> Yes, clearly OWA was not designed with Gaia apps in mind. To be blunt, my
> opinion at this point is that a model with no code authentication or controls
> on importing code over plaintext channels, is insufficient for a privileged
> application like Gaia. It would leave Gaia apps open to the most trivial
> MITM attacks.
> Lucas.

I understand the bit about code authentication. If the web server gets hacked, we're screwed. But surely well-functioning Gaia code would only load code over HTTPS, so I don't understand where this MITM attack comes from.
