible focus and deterministic teardown are one release contract for embedded UI.

Guidance

Render embedded tool UI on an isolated origin with the narrowest sandbox and Permissions Policy, an explicit CSP allowlist, schema-validated host messages and no ambient credentials. Grant capabilities per task and require approval before external side effects; provide a titled, keyboard-operable iframe with focus entry, focus restoration, teardown and an equivalent fallback path.

Verification contract

Automated security tests must block unlisted origins, CSP destinations, sandbox capabilities, malformed or replayed messages and unapproved side effects; keyboard and screen-reader tests must verify iframe title, entry, escape and restored focus; lifecycle tests must show zero active listeners, requests, timers, connections or retained secrets after every teardown path; the fallback must complete the core task without the iframe.

Supporting references

Implementations and verification artifacts

No linked implementation yet.