体系 / trust

rule.trust.embedded-ui-boundary · draft

Treat every embedded agent UI as a hostile capability boundary

Sandboxing, origin isolation, least privilege, explicit action approval, accessible focus and deterministic teardown are one release contract for embedded UI.

実践ガイダンス

Render embedded tool UI on an isolated origin with the narrowest sandbox and Permissions Policy, an explicit CSP allowlist, schema-validated host messages and no ambient credentials. Grant capabilities per task and require approval before external side effects; provide a titled, keyboard-operable iframe with focus entry, focus restoration, teardown and an equivalent fallback path.

検証契約

Automated security tests must block unlisted origins, CSP destinations, sandbox capabilities, malformed or replayed messages and unapproved side effects; keyboard and screen-reader tests must verify iframe title, entry, escape and restored focus; lifecycle tests must show zero active listeners, requests, timers, connections or retained secrets after every teardown path; the fallback must complete the core task without the iframe.

根拠リファレンス

実装・検証成果物

リンクされた実装はまだありません。