Concepts
Security model
Why JDesk enforces its trust boundary in Java.
The single trust boundary is the Java-side check on every invoke — the frontend is never trusted to enforce anything.
- Deny by default — every command is classified at compile time; the capability engine evaluates before your code runs.
- Origin & navigation locking — production navigation is restricted to the app origin; popups are denied.
- Strict CSP — inline scripts and
evalare blocked. - Asset path-traversal defenses — paths are rejected, not repaired.
- Error redaction — handler exceptions become
INTERNAL_ERROR; detail stays in Java logs.