I’m focusing on origin iFrame isolation combined with OPFS (Origin Private File System), which is now a baseline capability in modern browsers: https://developer.mozilla.org/en-US/docs/Web/API/File_System_API/Origin_private_file_system. OPFS is gated behind Secure Contexts https://www.w3.org/TR/secure-contexts/, ensuring that these APIs are only available in environments served over HTTPS or equivalent.
Unlike IndexedDB, OPFS avoids metadata leakage. With IndexedDB, even if the stored data itself is protected, attackers can sometimes infer information from exposed metadata such as database names, schema details, or object store structures. This can reveal sensitive application logic or usage patterns. OPFS, by contrast, provides a simpler, file-like interface that doesn’t expose this kind of structural metadata, reducing the attack surface.
OPFS is also faster because it operates a layer closer to the file system, making it more efficient for handling large binary data and streaming workloads. This performance advantage is particularly useful for applications that need to persist signed content. For example, SQLite can be used on top of OPFS to capture signed posts in a vault for backup. Since these posts are addressable by their SHA‑256 hash, they can be stored and retrieved deterministically, ensuring both integrity and verifiability. Here is some research on how notion use SQLite and WASM to speed up their project. https://www.notion.com/blog/how-we-sped-up-notion-in-the-browser-with-wasm-sqlite
Here is also some documentation from Google for origin policy related info https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system
Coming from the SolidProject.org ecosystem, I began this research before discovering Nostr: https://mfosterio.github.io/ldux-local/ . It was intended for research only. I shifted gears when I discovered Nostr and have been focusing on wrapping my head around NFC, ISO 7812, NDEF, NTAG424 DNA, OpenPGP, GnuPG KeyGrips, and related technologies. WebWorkers and iFrame isolation provide secure, origin-bound contexts that enforce browser-level security boundaries, aligning with the Secure Contexts standard, but when you add OPFS, it’s like putting that model on steroids.
I look forward to watching your project. Great design kick off and this is heading in the right direction.
mfoster.io / mfostr
npub1ma…6p9v4
2025-12-17 18:43:38 UTC
in reply to naddr1qq…xqg4
Author Public Key
npub1maee5ny3mc52km3sl405e2d08aupvml9fqe2dwq60qktlsyfpshse6p9v4Published at
2025-12-17 18:43:38 UTCEvent JSON
{
"id": "7581252b5b983e57afe68377a696e23896d889980cdd469191e0cb6e69fc0d1c",
"pubkey": "df739a4c91de28ab6e30fd5f4ca9af3f78166fe54832a6b81a782cbfc0890c2f",
"created_at": 1765997018,
"kind": 1,
"tags": [
[
"a",
"30023:b7b1382ea9bd7b2420eed4db8d8333aa664c7bb7bee2208554a31a6074635e6c:nostrpass-decentralized-identity",
"",
"root"
],
[
"p",
"b7b1382ea9bd7b2420eed4db8d8333aa664c7bb7bee2208554a31a6074635e6c",
"",
"mention"
]
],
"content": "I’m focusing on origin iFrame isolation combined with OPFS (Origin Private File System), which is now a baseline capability in modern browsers: https://developer.mozilla.org/en-US/docs/Web/API/File_System_API/Origin_private_file_system. OPFS is gated behind Secure Contexts https://www.w3.org/TR/secure-contexts/, ensuring that these APIs are only available in environments served over HTTPS or equivalent.\n\nUnlike IndexedDB, OPFS avoids metadata leakage. With IndexedDB, even if the stored data itself is protected, attackers can sometimes infer information from exposed metadata such as database names, schema details, or object store structures. This can reveal sensitive application logic or usage patterns. OPFS, by contrast, provides a simpler, file-like interface that doesn’t expose this kind of structural metadata, reducing the attack surface.\n\nOPFS is also faster because it operates a layer closer to the file system, making it more efficient for handling large binary data and streaming workloads. This performance advantage is particularly useful for applications that need to persist signed content. For example, SQLite can be used on top of OPFS to capture signed posts in a vault for backup. Since these posts are addressable by their SHA‑256 hash, they can be stored and retrieved deterministically, ensuring both integrity and verifiability. Here is some research on how notion use SQLite and WASM to speed up their project. https://www.notion.com/blog/how-we-sped-up-notion-in-the-browser-with-wasm-sqlite\n\nHere is also some documentation from Google for origin policy related info https://developer.chrome.com/blog/sqlite-wasm-in-the-browser-backed-by-the-origin-private-file-system\n\nComing from the SolidProject.org ecosystem, I began this research before discovering Nostr: https://mfosterio.github.io/ldux-local/ . It was intended for research only. I shifted gears when I discovered Nostr and have been focusing on wrapping my head around NFC, ISO 7812, NDEF, NTAG424 DNA, OpenPGP, GnuPG KeyGrips, and related technologies. WebWorkers and iFrame isolation provide secure, origin-bound contexts that enforce browser-level security boundaries, aligning with the Secure Contexts standard, but when you add OPFS, it’s like putting that model on steroids.\n\nI look forward to watching your project. Great design kick off and this is heading in the right direction.",
"sig": "d9a97a1cc9b3a803a0c7adf00d9ea949e7b25f64805c875a48dce4759a16da445f2283df1ff9ea9dafa5e53b29eb88dbbc1ff405f6c8ad252ac4bd474227338a"
}