On Fri, Mar 16, 2012 at 4:13 PM, Benjamin Smedberg <benja...@smedbergs.us> wrote: > On 3/16/2012 11:11 AM, Ben Francis wrote: >> >> B2G applications are Open Web Apps, you can read about them here >> https://developer.mozilla.org/en-US/apps >> >> They're hosted on a web server like a web site, there's no packaging >> format >> but they may be cached locally using the existing appcache standard. > > Not to belabor the point, but it's clear that people are calling into > question the wisdom of this stance. Giving a hosted app which can be changed > at-will significantly enhanced privileges in general *seems* like a mistake; > you make the webservers for these enhanced apps targets for hacking huge > numbers of people in very immediate ways. I think it is worth discussing > whether there are limits to hosted webapps that we should take into account > when designing this system.
from https://www.adobe.com/devnet/air/articles/introduction_to_air_security.html "Imagine a scenario where your desktop application automatically imports some script from your website every time it runs, perhaps to render today's stock charts or to provide the latest application functionality. In the event that your server is compromised, or if you do not perform that code loading very diligently (that is, sign the script with your certificate and subsequently verify the validity of the signature), then an attacker could take over every machine that runs your application simply by compromising the server hosting that one script. So the user deciding to install a given application does not automatically grant the right to that application to download and execute additional code without additional, explicit user consent." _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
