On 11 Feb 2015, at 1:10 am, Anders Rundgren <anders.rundgren....@gmail.com> wrote:

> On Tuesday, February 10, 2015 at 11:52:55 AM UTC+1, Julien Wajsberg wrote:
>> Hey Paul,
>> 
>> On 09/02/2015 12:41, Paul Theriault wrote:
>>> === SMS  ===
>>> SMS is risky mainly due to the cost involved. Risks include cost of sending 
>>> SMS and also SMS are very sensitive - e.g. often used in 2-factor auth 
>>> (e.g. banking)
>>> 
>>> But there are different use cases. For example, many use cases just need 
>>> the ability to receive SMS - instead of granting SMS permission, we could 
>>> expose a read-only SMS datastore which other apps could observe changes on 
>>> which removes the cost risk (but not the sensitive data risk). 
>> 
>> I don't understand how having a read only access would prevent a webpage
>> from reading a 2-factor auth SMS.
>> 
>> I wonder if we could have a permission as fine as giving access to a
>> specific thread?
>> Or access to some properties (the phone numbers) but not others (the SMS
>> content)?
>> 
>> I'm also not sure how a user can choose knowingly whether he should give
>> access to such things from this webpage :/
> 
> Neither am I.  I think this calls for "Trusted Web Applications" that would 
> be installed locally but invoked from untrusted code.  It would be a 
> complement to
> https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html
> 
> Trusted web applications would be signed and be usable in IFRAMEs.

Maybe so - but the goal of this thread was really to examine the other side, 
i.e. making our APIs safe. As I said in the original email, I don’t think we 
will solve all use cases with this model. We should continue the trusted app 
discussion in the other threads I referenced in the original mail ("deprecate 
packaged apps" etc.).



> 
> Anders
> _______________________________________________
> dev-b2g mailing list
> dev-b2g@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-b2g
