Does this mean that the store has to host all the backend data and services?  
Since the standard model is that web sites are generally restricted to 
connecting to their origination domain, this would mean that an app would be 
restricted to connecting to app5472.mozilla.org.  Even if app5472.mozilla.com 
relayed back to a third party host (which leads back to the original problem), 
would Facebook (for example) want to allow mozilla to be a man in the middle?  
Would Mozilla want to be in that business?

On Mar 19, 2012, at 11:19 AM, Andreas Gal wrote:

> I think the same system works just fine, with a twist. For highly privileged 
> APIs only trusted stores can grant access and those stores can require to 
> host your code from a domain they control. This requires much less 
> reinventing the web than the signature idea. The Mozilla store for example 
> can require that all highly trusted apps are hosted at app5472.mozilla.org 
> etc. For many stores app hosting will be part of the service they use to 
> compete for developers.
> 
> Andreas
> 
> Sent from Mobile.
> 
> On Mar 19, 2012, at 8:02 AM, Benjamin Smedberg <[email protected]> wrote:
> 
>> On 3/17/2012 6:17 AM, Andreas Gal wrote:
>>> We have trained users over a long period of time to think of sites/origins 
>>> and not the actual code when making security decisions. The whole code 
>>> signing discussion is a total distraction here. Web apps should use the 
>>> same basic security model the web itself uses.
>> This makes perfect sense for the vast majority of webapps that don't require 
>> super-privileges. And as far as I can tell, everyone here agrees that most 
>> of these apps don't require super privileges and can use the normal web 
>> security model.
>> 
>> But asserting that the web security model is adequate for advanced 
>> permissions seems like folly. These permission which can subvert same-origin 
>> restrictions (by installing apps, or running a browser, or having 
>> uncontrolled access to USB or bluetooth) are a different class of problem, 
>> and surely it seems worthwhile to consider whether the threat model and 
>> attack scenarios for these super-privileged apps requires a more defensive 
>> installation system?
>> 
>> --BDS
>> 

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security