> I don't understand these categories, could you explain them a bit further?
Lucas can correct me, but AIUI this is a model that Lucas has developed for thinking about trust and apps. These categories may not have concrete analogs in B2G. There was previously a lot of talk about somehow requiring that "certified" apps be somehow restricted from executing arbitrary code, so we could verify that they're doing what they say they're doing. But that discussion has been put on hold afaict. > What is the difference between trusted and certified and what process and > limitations do they require? > > Is there a difference in security model between regular web content and > installed apps? > > If the app is installed directly from a web app's own server (not via a > third party app store), can it never get access to this API, even with the > user's explicit permission? In other words, these are good questions, but they're general questions about this way of thinking about web app security, and aren't specific to the browser API and this thread. If we're going to have this discussion, I'd appreciate if we did so separately. -Justin _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
