On Thu, Jun 19, 2014 at 4:28 AM, Ehsan Akhgari <[email protected]> wrote:
> Thanks for writing this up, Jonas!
>
> Here are a couple of questions:
>
> 1. If we only allow access to privileged APIs to resources that are served
> from the "package" source through CSP, would the concern about injecting
> inline scripts from the same origin into the code running inside the package
> remain?

Yes, definitely. While you're right that my example to inject a <script> wouldn't work as it would be prevented by the CSP policy, the attacker could call arbitrary trusted JS functions and pass arbitrary JS values to them. That will most likely result in being able to trick the trusted code into doing bad things, especially given how dynamic and untyped most JS code is.

> 2. How well do packages play with HTTP/2? One side effect of using packages
> is that you need to download all of the code for the application in order to
> verify the signature (assuming that we won't have per-resource signatures),
> but HTTP/2 would allow you to only download the resources needed for the
> current document in a minimum number of HTTP transactions. It's not
> immediately obvious to me how we can reconcile these two models...

We would indeed end up with the whole new package being downloaded. Though there is work going on to support differential downloads for HTTP resources in general, which would work if those resources happen to be a packaged file as well.

So HTTP/2 and packages would work just fine together in the sense that neither is incompatible with the other. But packages do cause more data to be downloaded during an update.

/ Jonas

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
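The point in the first answer (CSP can block an injected inline script, but same-origin code can still call a trusted function with arbitrary, untyped values) illustrated as an added example that is not part of the thread. The trusted API, its names (`readAppFileNaive`, `readAppFileHardened`, `APP_ROOT`) and the file-open stand-in are all constructed for illustration; the hardened variant shows the input discipline a privileged function needs.

```javascript
// Added example, not from the dev-b2g thread. A signed package exposes a
// "trusted" wrapper around a privileged file API on the global scope. CSP
// stops inline <script>, but any same-origin script can still call the
// wrapper with whatever JS value it likes, so the wrapper itself must be
// strict about its arguments. All names below are hypothetical.

const APP_ROOT = "/app/";

// Constructed stand-in for the privileged API: returns the path it would open.
function privilegedOpen(path) {
  return `opened:${path}`;
}

// Naive trusted wrapper: assumes the argument behaves like a string and
// coerces it twice (once to check, once to use).
function readAppFileNaive(path) {
  if (!String(path).startsWith(APP_ROOT)) {
    throw new Error("path outside app root");
  }
  // Second coercion: a dynamic object can answer differently this time,
  // so the value used is not the value that was checked.
  return privilegedOpen(String(path));
}

// Hardened wrapper: require a primitive string, canonicalize it, and hand the
// privileged API exactly the value that passed the check.
function readAppFileHardened(path) {
  if (typeof path !== "string") {
    throw new TypeError("path must be a string");
  }
  const parts = path.split("/").reduce((acc, seg) => {
    if (seg === "..") acc.pop();
    else if (seg !== "." && seg !== "") acc.push(seg);
    return acc;
  }, []);
  const canonical = "/" + parts.join("/");
  if (!canonical.startsWith(APP_ROOT)) {
    throw new Error("path outside app root");
  }
  return privilegedOpen(canonical);
}

// Constructed untrusted argument: an object whose string form changes
// between the check and the use. Used only to show the naive wrapper's gap.
function makeShiftingPath() {
  let calls = 0;
  return { toString() { return calls++ === 0 ? "/app/ok.txt" : "/etc/secret"; } };
}
```

The naive wrapper opens a path outside `APP_ROOT` when given the shifting object; the hardened one rejects it at the type check and also rejects `..` traversal in plain strings.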
