Hi Paul,

This sounds great to me. Do you have a view on how the signing should work and how the scope to which a permission is granted should be defined?
When can we start creating these new signed apps? :)

Ben

On 1 June 2015 at 11:03, Paul Theriault <[email protected]> wrote:
> All,
>
> I’ve published a draft of the v3 model on the wiki now.
>
> https://wiki.mozilla.org/Security/B2G/PermissionReview/New_permission_model
>
> There are still a lot of open questions, and this will evolve as we experiment with the new gaia architecture, pinning etc but this is my current approach. Overall what I’m aiming for here is flexibility - given the amount of change we are proposing, I want the permission model to be configurable rather than hardcoded so it’s easier to customise. This might even be something we want to expose as a customisation option. (more advanced users might want more control over permissions, instead of cautious defaults)
>
> Still very keen for input - please speak up! :)
>
> Thanks,
> Paul
>
> On 7 May 2015, at 2:36 pm, Paul Theriault <[email protected]> wrote:
>
> As we are getting closer to finalising the v3 permission model, I wanted to share my current thoughts on a revised permission model for Firefox OS.
>
> My main goals in this effort are mainly:
>
> * simplify the permission model for users and developers
> * move the FxOS permission model more in line with desktop & mobile (i.e. for regular web content)
> * Provide a permission model that supports the new security model [1]
>
> I wanted to outline my current thinking below, and gather feedback. The key change I’m proposing is to more clearly distinguish between permissions available to web content and those which are limited to privileged/signed content (or whatever we call it in the new model). For the web ones, let’s remove the differences between FxOS & Firefox Desktop/Mobile. For the privileged permissions, they will largely be the same as currently, though we do need to figure out how to safely implement “linkable” privileged apps.
>
> == Web Content/Webapps - “Web Permissions” ==
> * We should harmonise the permission granting behaviour on Firefox OS with desktop and mobile.
> * Example permissions: microphone, geolocation, camera, alarms, push, storage, notifications (i.e. all the things you can already request from web pages)
> * Remove the requirement for apps to declare these permissions; we don’t use it for anything meaningful and it means less in a linkable app world
> * Most permissions granted by prompt, except for those granted implicitly by install/pinning (e.g. alarms, storage)
> * Make the prompting UX closer to desktop & mobile (no more modal prompts that force users into bad decisions)
> * Implement an “about:permissions” equivalent for managing permissions that works for websites, not just apps:
> ** we need a permission management interface that doesn’t depend on app permission declarations
> ** we need to support managing permissions for websites as well as apps
>
> == Signed & Pre-installed content - “Privileged Permissions” ==
> * permissions will still be declared, and the content reviewed by marketplace & signed
> * there’s no install step though, so the apps just load, except no longer just granting implicit permissions
> * restrict the apps’ entry points by default (i.e. you can only link to predeclared entry points) - perhaps something like the W3C Entry Points Restriction spec [2]
> * for explicit permissions (prompted ones), they are granted as normal; however I think we need to improve the prompting UX to differentiate these more powerful APIs from regular web permissions. I’m imagining specific visual metaphors for “data” permissions (contacts, photos, videos, music), and maybe something more like a “per-app” toggle for device permissions like fmradio, nfc & bluetooth. (i.e. you “turn on” bluetooth on a per-app basis, in addition to system-wide). I’m interested to see what people can come up with here.
> * for implicit permissions (hidden permissions, previously granted upon install): we can’t just grant these upon load (it’s too dangerous, at least for most apps), so we will need some other mechanism. I imagine this will be a combination of approaches:
> ** follow a similar mechanism to what we do for alarms & notifications (that is, grant permissions only after pinning the app)
> ** having an extended verification review program for apps which request certain more-sensitive permissions (especially those which were previously certified permissions)
> * we will also need a strong blocking/revocation mechanism to revoke apps signed by marketplace that are subsequently found to be vulnerable/malicious
>
> I’m writing up a more detailed proposal at the moment, but I wanted to circulate a summary first just to garner initial feedback.
>
> Thanks,
> Paul
>
> [1] https://wiki.mozilla.org/FirefoxOS/New_security_model
> [2] https://w3c.github.io/webappsec/specs/epr/
>
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
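Added illustration, not code from Paul's draft, Gecko or Gaia: a small data-driven evaluator for the permission classes and grant rules sketched in the quoted proposal (web vs privileged permissions, prompt vs pin-granted vs extended-review, manifest declarations only for privileged permissions, and a revocation list for marketplace-signed apps). The table is plain data so it can be customised rather than hardcoded, as the June draft asks for. Every identifier here (`DEFAULT_POLICY`, `customisePolicy`, `decide`, the `ctx` fields, the grant-mode names and the permission names chosen for the table) is an assumption made for illustration; the sample requests are constructed.

```javascript
// Added example (not Gecko/Gaia code): a data-driven evaluator for the
// permission classes and grant rules sketched in the thread. Every name
// below is an assumption made for illustration.

// Grant modes (assumed):
//   "prompt" - ask the user, with distinct web vs privileged prompt UX
//   "pin"    - implicit once the user has pinned the app
//   "review" - implicit only after pinning AND marketplace extended review
const GRANT_MODES = ["prompt", "pin", "review"];

// Default policy table. Web permissions need no manifest declaration and
// are open to any origin; privileged ones require signed or pre-installed
// content that declared them in its manifest.
const DEFAULT_POLICY = Object.freeze({
  geolocation:   { cls: "web", grant: "prompt" },
  camera:        { cls: "web", grant: "prompt" },
  microphone:    { cls: "web", grant: "prompt" },
  notifications: { cls: "web", grant: "prompt" },
  alarms:        { cls: "web", grant: "pin" },
  storage:       { cls: "web", grant: "pin" },
  contacts:      { cls: "privileged", grant: "prompt" },
  bluetooth:     { cls: "privileged", grant: "prompt" },
  "device-storage:pictures": { cls: "privileged", grant: "pin" },
  "tcp-socket":  { cls: "privileged", grant: "review" },
});

// Derive a customised policy (vendor build or advanced-user setting) from a
// base table without mutating it. Only known permissions and grant modes are
// accepted, and an override may change the grant mode but never the class,
// so a privileged permission cannot be opened up to plain web content.
function customisePolicy(base, overrides) {
  const out = { ...base };
  for (const [perm, grant] of Object.entries(overrides)) {
    if (!(perm in base)) throw new Error(`unknown permission: ${perm}`);
    if (!GRANT_MODES.includes(grant)) throw new Error(`bad grant mode: ${grant}`);
    out[perm] = { cls: base[perm].cls, grant };
  }
  return Object.freeze(out);
}

// ctx describes the requesting content (all fields assumed):
//   origin          the app/site origin
//   kind            "web" | "signed" | "preinstalled"
//   signatureValid  result of signature verification done by the loader
//   declared        permissions listed in the (signed) manifest
//   pinned          whether the user has pinned the app
//   extendedReview  whether marketplace extended review covered this app
// revoked is a Set of origins whose marketplace signature was revoked.
// Returns { action: "grant" | "prompt" | "deny", reason }.
function decide(policy, revoked, perm, ctx) {
  const entry = policy[perm];
  if (!entry) return { action: "deny", reason: "unknown permission" };

  // Revocation is checked first so it also covers pre-installed content.
  if (revoked.has(ctx.origin)) return { action: "deny", reason: "origin revoked" };

  if (entry.cls === "privileged") {
    const trusted = (ctx.kind === "signed" || ctx.kind === "preinstalled")
      && ctx.signatureValid === true;
    if (!trusted) return { action: "deny", reason: "privileged permission needs signed content" };
    if (!(ctx.declared || []).includes(perm)) return { action: "deny", reason: "not declared in manifest" };
  }

  switch (entry.grant) {
    case "prompt":
      return { action: "prompt", reason: entry.cls === "privileged" ? "privileged prompt UX" : "web prompt UX" };
    case "pin":
      if (ctx.pinned) return { action: "grant", reason: "implicit after pinning" };
      // A hidden privileged permission is never prompted for; unpinned web
      // content simply falls back to a prompt.
      return entry.cls === "web"
        ? { action: "prompt", reason: "not pinned, falling back to prompt" }
        : { action: "deny", reason: "hidden permission requires pinning" };
    case "review":
      return ctx.pinned && ctx.extendedReview === true
        ? { action: "grant", reason: "pinned and extended review passed" }
        : { action: "deny", reason: "requires pinning and extended review" };
    default:
      return { action: "deny", reason: "unknown grant mode" };
  }
}

// Constructed sample requests (not real apps or sites).
const WEB_PAGE = { origin: "https://example.test", kind: "web", signatureValid: false, declared: [], pinned: false };
const SIGNED_APP = { origin: "app://dialer.example", kind: "signed", signatureValid: true,
  declared: ["contacts", "device-storage:pictures", "tcp-socket"], pinned: true, extendedReview: false };

function demo() {
  const revoked = new Set();
  return {
    webGeo: decide(DEFAULT_POLICY, revoked, "geolocation", WEB_PAGE).action,
    webContacts: decide(DEFAULT_POLICY, revoked, "contacts", WEB_PAGE).action,
    appContacts: decide(DEFAULT_POLICY, revoked, "contacts", SIGNED_APP).action,
    appPictures: decide(DEFAULT_POLICY, revoked, "device-storage:pictures", SIGNED_APP).action,
    appSocket: decide(DEFAULT_POLICY, revoked, "tcp-socket", SIGNED_APP).action,
  };
}
```

Note that the ordering inside `decide` is the security-relevant part: revocation is evaluated before anything else, the signature and manifest-declaration checks gate every privileged permission regardless of grant mode, and a customisation can relax how a permission is granted but not which class of content may ask for it.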
