On 20/12/12 10:12, Jonas Sicking wrote:
> Sorry to have dropped this thread.
>
> Requiring SSL wouldn't really help us anyway. The problem we are
> trying to protect against with signing is if the web server gets
> hacked. Web servers are generally fairly complex and are hard to
> protect. We should create an application update mechanism where the
> ability to hack a webserver is all that stands between the attacker,
> and the ability to automatically get millions of people to
> automatically get updated to applications that are running malicious
> code.

I assume there's a "not" missing in there somewhere? :-)

> The difference there is that feed:// was just a synonym for http://.
> Loading from feed:// was exactly the same as loading from http://.
> The same is not true for app://. Loading from app:// means doing
> something entirely different from loading from http://. This was the
> conclusion the webapps WG and even the TAG came to when they created
> the widget protocol.
>
> app:// is much more like file://. But even file:// isn't a synonym for
> app:// since the latter doesn't have URLs that are relative to the
> local filesystem.

OK, that makes sense.
Gerv
_______________________________________________
dev-webapps mailing list
https://lists.mozilla.org/listinfo/dev-webapps