I think the same system works just fine, with a twist. For highly privileged APIs only trusted stores can grant access, and those stores can require that your code be hosted from a domain they control. This requires much less reinventing of the web than the signature idea. The Mozilla store, for example, can require that all highly trusted apps are hosted at app5472.mozilla.org etc. For many stores, app hosting will be part of the service they use to compete for developers.
Andreas

Sent from Mobile.

On Mar 19, 2012, at 8:02 AM, Benjamin Smedberg <[email protected]> wrote:

> On 3/17/2012 6:17 AM, Andreas Gal wrote:
>> We have trained users over a long period of time to think of sites/origins
>> and not the actual code when making security decisions. The whole code
>> signing discussion is a total distraction here. Web apps should use the same
>> basic security model the web itself uses.
>
> This makes perfect sense for the vast majority of webapps that don't require
> super-privileges. And as far as I can tell, everyone here agrees that most of
> these apps don't require super privileges and can use the normal web security
> model.
>
> But asserting that the web security model is adequate for advanced
> permissions seems like folly. These permissions, which can subvert same-origin
> restrictions (by installing apps, or running a browser, or having
> uncontrolled access to USB or bluetooth), are a different class of problem,
> and surely it seems worthwhile to consider whether the threat model and
> attack scenarios for these super-privileged apps require a more defensive
> installation system?
>
> --BDS
>
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security
