To answer your earlier question, UUIDs are unique to the app, not to the device. The UUID is generated when you (or, more realistically, Firefox Marketplace) create *and* sign a packaged app. Your app would thus theoretically have the same app:// URL on all devices, but I don't know how well you can trust this.

A bit of info is here: https://developer.mozilla.org/en-US/docs/Apps/Packaged_apps#Differences_from_hosted_apps

I don't know what happens if an unprivileged packaged app tries to copy a UUID. Also, I don't know what happens when you try to install a packaged app that is unsigned or is signed by an unknown party. These are all good questions to know answers to :) I believe the intention is to disallow unsigned packaged apps in the future.

On Mar 13, 2013, at 5:39 AM, Arnaud Didry <[email protected]> wrote:

> Hi Jordona,
>
> That's what I understood. My problem is that doing
> window.opener.postMessage(result, "*") [1] is a possible security threat IMO.
>
> Someone could use my OAuth client_id to use the API on my behalf and the
> user authorizations that come along.
>
> For example, if the contacts app in Gaia didn't restrict the postMessage to
> 'app://communications.gaiamobile.org' [2], I suppose one could do this:
>
> * Use the Mozilla client_id found here [3]
> * Create a webapp which opens a new window to the same OAuth provider as the
>   contacts app (with exactly the same params)
> * If the user hasn't already accepted the Mozilla app, the OAuth provider
>   will ask "Do you authorize Mozilla to access your data?"
> * If the user clicks "Yes", or if he has already authorized the app, the OAuth
>   provider will redirect to the Mozilla server, which will pass the tokens to
>   window.opener, the malicious app, without restriction.
> * Use the tokens to access user contacts.
>
> I don't have a lot of experience with OAuth, I am maybe missing something,
> but I am stuck for the moment.

I understand this to be a security risk as well, and it has come up as a question for me in different contexts before. I'd like to know how to protect packaged apps for this case. The problem is that if a packaged app can open a new window (or iframe) and retrieve sensitive info via postMessage then *any* packaged app can do the same thing.

Hmm, it seems dangerous that the Contacts app is passing back an OAuth token via postMessage. Unless I'm missing something, any other packaged app could request the same token. The user would have to explicitly grant access, of course. So maybe this is just a phishing attack scenario.

> Cheers
>
> [1] https://github.com/arcturus/postmessageitor/blob/master/postmessage.html#L20
> [2] https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/oauth2/js/oauth20.js#L122
> [3] https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/oauth2/js/parameters.js#L45
>
> On Wednesday 13 March 2013 10:32:50 UTC+1, Jordano Francisco (UK) wrote:
>> Hi Arnaud,
>>
>> On 13/03/2013 00:46, "Arnaud Didry" <[email protected]> wrote:
>>
>>> In the case of a packaged app, we can't restrict the diffusion to a
>>> specific application because app URIs seem to be unique for each device.
>>> Am I wrong? I could add the app UUID alongside the redirect_uri param to
>>> use it later in postMessage, but it would still allow anyone to use my
>>> API client id in a malicious webapp.
>>>
>>> Having a URI like app://{store_id}, or better, an app domain
>>> (app://developer.com) would solve the problem. I didn't find any
>>> reference to this feature in the roadmap or in Bugzilla. Is this planned?
>>> Am I missing something?
>>>
>>> Besides this OAuth problem, having a known URI would be great for a
>>> developer to help him identify requests coming from his app by looking at
>>> the referer. It would also remove the need to have a server in the
>>> authentication flow (provided that the OAuth provider allows the app://
>>> scheme in the redirect URI).
>>
>> The postMessage trick is used because OAuth service providers (like
>> Gmail, Facebook, etc.) don't recognise the protocol 'app://' as a valid
>> redirection URL. So what we do is open a new window and point the
>> redirection URL to a host that we control. The only thing that host does
>> is get all the variables passed and send them via postMessage to the
>> opener window.
>>
>> The result is having all the variables that the service provider sends in
>> your packaged app.
>>
>> There is an example of that service in this open source project:
>>
>> https://github.com/arcturus/postmessageitor
>>
>> Cheers!
>> F.
>
> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
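The relay-to-opener exchange discussed in this thread, modelled as an added example (not code from any participant, from Gaia or from the postmessageitor project): it shows why `postMessage(result, "*")` hands the OAuth callback variables to whichever window opened the relay, and what changes when the relay names the expected app origin and the app checks `event.origin`. The relay host, the rogue app origin and the token value are constructed placeholders.

```javascript
// Added example: a minimal model of window.postMessage targetOrigin semantics,
// so the difference between postMessage(result, "*") and a restricted target
// can be exercised in Node without a browser.

// A simulated window: knows its origin and collects messages it receives.
function makeWindow(origin) {
  return { origin, received: [] };
}

// Models the browser's check: a message is delivered only if targetOrigin
// is "*" or exactly matches the receiving window's origin.
function postMessage(target, data, targetOrigin, senderOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) {
    return false; // the browser silently drops the message
  }
  target.received.push({ data, origin: senderOrigin });
  return true;
}

// The relay host (constructed placeholder) forwards the OAuth callback
// variables to whatever window opened it, using the given targetOrigin.
const RELAY_ORIGIN = "https://relay.example";
const CONTACTS_APP = "app://communications.gaiamobile.org";

function relayToOpener(opener, params, targetOrigin) {
  return postMessage(opener, params, targetOrigin, RELAY_ORIGIN);
}

// Receiving side in the packaged app: only accept tokens whose sender
// origin is the relay host; anything else is ignored.
function acceptTokens(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  return event.data.access_token || null;
}

// Run the relay once against the legitimate app and once against a
// hypothetical other packaged app that opened the same relay window.
function demo(targetOrigin) {
  const params = { access_token: "tok_constructed" }; // constructed sample
  const legit = makeWindow(CONTACTS_APP);
  const rogue = makeWindow("app://rogue-app.example"); // hypothetical
  return {
    toLegit: relayToOpener(legit, params, targetOrigin),
    toRogue: relayToOpener(rogue, params, targetOrigin),
  };
}
```

With `"*"` both openers receive the token; with `CONTACTS_APP` as targetOrigin only the Contacts app does, and `acceptTokens` additionally rejects messages that did not come from the relay host.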
