We don't have to host major sites. All that has to be in place is some form of 
trust. Trust can come from hosting the code on the store (easy, scales), or a 
contract (scales less, but more flexible). In case of facebook it would clearly 
be the latter.

Andreas

On Mar 19, 2012, at 11:22 AM, Jim Straus wrote:

> Does this mean that the store has to host all the backend data and services?  
> Since the standard model is that web sites are generally restricted to 
> connecting to their origination domain, this would mean that an app would be 
> restricted to connecting to app5472.mozilla.org.  Even if app5472.mozilla.com 
> relayed back to a third party host (which leads back to the original 
> problem), would Facebook (for example) want to allow mozilla to be a man in 
> the middle?  Would Mozilla want to be in that business?
> 
> On Mar 19, 2012, at 11:19 AM, Andreas Gal wrote:
> 
>> I think the same system works just fine, with a twist. For highly privileged 
>> APIs only trusted stores can grant access and those stores can require to 
>> host your code from a domain they control. This requires much less 
>> reinventing the web than the signature idea. The Mozilla store for example 
>> can require that all highly trusted apps are hosted at app5472.mozilla.org 
>> etc. For many stores app hosting will be part of the service they use to 
>> compete for developers.
>> 
>> Andreas
>> 
>> Sent from Mobile.
>> 
>> On Mar 19, 2012, at 8:02 AM, Benjamin Smedberg <benja...@smedbergs.us> wrote:
>> 
>>> On 3/17/2012 6:17 AM, Andreas Gal wrote:
>>>> We have trained users over a long period of time to think of sites/origins 
>>>> and not the actual code when making security decisions. The whole code 
>>>> signing discussion is a total distraction here. Web apps should use the 
>>>> same basic security model the web itself uses.
>>> This makes perfect sense for the vast majority of webapps that don't 
>>> require super-privileges. And as far as I can tell, everyone here agrees 
>>> that most of these apps don't require super privileges and can use the 
>>> normal web security model.
>>> 
>>> But asserting that the web security model is adequate for advanced 
>>> permissions seems like folly. These permissions, which can subvert 
>>> same-origin restrictions (by installing apps, or running a browser, or 
>>> having uncontrolled access to USB or bluetooth) are a different class of 
>>> problem, and surely it seems worthwhile to consider whether the threat 
>>> model and attack scenarios for these super-privileged apps require a more 
>>> defensive installation system?
>>> 
>>> --BDS
>>> 
> 
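The store-hosting model Andreas proposes above (a trusted store grants highly privileged APIs only to apps served from a domain that store controls) and Jim's objection (the app's origin is then pinned to that hosting domain) can be shown as a small policy check. This is an added illustration, not code from the thread or from Mozilla; the store registry, the permission names and the `app5472` hostname pattern are constructed stand-ins, and the suffix matching is the one part a practitioner should get right, since a plain `endswith()` check accepts look-alike hosts.

```python
from urllib.parse import urlsplit

# Constructed registry: stores trusted to grant super-privileged APIs, and the
# hosting domains each one controls. Hypothetical values, not Mozilla's policy.
TRUSTED_STORES = {
    "example-store": {"hosting_suffixes": ("apps.example.org",)},
}

# Permissions of the "subvert same-origin" class discussed in the thread.
# Illustrative names, not a real API surface.
PRIVILEGED_PERMISSIONS = frozenset({"install-apps", "browser", "usb", "bluetooth"})


def hosted_under(host: str, suffix: str) -> bool:
    """True if host is exactly suffix or a subdomain of it.

    Requires a dot boundary: 'evilapps.example.org' must not match
    'apps.example.org', and 'apps.example.org.attacker.test' must not either
    (the suffix has to be at the end of the name).
    """
    host = host.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def grant_permissions(app_url: str, requested: set, store_id: str) -> dict:
    """Decide which requested permissions an app may receive.

    Ordinary permissions follow the normal web model and are granted on the
    app's own origin. Privileged ones are granted only when the granting store
    is trusted AND the app is served over HTTPS from a domain that store
    controls, so the store stands behind the code it hosts.
    """
    requested = set(requested)
    privileged = requested & PRIVILEGED_PERMISSIONS
    ordinary = requested - PRIVILEGED_PERMISSIONS
    parts = urlsplit(app_url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https" or not host:
        reason = "origin is not an https origin"
        return {"granted": ordinary, "denied": privileged, "reason": reason}

    store = TRUSTED_STORES.get(store_id)
    if store is None:
        reason = "store is not trusted to grant privileged APIs"
        return {"granted": ordinary, "denied": privileged, "reason": reason}

    if not any(hosted_under(host, s) for s in store["hosting_suffixes"]):
        reason = "app is not hosted on a domain the store controls"
        return {"granted": ordinary, "denied": privileged, "reason": reason}

    # Jim's point: with this model the app's origin is the store-controlled
    # host, so its same-origin network access is pinned to that host.
    return {"granted": ordinary | privileged, "denied": set(),
            "reason": "hosted by trusted store; origin pinned to " + host}


if __name__ == "__main__":
    for url in ("https://app5472.apps.example.org/",
                "https://apps.example.org.attacker.test/",
                "http://app5472.apps.example.org/"):
        print(url, grant_permissions(url, {"geolocation", "usb"}, "example-store"))
```

The `reason` field is what an installer UI or audit log would surface; the decision itself is the tuple of `granted` and `denied` sets.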

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
