On Mon, Jul 9, 2012 at 12:09 PM, Antonio Manuel Amaya Calvo <[email protected]> wrote:
>>> To make things more similar to how web pages normally work, we could
>>> allow
>>> pages from app://developer.com/ to make network requests to
>>> http://developer.com. I.e. the app would be allowed to open
>>> XMLHttpRequest
>>> connections to http://developer.com/myapi.cgi
>>> without
>>> requesting any special privileges. Likewise <img>s and <video>s loaded
>>> from
>>> http://developer.com would not be considered cross-origin for example for
>>> the purposes of tainting when drawn into a <canvas>. This way most of the
>>> code which would work for a website would work in a packaged app, except
>>> that the packaged app would have to ensure to use absolute URLs when
>>> wanting to connect to the website.
>
>
> I agree with everything before this paragraph but... the whole point of
> reviewing the application in the first place is to ensure that the
> application the user is about to trust is... well, trustworthy, for lack
> of a better word. And the users are going to trust the application
> because they think that somebody has reviewed the application. And all
> of this goes out of the window if we let the application change what it
> shows to the user without any kind of review. If, going for the easy
> example here, the application has a login page with an image background,
> the developer --or anyone that compromises his server-- can change that
> login page to resemble whatever page they wish.
>
> That's no different to any other page on the internet, you could say,
> and it's true. But these applications are going to have access to a wide
> range of abilities, because they're trusted. And even if sometime a
> 'trusted UI' is provided (something that informs the user that hey, this
> application you're interacting with is trusted) they'll be marked as
> trusted. So they should behave better than a random web page you found
> on the internet.
>
> So for the time being, and unless we can figure out a way to add untrusted
> content to a trusted base without losing "trustiness", I would say that
> for an application to be trusted all its content has to be trusted...
> and that if we allow external content (which might make sense for a
> video player, for example) then the places where external content can be
> shown are monitored and factored in the application review.

We will use CSP to limit where you can load things like scripts and
stylesheets from. This ensures that any code that the app runs will be
code that was reviewed by the store, and that the app generally looks
as was originally intended.

Like Lucas points out, almost any application today uses network
connectivity. That means that they will load data which are not part
of the reviewed package. This can be for things like loading and
storing high-scores for a game, viewing saved pictures in a photo
sharing site etc.

The idea described above is to allow apps to have a "home website"
which it can connect to without requesting any additional permissions.
This enables websites to more easily write applications which talk to
a home server, something which is a central feature of web apps today.

Also note that even if we didn't have this feature, the web today
allows making XMLHttpRequest connections to any website as long as
that website supports CORS. So removing the above described feature
doesn't actually mean that websites won't be able to load untrusted
data. It would just mean that they would have to do more work
server-side to do so, which doesn't actually help prevent the types of
attacks we are trying to protect against.

/ Jonas
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
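The split Jonas describes, CSP pinning script and stylesheet sources to the reviewed package while the app's "home website" stays reachable for data loads (images, media, XMLHttpRequest), can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not code from the thread, from Mozilla, or from any packaged-app runtime. The app origin `app://developer.com`, the home site `http://developer.com` and the policy string are assumptions taken from the discussion, and the matcher is a simplified model of CSP source matching (exact scheme+host comparison, `'self'`, `'none'` and `*` only; wildcard hosts, scheme-only sources and nonces are not modelled).

```javascript
// Added example, not code from the thread or from Mozilla's packaged-app implementation.
// Models how a packaged app's Content-Security-Policy can confine executable
// content to the reviewed package while allowing data loads from a home website.

const APP_ORIGIN = "app://developer.com";   // assumed app origin, as in the thread
const HOME_SITE = "http://developer.com";   // assumed "home website"

// Constructed policy for the packaged app: scripts and styles only from the package
// ('self' = the app:// origin), but images, media and XHR may also use the home site.
const PACKAGED_APP_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self'; " +
  `img-src 'self' ${HOME_SITE}; media-src 'self' ${HOME_SITE}; ` +
  `connect-src 'self' ${HOME_SITE}`;

// The weak setting for comparison: everything may be loaded from anywhere,
// so code served by the home site (or by whoever compromises it) would run.
const WEAK_POLICY = "default-src *";

// Parse "dir1 src src; dir2 src" into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Resource type -> governing fetch directive; absent directives fall back to default-src.
const DIRECTIVE_FOR = {
  script: "script-src",
  style: "style-src",
  img: "img-src",
  media: "media-src",
  connect: "connect-src",
};

// "scheme://host[:port]" of a URL (works for the non-special app:// scheme too).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Simplified source-expression matching.
function sourceMatches(source, resourceOrigin, documentOrigin) {
  if (source === "'self'") return resourceOrigin === documentOrigin;
  if (source === "'none'") return false;
  if (source === "*") return true; // the permissive wildcard
  try {
    return originOf(source) === resourceOrigin; // host-source: exact scheme+host
  } catch {
    return false; // unparseable source expression: treat as non-matching
  }
}

// True if a document at documentOrigin may load `url` as resource `type` under `policy`.
function isAllowed(policy, documentOrigin, type, url) {
  const directives = parsePolicy(policy);
  const sources =
    directives.get(DIRECTIVE_FOR[type]) ?? directives.get("default-src") ?? ["*"];
  const resourceOrigin = originOf(url);
  return sources.some((s) => sourceMatches(s, resourceOrigin, documentOrigin));
}

// Worked checks from the thread: reviewed code from the package runs, code and
// styles pushed by the home site do not, but API calls and images from it succeed.
function evaluateLoads(policy) {
  const loads = [
    ["script", `${APP_ORIGIN}/js/app.js`],
    ["script", `${HOME_SITE}/js/hotfix.js`],
    ["style", `${HOME_SITE}/css/theme.css`],
    ["img", `${HOME_SITE}/img/login-bg.png`],
    ["img", "http://other.example/img/x.png"],
    ["connect", `${HOME_SITE}/myapi.cgi`],
    ["connect", "http://other.example/api"],
  ];
  return loads.map(([type, url]) => ({ type, url, allowed: isAllowed(policy, APP_ORIGIN, type, url) }));
}

for (const row of evaluateLoads(PACKAGED_APP_POLICY)) {
  console.log(`${row.allowed ? "ALLOW" : "BLOCK"} ${row.type.padEnd(7)} ${row.url}`);
}
```

Running the block prints one decision per load; under `PACKAGED_APP_POLICY` only the packaged script is allowed to execute, while the same `hotfix.js` request is allowed under `WEAK_POLICY`, which is exactly the difference the thread turns on: the store reviews what can run, and the network only supplies data.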