> To make things more similar to how web pages normally work, we could allow > pages from app://developer.com/ to make network requests to > http://developer.com. I.e. the app would be allowed to open XMLHttpRequest > connections to http://developer.com/ <http://developer.com/.>myapi.cgi without > requesting any special privileges. Likewise <img>s and <video>s loaded from > http://developer.com would not be considered cross-origin for example for > the purposes of tainting when drawn into a <canvas>.
Does https work as well? I'm not sure about the security implications of that, but I'd be concerned about a system which encourages (or even allows!) trusted apps to use unencrypted HTTP. > All in all this definitely means that trusted apps won't be as webby as > normal apps. One thing which would obviate much of my trepidation about this would be to provide a way to load an app via a URL. That is, if I visit "http://foo.com/my-app.zip";, I'll get a scary message (like we do now for invalid certs), and can, by clicking through, "run" this trusted app. This is important for developers, if nothing else. I could imagine this evolving into: If I navigate to that zip and discover that it's signed by an app store I trust, I don't have to click through the scary error message. But I think that's a v2 feature. -Justin _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
