On Tuesday, February 17, 2015 at 4:13:43 PM UTC+1, Anders Rundgren wrote: > On Tuesday, February 17, 2015 at 2:17:18 PM UTC+1, Benjamin Francis wrote: > > On 17 February 2015 at 05:32, Anders Rundgren <[email protected]> > > wrote: > > <iframe trustedapp="com.example.PaymentRequest" ... ></iframe> > > > > > > > > <iframe mozapp="app://myapp.com" ...></iframe> > > > > > > > > > > This code should appear to the browser as coming from a virtual domain. > > Interesting! If the docs are correct this is currently only available for > Firefox OS. > > > > > > > > > app://myapp.com > > > > > > Unfortunately it turns out that it isn't safe to embed trusted code inside > > untrusted code in this way because it provides a vector for clickjacking > > attacks. > > That's indeed a drawback although the primary motivation behind my take on > trusted web application is protecting the platform against malicious server > code. > > Protecting users against malicious servers seems like a more generic issue. > > I guess it is technically very difficult forbidding alien windows covering > the trusted iframe? > > Anders
A more complete description: http://webpki.org/papers/trusted-web-apps.pdf _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
