On Mon, Jul 9, 2012 at 11:48 AM, Justin Lebar <[email protected]> wrote:
>> To make things more similar to how web pages normally work, we could allow
>> pages from app://developer.com/ to make network requests to
>> http://developer.com. I.e. the app would be allowed to open XMLHttpRequest
>> connections to http://developer.com/myapi.cgi without
>> requesting any special privileges. Likewise <img>s and <video>s loaded from
>> http://developer.com would not be considered cross-origin for example for
>> the purposes of tainting when drawn into a <canvas>.
>
> Does https work as well?  I'm not sure about the security implications
> of that, but I'd be concerned about a system which encourages (or even
> allows!) trusted apps to use unencrypted HTTP.

I think each app should have a "home origin" which is an origin that
it can connect to without requesting additional privileges. This can
be a http, https, ftp, or futurecoolprotocol.

Maybe we could even require that the protocol is encrypted,
practically speaking limiting it to https. But if we want to do that I
think we should have a good reason to.

>> All in all this definitely means that trusted apps won't be as webby as
>> normal apps.
>
> One thing which would obviate much of my trepidation about this would
> be to provide a way to load an app via a URL.  That is, if I visit
> "http://foo.com/my-app.zip", I'll get a scary message (like we do now
> for invalid certs), and can, by clicking through, "run" this trusted
> app.
>
> This is important for developers, if nothing else.
>
> I could imagine this evolving into: If I navigate to that zip and
> discover that it's signed by an app store I trust, I don't have to
> click through the scary error message.  But I think that's a v2
> feature.

Agreed. I definitely think that we should allow something like that.
And like you say, I don't think it's a v1 feature.

/ Jonas
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
