On Tue, Nov 18, 2014 at 7:40 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 11/18/14, 10:26 PM, Michaela Merz wrote:
>>
>> First: We need signed script code.
>
> For what it's worth, Gecko supported this for a while. See
> <http://www-archive.mozilla.org/projects/security/components/signed-scripts.html>.
> In practice, people didn't really use it, and it made the security model a
> _lot_ more complicated and hard to reason about, so the feature was dropped.
>
> It would be good to understand how proposals along these lines differ from
> what's already been tried and failed.
The way we did script signing back then was nutty in several ways. The signing we do in FirefoxOS is *much* simpler. Simple enough that no one has complained about the complexity that it has added to Gecko.

Sadly, enhanced security models that use signing by a trusted party inherently lose a lot of the advantages of the web. It means that you can't publish a new version of your website by simply uploading files to your webserver whenever you want. And it means that you can't generate the script and markup that make up your website dynamically on your webserver.

So I'm by no means arguing that FirefoxOS has the problem of signing solved. Unfortunately no one has been able to solve the problem of how to grant web content access to capabilities like raw TCP or UDP sockets in order to access legacy hardware and protocols, or how to get read/write access to your photo library in order to build a photo manager, without relying on signing. Which has meant that the web so far is unable to "compete with native" in those areas.

/ Jonas