On Tue, May 12, 2015 at 9:14 PM, Tim Guan-tin Chien <[email protected]> wrote:
> On Wed, May 13, 2015 at 7:49 AM, Jonas Sicking <[email protected]> wrote:
>> On Tue, May 12, 2015 at 4:47 PM, Fabrice Desré <[email protected]> wrote:
>>> On 05/12/2015 04:30 PM, Tim Guan-tin Chien wrote:
>>>> Agree with the proposition too but I don't see the link between this
>>>> goal and the New Security Model. If trusted contents are still
>>>> delivered in packages, which is distinctively different from the rest
>>>> of the web?
>>>
>>> Look at packages like a transport layer. The important part is to have
>>> real public uris for these pages. There are "details" around the
>>> navigation from unprivileged to privileged content (and vice versa) that
>>> are yet to really be figured out.
>>
>> Exactly. Packages are not that different from http/2. In both
>> scenarios the client effectively downloads multiple HTTP URLs using a
>> single network request. It's just that packages force those URLs to
>> live in the same directory, and enable us to attach some metadata to
>> that directory.
>>
>> / Jonas
>
> Right, the word "package" is not my topmost concern.
>
> My concern has always been around how signing is coupled with offline
> capabilities.
I agree that that's not good. I also agree that we're currently coupling
signing and packages more than necessary. Our only packaging flow
involves installs and people generally assume that installs means
marketplace. To make matters worse our marketplace signs all packages,
packages that are for non-privileged content which doesn't need signing.

Though technically it's already quite possible for someone to create
offlineable content by self hosting an unsigned package, and then
calling mozApps.install() themselves. So we're not actually coupling
offline and signing right now. But I don't believe anyone is taking
advantage of that, which isn't surprising.

> I would like to see a security model where we only add a signature
> layer on top of the current web. I do think packages can be as useful
> as HTTP/2 or can be extended to affect http caching, but such feature
> offerings to the Web should be decoupled from the security model, if
> possible.

We will absolutely do that. The way we're going to implement signed
content is by *first* implementing a packaging model that is 100%
independent of signing. That work is already well under way and will
land soon. This package model will not rely on any installations and I
believe it will fit very well with how the web works today. In fact, I
think it will work substantially better with the web as it exists today
than the current W3C proposal for packages. My hope is to standardize
this piece and make it available to the web at large.

The second step will be to add signing support to that package
implementation.

All that said, I don't think there's such a thing as "only add signature
layer on top of the current web". Any time that you require signing of
web content you are asking the web developer to dramatically change how
they do development. They can no longer dynamically generate HTML on the
server and they can no longer simply deploy a new version by uploading
it to their website.
But I definitely agree that we should give developers the same offline
capabilities as signed content has, even if they do not want to sign
their content. That is the plan.

/ Jonas

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
