On 3/17/2012 6:17 AM, Andreas Gal wrote:
> We have trained users over a long period of time to think of sites/origins and
> not the actual code when making security decisions. The whole code signing
> discussion is a total distraction here. Web apps should use the same basic
> security model the web itself uses.
This makes perfect sense for the vast majority of webapps that don't
require super-privileges. And as far as I can tell, everyone here agrees
that most of these apps don't require super privileges and can use the
normal web security model.
But asserting that the web security model is adequate for advanced
permissions seems like folly. These permissions, which can subvert
same-origin restrictions (by installing apps, or running a browser, or
having uncontrolled access to USB or Bluetooth), are a different class of
problem, and surely it seems worthwhile to consider whether the threat
model and attack scenarios for these super-privileged apps require a
more defensive installation system?
--BDS
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security