On 5/14/12 10:47 AM, Mounir Lamouri wrote:
I don't think we can justify the choice of one app per origin just
because it's how browsers work nowadays regarding security and
permissions. This is an implementation detail and we shouldn't write
specs based on implementation details. And that might be true only for
some browsers and not for others.

Agree wholeheartedly!

In addition, how permissions are currently handled already has serious
limitations which would make the app security model hard to implement if
we stick to a simple origin definition. For example, if I go to
foo.example.com from APP1 (because APP1 is from that origin or because
I'm browsing that website from that app) and then I go to
foo.example.com from APP2, should permissions given when I was using
APP1 be given to APP2? I don't think we should. Concretely that means that
a website accessed from its dedicated app and the same website browsed
from a browser app would have the same permissions, or that a website
browsed from browser foo and the same website browsed from browser bar
would also have the same permissions.

I don't understand this scenario fully, permissions given to an app are tied to its origin and cannot be extended to any other domain, irrespective of whether that domain was accessed via the app (an iframe or something else). We do not allow an app to navigate outside its origin at the top-level window.

IMO, the manifest URL should be the unique identifier for an application,
so we should not restrict applications per origin and the security
model should consider that permissions were given to a specific origin
inside a specific application.

I'm not sure how this would work. Not only do we have to isolate API permissions between two apps from the same domain, but also other things like cookie jars, localStorage, indexedDB, XHR, and so on.

How will you enforce App1 from being unable to XHR to App2 even though they're both from the same domain? In particular, how do you know what pages from a given domain belong to which app? One possibility is to allow suffixes: (example.org/app1, example.org/app2), but the manifest URL by itself is insufficient.

-Anant
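To make the point in Anant's reply concrete, the following is an added example (not code from this thread, and not Mozilla's own apps implementation). It shows that the origin boundary the same-origin policy uses for XHR, localStorage and indexedDB is scheme + host + port, so two apps at example.org/app1 and example.org/app2 are indistinguishable by origin, and it sketches what a path-prefix "suffix" scope would have to do to decide which app a given page belongs to. The helper names (originOf, makeScope, inScope, appFor) and the scope rules are assumptions made for the example, not a spec.

```javascript
// Added example: origin vs. path-prefix app scope. Not from the thread.

// Origin as the same-origin policy computes it: scheme, host and port.
// (Cookies are weaker still: they are keyed by host, ignoring scheme and port.)
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// Two pages share an origin iff scheme, host and port all match.
// This is the only question the platform asks before allowing XHR,
// localStorage or indexedDB access between them.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical app scope: an app is identified by origin + path prefix,
// e.g. https://example.org/app1 . Normalised so the prefix ends in "/".
function makeScope(scopeUrl) {
  const u = new URL(scopeUrl);
  let path = u.pathname;
  if (!path.endsWith('/')) path += '/';
  return { origin: `${u.protocol}//${u.host}`, path };
}

// A page is inside a scope when its origin matches and its (normalised)
// path is the scope directory or something beneath it. "/app1x/..." must
// NOT match the "/app1/" scope, which is why the prefix carries the slash.
function inScope(scope, urlString) {
  const u = new URL(urlString); // URL parsing resolves "/app1/../app2"
  if (`${u.protocol}//${u.host}` !== scope.origin) return false;
  const p = u.pathname;
  if (p + '/' === scope.path) return true; // request for the scope dir itself
  return p.startsWith(scope.path);
}

// Which app does a page belong to? Longest matching prefix wins so nested
// scopes resolve deterministically; null when no app claims the page.
function appFor(scopes, urlString) {
  const matches = Object.entries(scopes).filter(([, s]) => inScope(s, urlString));
  if (matches.length === 0) return null;
  matches.sort((a, b) => b[1].path.length - a[1].path.length);
  return matches[0][0];
}

// Demo with the URLs from the thread (constructed input).
const scopes = {
  app1: makeScope('https://example.org/app1'),
  app2: makeScope('https://example.org/app2'),
};
console.log('same origin, so XHR/storage are shared:',
  sameOrigin('https://example.org/app1/index.html', 'https://example.org/app2/index.html'));
console.log('page in app1 belongs to:', appFor(scopes, 'https://example.org/app1/page.html'));
console.log('traversal into app2 resolves to:', appFor(scopes, 'https://example.org/app1/../app2/x'));
console.log('foo.example.com claimed by:', appFor(scopes, 'https://foo.example.com/app1/'));
```

The gap the example exposes is the one in the reply: appFor can label a page as app1 or app2, but nothing in the browser's storage or networking layers consults that label, so unless the platform keys its storage and XHR checks on the scope rather than the origin, app1 can still read app2's data.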
