On Aug 6, 2012, at 9:23 PM, Jason Smith wrote: > Hi Lucas, > > Responses below: > > (a) I think will be solved by > https://github.com/mozilla-b2g/gaia/issues/2831. Desktop has already > implemented this. Android is currently working on support for that as well. >
I think that github issue seems like a reasonable solution from a security standpoint. > (b) Back in the day in desktop discussions, I think the conclusion we came to > is that falls on the fault of the web developer if they make this mistake, > not us. > > Also - A while back when we implemented a rule in desktop saying that "all > links that go outside of the app origin content go to the browser" we > received backlash from some of the app developers, as they wanted to be able > to use off-origin authentication in their web application. > > So I guess I have this question - Can a web developer make use of off-origin > authentication (e.g. google accounts, mozilla persona) in a packaged > application? Or generally - would there ever be a need to support off-origin > content within a web app such as auth mentioned before? Other platforms with native apps seems to have solved this by loading a separate window that the user authenticates through, then which returns control to the app when complete. Seems like we could support the same pattern? > One last note - In desktop/android (soon with Firefox OS support) as well we > go to the browser with general untrusted web apps when a target=blank is > clicked. Does that rule apply to packaged apps as well? That seems like reasonable behavior for packaged apps as well. Thanks! Lucas. _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
