On 4/25/13 5:45 PM, Justin Lebar wrote:
If apps are served from and signed by the marketplace, then any origin is okay
(after
review.)
I know that we rely on code review for a lot of security assurance
questions, but it seems to me that allowing /any origin/ opens us up
to attacks needlessly.
Could we allow any out of a whitelist of origins specified in the
manifest, instead?
Sorry for not being clear, that's exactly what I meant: the manifest
would give one origin, marketplace reviewers would approve it, and the
app would then gain that one origin. No need for more than 1.
-Ben
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
