Lantern should not add a MessageChannel-based app bridge right now, because the current dedicated runtime-origin model already provides a clean boundary for reviewed apps. This issue should remain a design note for a future architecture where Lantern hosts the app inside a parent-controlled iframe shell, similar to Datasette Apps. If that model is introduced later, the bridge should use explicit message passing between the parent host and sandboxed child iframe, with origin checks, typed request/response envelopes, capability enforcement on the host side, and no ambient credentials inside the app frame. Until that architectural shift happens, window.GatewayApp plus runtime-origin isolation remains the simpler path.
Lantern should not add a MessageChannel-based app bridge right now, because the current dedicated runtime-origin model already provides a clean boundary for reviewed apps. This issue should remain a design note for a future architecture where Lantern hosts the app inside a parent-controlled iframe shell, similar to Datasette Apps. If that model is introduced later, the bridge should use explicit message passing between the parent host and sandboxed child iframe, with origin checks, typed request/response envelopes, capability enforcement on the host side, and no ambient credentials inside the app frame. Until that architectural shift happens,
window.GatewayAppplus runtime-origin isolation remains the simpler path.