Host-supplied fetch implementation. Receives the URL, a partial init
(method, headers, signal), and must return a Response-compatible promise.
The host's fetch is the ONLY place to implement redirect limits, MIME
sniffing, SVG rasterization, private-IP / SSRF blocking, etc.
This service does NOT filter: it proxies transparently.
The URL from the resource.bytes request
Method, headers (from napplet), and an AbortSignal
Returns the list of allowed fetch origins for the given napplet identity.
Called on every resource.bytes request — must be synchronous and fast.
Host-supplied grant source (e.g. a static per-dTag allowlist map, or any other host-controlled policy). Returns an empty array to deny all origins.
H-03 prevention: REQUIRED from day one — factory throws on construction if omitted.
The napplet's d-tag (from session registry)
The napplet's aggregate hash (from session registry)
Returns true if origin is present in grants (the list returned by
getConnectGrants for the napplet's dTag + aggregateHash).
The reference implementation is simply grants.includes(origin). Host apps
may provide normalized-origin comparison if needed.
Parsed origin of the requested URL (scheme + host + port)
Readonly list from getConnectGrants for this napplet identity
Resolve a windowId to the napplet's identity (dTag + aggregateHash). Returns null if the window is not in the session registry.
Typically wraps sessionRegistry.getEntryByWindowId(windowId).
The iframe window identifier
Options for
createResourceService(options-as-bridge per v1.6 Decision 18).ALL FOUR fields are required. The factory throws at construction if any is missing — H-03 prevention: the grants source (
getConnectGrants) MUST be wired from day one so there is no window where resource requests bypass the grant check.See
PITFALLS.md:228 (H-03) — grants-source coupling must be present at construction