On 25/04/13 17:34, Ben Adida wrote:
> Potch has a great proposal: let apps declare a marketplace in their
> manifest. If apps are served from and signed by the marketplace, then
> any origin is okay (after review.) If apps are self-hosted, then the
> only origin allowed is that of the hosting site.
On Fri, 26 Apr 2013 09:31:30 -0700, Ben Adida wrote:
>> 3. I recall talking with Fabrice that this was a non-trivial amount of
>> work for fixing this,
>
> I'm having trouble seeing how that is. We can stage the feature in a
> couple of ways, first by letting marketplace packaged apps claim an
>
On 4/25/13 10:34 PM, jsmith.mozi...@gmail.com wrote:
1. It's way too late for this work for v1.01 (i.e. v1.01 OOS)
I want to emphasize that the current architecture is not just
inconvenient, it breaks a ton of things, including all login solutions
for packaged apps. This is a major problem
On Fri, Apr 26, 2013 at 2:33 PM, Ben Adida wrote:
> On 4/26/13 3:02 AM, Anne van Kesteren wrote:
>> What is origin used for? Can Persona not use object-capabilities instead?
>
> Do you mean that we should completely revamp the Persona protocol, including
> assertions to an origin and the way we pr
On 4/26/13 3:02 AM, Anne van Kesteren wrote:
What is origin used for? Can Persona not use object-capabilities instead?
Do you mean that we should completely revamp the Persona protocol,
including assertions to an origin and the way we present the login UI to
users, because packaged apps don'
On Fri, Apr 26, 2013 at 1:34 AM, Ben Adida wrote:
> Currently, packaged apps run in an origin that is newly minted for each
> device installation, effectively a GUID that differs from device to device.
> This works up until the point where the rest of the Web expects a stable
> origin across devic
>
> Can we converge on a solution here ASAP? This is now holding up making
> Marketplace a packaged app, and I suspect it will bite us again soon.
>
> -Ben
I think everyone on that thread wants to come up with a solution to fix this.
However, I think there's just outstanding debate ma
On 4/25/13 5:45 PM, Justin Lebar wrote:
If apps are served from and signed by the marketplace, then any origin is okay
(after review.)
I know that we rely on code review for a lot of security assurance
questions, but it seems to me that allowing /any origin/ opens us up
to attacks needlessly.
> If apps are served from and signed by the marketplace, then any origin is
> okay (after review.)
I know that we rely on code review for a lot of security assurance
questions, but it seems to me that allowing /any origin/ opens us up
to attacks needlessly.
Could we allow any out of a whitelis
Hi folks,
I want to raise what I believe is a relatively urgent issue with
packaged apps and web origins:
https://bugzilla.mozilla.org/show_bug.cgi?id=852720
Currently, packaged apps run in an origin that is newly minted for each
device installation, effectively a GUID that differs from d