I want web apps to be able to control child same-origin realms
Submitted by Gal Weizman
Permalink https://webwewant.fyi/wants/4de84205-0784-45fd-9868-266b37c8ce91/
This idea is currently being discussed.
I want web apps to be able to register code that executes first in every new same-origin realm created within the app — such as iframes, popups, or workers — so that security and integrity protections applied to the top-level realm also apply automatically to all child realms.
Browser-based security tools rely on techniques like monkey patching — replacing or wrapping built-in APIs — to enforce runtime protections. The problem is that these patches apply only to the realm in which they are executed. When an attacker (or untrusted third-party code) creates a new same-origin iframe, a brand-new, unpatched realm is available, and any protections applied to the top-level window do not carry over. This makes it straightforward to bypass protections entirely by routing execution through a freshly created child realm.
Browser extensions already have access to a content_scripts.run_at mechanism that lets extension code run before page code in every frame. Web apps should have an analogous capability scoped to their own origin — the ability to declare initialization code that the browser guarantees will execute before any other script in every new same-origin realm the app creates.
This would enable developers of security-sensitive applications — such as crypto wallets, no-code platforms, and sandboxed editors — to:
- Enforce consistent API policies across all realms without relying on fragile userland shims.
- Prevent realm-hopping attacks where malicious code obtains clean, unpatched references to built-ins by constructing new realms.
- Reduce complexity by eliminating the need to manually re-apply protections inside every dynamically created iframe.
A JavaScript shim called Snow already demonstrates this pattern in userland. A first-class browser API would make this reliable and performant without requiring fragile MutationObserver tricks.