On Jul 10, 2012, at 1:54 AM, Antonio Manuel Amaya Calvo wrote:

> If I were happy to accept risks that the developer takes (or to trust
> unknown or known developers) then I would not need the concept of
> 'trusted apps'. Just installed apps would suffice.
> 
> And I think that all that's a significant part of the user interface
> should be restricted to local content. That is, content that's installed
> with the application, that has been examined by the reviewer, and that
> requires a new certification/signature cycle to be changed. I don't want
> it downloaded from anywhere on the Internet and that includes the
> developer server. After all, we're certifying applications because we
> don't trust developers in the first place.

The security model cannot, and will not, remove all risk from trusted apps.  
Especially around spoofing.  That is why trusted apps have a review process.  
But preventing background image changes is not feasible programmatically 
without crazy tainting… how do you tell where the image came from?  It's trivial 
to launder origins.  

Many apps may stream the background image from a server for theming purposes.  
For example, if I want to build a calendar app that loads images from Flickr 
based upon some set of tags, why should that be prohibited?  This is a 
restriction that Firefox itself doesn't enforce (hence 
http://www.getpersonas.com/en-US/).

> 
> What the trusted part adds to this attack is context. A trusted app gets
> access to more interesting privileges and thus the attacker can have
> more context information about when to execute the attack. Not to
> mention that I used to want a trusted UI, if you remember. Something
> that informed the user when he was interacting with a window that the
> owner application for that window was trusted or not. Now, if the UI is
> hijackable, that makes that idea (the trusted UI) into a horrible one.

Trusted UI != all interactions are trustworthy.  Far from it.  Trusted UI == 
specific interactions are trustworthy, and can be differentiated from all other 
interactions.

> In any case, and from Jonas' answer I think we basically agree that the
> UI is part of the application, that includes the images on the UI, and
> thus they have to be controlled.
> 

I didn't get that from his email. :)
  Lucas.

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps