On 2015-03-06 10:55, Nilsson, Claes1 wrote:
Yes, that covers my first question. I have also seen Anssi’s CSP extension specification. I guess that the approach is to see how far we can get in the Trust&Permissions CG on the ideas we experimented with for FFOS, i.e. to find a way to securely open up sensitive APIs to server hosted web sites using a signed manifest and secure transport.
This indeed a major concern. Permissions and "Trustworthy Code" are unfortunately not particularly related. Cheers, Anders
Then we have to work on any needed extensions to the Manifest specification. BR Claes *Claes Nilsson* Master Engineer - Web Research Advanced Application Lab, Technology *Sony Mobile Communications* Tel: +46 70 55 66 878 claes1.nils...@sonymobile.com <mailto:firstname.lastn...@sonymobile.com> sonymobile.com <http://sonymobile.com/> Sony logotype_23px height_Email_144dpi *From:*Christiansen, Kenneth R [mailto:kenneth.r.christian...@intel.com] *Sent:* den 6 mars 2015 10:46 *To:* Nilsson, Claes1; 'Kenneth Rohde Christiansen'; Kostiainen, Anssi; Arthur Barstow; public-webapps *Subject:* RE: [manifest] RE: Manifest for web application; review deadline March 5 Yes, indeed. I just didn´t remember the final name. Does that cover your first question? Regarding the second questions, Anssi wrote an extension spec: http://w3c.github.io/manifest-csp/ He can probably comment on that. Kenneth *From:*Nilsson, Claes1 [mailto:claes1.nils...@sonymobile.com] *Sent:* Friday, March 6, 2015 10:39 AM *To:* 'Kenneth Rohde Christiansen'; Arthur Barstow; public-webapps *Subject:* RE: [manifest] RE: Manifest for web application; review deadline March 5 Ok thanks Kenneth. I assume that you refer to the Trust & Permissions Community Group, https://www.w3.org/community/trustperms/? BR Claes *Claes Nilsson* Master Engineer - Web Research Advanced Application Lab, Technology *Sony Mobile Communications* Tel: +46 70 55 66 878 claes1.nils...@sonymobile.com <mailto:firstname.lastn...@sonymobile.com> sonymobile.com <http://sonymobile.com/> Sony logotype_23px height_Email_144dpi *From:*Kenneth Rohde Christiansen [mailto:kenneth.christian...@gmail.com] *Sent:* den 6 mars 2015 10:09 *To:* Nilsson, Claes1; Arthur Barstow; public-webapps *Subject:* Re: [manifest] RE: Manifest for web application; review deadline March 5 Hi Claes, The web app manifest spec allows extensions (it has extension points), so we would expect the Permissions WG/CG to come up with a proper way to deal with permissions. If they come to the conclusion that we need some permission field in the manifest, their spec can add that. It is not yet clear at this point that that is the solution that they are aiming at. Cheers, Kenneth On Thu, Mar 5, 2015 at 4:50 PM Nilsson, Claes1 <claes1.nils...@sonymobile.com <mailto:claes1.nils...@sonymobile.com>> wrote: Hi, We support that this version of the specification is moved to Candidate status but we have a few comments/questions: In this version 1 we miss: * A "permissions" field * A "content security policy field". This is only included as a way to state allowed origins from which the manifest file itself could be loaded. However, there is, in this first version, no CSP-field defined for the manifest document, allowing restriction of origins the web app could download scripts and other content types from. There is also a draft companion document, http://w3c.github.io/manifest-csp/, defining this CSP-member of the manifest. We consider the above features important for allowing server hosted web apps access to more sensitive APIs and have been experimenting with this for FFOS: https://lists.w3.org/Archives/Public/public-sysapps/2014Sep/att-0000/SoMC_FFOS_Trusted_Hosted_Apps.pdf. Accordingly we want to discuss these features for the further work on the manifest specification. We also would like to ask the WG if it has been discussed if https: transport should be required for downloading the manifest? Other specifications are moving towards requirement for https:. See for example the discussion https://lists.w3.org/Archives/Public/public-device-apis/2015Feb/0045.html. For the manifest version 1 this may not be critical but if above features are added the transport probably have to be protected. However, once again note that these comments do not prevent that we support that the current version of the manifest is moved to candidate status, I am just taking the opportunity state our views on the further work on the manifest specification. Best regards Claes Nilsson Master Engineer - Web Research Advanced Application Lab, Technology Sony Mobile Communications Tel: +46 70 55 66 878 claes1.nils...@sonymobile.com <mailto:claes1.nils...@sonymobile.com> sonymobile.com <http://sonymobile.com> > -----Original Message----- > From: Arthur Barstow [mailto:art.bars...@gmail.com <mailto:art.bars...@gmail.com>] > Sent: den 13 februari 2015 01:31 > To: public-webapps > Subject: RfC: Manifest for web application; review deadline March 5 > > [ Bcc: public-webappsec, www-style, public-privacy, public-sysapps, > public-digipub-ig, public-pfwg, public-web-mobile, www-international, > chairs^1, public-review-announce; Reply-to: public-webapps ] > > This is a Request for Comments (RfC) for WebApp's "Manifest for web > application" specification: > > <http://www.w3.org/TR/2015/WD-appmanifest-20150212/> > > "This specification defines a JSON-based manifest that provides > developers with a centralized place to put metadata associated with a > web application." > > This Working Draft is intended to meet the wide review requirements as > defined in the 2014 Process Document. The deadline for comments is 5 > March 2015 and all comments should be sent to the public-webapps @ > w3.org <http://w3.org> mail list [Archive] with a Subject: prefix of "[manifest]". The > next anticipated publication of this specification is a Candidate > Recommendation. (See [CR-Plan] for the specification's Candidate > Recommendation status.) > > WebApps welcomes review and comments from all individuals and/or groups > and we explicitly ask the following groups to review the document and > to submit comments: WebAppSec, CSS WG (in particular, the "display > mode" > media feature), PING, SysApps, Digital Publishing IG, WAI (PF, User > Agent, Authoring Tools), and I18N WG. > > In addition to substantive comments, to help us get a sense of how much > review the document receives, we also welcome data about "silent > reviews", f.ex. "I reviewed section N.N and have no comments". > > -Thanks, AB > > ^1 RfC is the new LCWD TransAnn > [CR-Plan] <https://github.com/w3c/manifest/issues/308> > [Archive] <https://lists.w3.org/Archives/Public/public-webapps/> > >