Admission
checking certificate…
Enforced policy (browser-enforced)
—
Client-side verification (SubtleCrypto)
the server's admission is one opinion; this is your browser's independent verdict.
App admissions (at scale)
running the discriminator on three apps…
Developer submission view
simulating a developer's submission flow…
Pre-ship catch (battery)
running the adversarial battery…
Transparency log (auditable)
loading log state…
Runtime status
RENDERING
no revocation
multiple visitors share state on the public demo; reset before/after your walk
What just happened
Core proof
1 · certificate verified cheaply (Tier B)
2 · app rendered under the certified CSP
3 · undeclared egress blocked by the browser
4 · admission revoked, logged, host stopped
Strengthening evidence
declared external origin allowed (no violation)
The app runs in a nested frame whose CSP is exactly what the certificate carried. The host added only its own control directives; it cannot grant the app more than the certificate did.