> If apps are served from and signed by the marketplace, then any origin is
> okay (after review.)

I know that we rely on code review for a lot of security assurance questions, but it seems to me that allowing /any origin/ opens us up to attacks needlessly. Could we allow any out of a whitelist of origins specified in the manifest, instead?

On Thu, Apr 25, 2013 at 8:34 PM, Ben Adida <[email protected]> wrote:

> Hi folks,
>
> I want to raise what I believe is a relatively urgent issue with packaged
> apps and web origins:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=852720
>
> Currently, packaged apps run in an origin that is newly minted for each
> device installation, effectively a GUID that differs from device to device.
> This works up until the point where the rest of the Web expects a stable
> origin across devices, e.g. OAuth and OpenID flows, and Persona. Since
> origins are so critical to the Web, I expect to see many more failures over
> time.
>
> Can we fix this?
>
> Potch has a great proposal: let apps declare a marketplace in their
> manifest. If apps are served from and signed by the marketplace, then any
> origin is okay (after review.) If apps are self-hosted, then the only origin
> allowed is that of the hosting site.
>
> I suggested a tweak to this: if a packaged app is served from
> https://example.com, then it can set an origin of app://example.com, so that
> it is stable but also different from the actual hosted origin.
>
> Can we converge on a solution here ASAP? This is now holding up making
> Marketplace a packaged app, and I suspect it will bite us again soon.
>
> -Ben
> _______________________________________________
> dev-platform mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-platform
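The two origin rules from Ben's message (a marketplace-signed, reviewed package may declare any `app://` origin; a self-hosted package only gets `app://<hosting host>`) written out as an install-time check. This is an added illustration, not code from Gecko, the Marketplace or this thread; the `origin` and `marketplace` manifest keys, the `signed_by_marketplace` flag and the sample manifests are assumptions constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample manifests (hypothetical keys, not from the thread).
MARKETPLACE_APP = json.dumps({"name": "Shop", "origin": "app://shop-reviewed",
                              "marketplace": "https://marketplace.example"})
SELF_HOSTED_APP = json.dumps({"name": "Notes", "origin": "app://example.com"})
SELF_HOSTED_BAD = json.dumps({"name": "Notes", "origin": "app://bank.example"})


def derive_self_hosted_origin(install_url):
    """Ben's tweak: map the https hosting origin to a stable app:// origin.

    Only https hosts qualify, and the scheme change keeps the app origin
    distinct from the hosted web origin. Returns None if no origin can be derived.
    """
    parts = urlsplit(install_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if parts.port and parts.port != 443:
        host = f"{host}:{parts.port}"
    return f"app://{host}"


def allowed_origin(manifest_json, install_url, signed_by_marketplace):
    """Return the origin the app may run under, or None to refuse the install.

    Rule 1 (Potch): a marketplace-signed, reviewed package may declare any
    app:// origin. Rule 2 (Ben): a self-hosted package only gets the origin
    derived from its hosting site. A manifest without an origin returns None
    so the caller can fall back to today's per-install GUID origin.
    """
    manifest = json.loads(manifest_json)
    requested = manifest.get("origin")
    if not isinstance(requested, str):
        return None
    requested = requested.lower().rstrip("/")
    parts = urlsplit(requested)
    # Only a bare app://host origin is acceptable: no path, query or userinfo.
    if parts.scheme != "app" or not parts.netloc or parts.path or parts.query \
            or "@" in parts.netloc:
        return None
    if signed_by_marketplace and manifest.get("marketplace"):
        return requested
    expected = derive_self_hosted_origin(install_url)
    return requested if expected is not None and requested == expected else None
```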

