I broke this out into its own heading https://wiki.mozilla.org/Apps/Security#Centralized_permissions_manager
Similar ideas were discussed later in the thread. I don't believe I've seen any objections to having permissions being centralized for control / auditing purposes. There is still an open question on how a permissions manager should respond in the event of a DENIED permission. One suggestion is to not error out but return some default/safe value e.g. no contacts if an app is not granted Contacts information. A concern of this proposal is that an app may continue to poll for a permission until it is granted or an app may pop up a dialog to have the user grant the permission. I don't think the dialogue prompt will be a big issue if we have contextual permissions. If ChessApp asks for geolocation on start, is denied, then pops up a dialogue saying it needs geolocation, I would hope the user realizes something is fishy. To address the polling issue, we could try exponential backoff when an app requests a permissions. The app would have to wait 1, 2, 4, 8 seconds etc between requests. Of course the permissions manager should always be able to change the permission even if the backoff for an app is at 10 years. David Chan ----- Original Message ----- > From: "Jim Straus" <[email protected]> > To: "Jonas Sicking" <[email protected]> > Cc: [email protected], [email protected], > [email protected], "mozilla dev webapps" > <[email protected]>, "Mozilla B2G mailing list" > <[email protected]> > Sent: Tuesday, March 13, 2012 1:09:06 PM > Subject: Re: [b2g] OpenWebApps/B2G Security model > > Hello all - > I've been sketching out an implementation of permissions. I've > laid out some code framework, but wanted to through tis out for > validation. Assumptions: that B2G/Firefox will have separate > processes for each app/tab. This is already declared to be true > (but not implemented) for B2G. This proposal doesn't required ipc > , but I believe we need to support it. Also note that this should > be able to replace the existing Permission and PermissionManager > in gecko. _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
