> Not to belabor the point, but it's clear that people are calling into > question the wisdom of this stance. Giving a hosted app which can be changed > at-will significantly enhanced privileges in general *seems* like a mistake; > you make the webservers for these enhanced apps targets for hacking huge > numbers of people in very immediate ways. I think it is worth discussing > whether there are limits to hosted webapps that we should take into account > when designing this system. > > --BDS >
Yes, clearly OWA was not designed with Gaia apps in mind. To be blunt, my opinion at this point is that a model with no code authentication or controls on importing code over plaintext channels, is insufficient for a privileged application like Gaia. It would leave Gaia apps open to the most trivial MITM attacks. Lucas. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
