Problem
Custom HTTPS WAM URLs are dynamically imported into the app context, and plugin GUIs are appended directly into the DOM. Protocol validation blocks obvious javascript:/data: URLs, but there is no allowlist, integrity check, permission boundary, or iframe/sandbox isolation.
Root Cause
WAM support prioritized functionality first and did not complete a browser security boundary for remote plugin code and GUI surfaces.
Solution
- Define allowed WAM source policy for built-in, trusted remote, and custom URLs.
- Add allowlist and optional integrity/hash metadata for remote modules.
- Sandbox plugin GUI rendering where feasible.
- Add warning/confirmation UX for untrusted custom plugin URLs.
- Document the trust model.
Verification
- Add tests for blocked protocols, untrusted origins, and allowlisted URLs.
- Add E2E/manual QA for custom URL warning and GUI isolation.
- Review CSP and Tauri/webview implications.
Files to Touch
src/services/wam/WAMHost.tssrc/components/plugins/WAMPluginBrowser.tsxsrc/components/plugins/WAMPluginPanel.tsxsrc/types/wam.tsdocs/security/*
Problem
Custom HTTPS WAM URLs are dynamically imported into the app context, and plugin GUIs are appended directly into the DOM. Protocol validation blocks obvious
javascript:/data:URLs, but there is no allowlist, integrity check, permission boundary, or iframe/sandbox isolation.Root Cause
WAM support prioritized functionality first and did not complete a browser security boundary for remote plugin code and GUI surfaces.
Solution
Verification
Files to Touch
src/services/wam/WAMHost.tssrc/components/plugins/WAMPluginBrowser.tsxsrc/components/plugins/WAMPluginPanel.tsxsrc/types/wam.tsdocs/security/*