On Mar 16, 2012, at 4:29 AM, Gervase Markham wrote:

> On 16/03/12 04:27, Lucas Adamski wrote:
>> Gaia app: consists of a1, b1, c1. A typical local app, with a static
>> codebase that is installed once, authenticated by a code signature
>> and prohibited from dynamically loading additional code.
> 
> So no remote request for JS? No eval and friends? Do we use CSP or similar to 
> enforce that?

Yup, that would be the theory.  The idea is that if we are to have some bundle 
of code we can authenticate and trust with significant privileges, then to 
maintain that trust it cannot load additional code (from anywhere) without some 
explicit process.

>> Granted
>> significant privileges in return.  Origin of these apps is probably
>> restricted to a small set of app stores as defined by OS
>> configuration.
> 
> An extensible set, presumably?

I believe so.  At least I don't see a security issue there... that's more about 
how a carrier may decide to configure a handset.

> 
>> Explicit update process.
> 
> Maybe this is a side question, but: would there be an "allow this app to 
> auto-update", like on Android, or at least CyanogenMod?
> 
> Certainly, app updates are a pain on Android - it nags me if I ignore them, 
> and if I accept them, it nags me about different ones tomorrow.
> 
> I'd love a "Yeah, whatever" setting which did auto-updates for all apps which 
> don't request new permissions.

Explicit update process to me just means that there has to be some code that 
runs and performs an update.  It may or may not require any user interaction.  
Personally speaking I'm pretty ok with Gaia apps updating in the background 
actually so long as that new code is strongly authenticated.

>> B2G app: a2, b2, c2 Remotely hosted but locally cached, identified by
>> a manifest.  Appears to user as a local app.  Codebase restricted to
>> a single origin, requires HSTS for authentication.  All code (JS,
>> HTML CSS) must be loaded from this origin.
> 
> Is the chosen origin defined in the manifest?
> How do we validate origins? The Public Suffix List?
> 
> If my app comes from foo.bar.com, is the origin automatically foo.bar.com, or 
> can the app request that the origin be bar.com?
> 

All good questions.  The security safe posture is to lean to smallest scope 
obviously (scheme://domain:port), but I'm guessing that might trample a lot of 
use cases.
  Lucas.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security