On Tue, Jun 17, 2014 at 2:08 PM, Tomasz Swierczek <[email protected]> wrote:
>
>> No, I think it is better to treat the extension process as an untrusted
>> part of the app (because then we can load untrusted native extensions
>> into it) and rely on the system to enforce privilege checks.
>
> I agree on this - since extensions process is per app, I believe it's part of
> the app and will run with app's Smack label (not sure though). We shouldn't
> trust this.

An extension _instance_ is a process per app, started by a renderer process
(which itself is started by the browser process, but it depends on many things
whether some pages share a renderer process or each has its own [1], [2] - by
default the latter).

But the extension instance is not necessarily part of the app, as it is a
separate process and communicates via IPC with the renderer which runs the
app JS.

However, we have made that _choice_ to regard the extension instance as part
of the app and not trust it, in order to make it possible to deploy an
extension as easily as an app. Otherwise an extension would be like a trusted
platform component, and that is a more complex security model (though
technically doable).

[1] http://www.chromium.org/developers/design-documents/process-models
[2] http://www.chromium.org/developers/design-documents/multi-process-architecture

Best regards,
Zoltan
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
