On Mon, Mar 19, 2012 at 10:19 AM, Andreas Gal <[email protected]> wrote:
> I think the same system works just fine, with a twist. For highly
> privileged APIs only trusted stores can grant access and those stores can
> require to host your code from a domain they control. This requires much
> less reinventing the web than the signature idea. The Mozilla store for
> example can require that all highly trusted apps are hosted at
> app5472.mozilla.org etc. For many stores app hosting will be part of the
> service they use to compete for developers.

This is an interesting tweak; I'm guessing it means something like a Content Security Policy (CSP: https://developer.mozilla.org/en/Introducing_Content_Security_Policy):

    X-Content-Security-Policy: script-src https://app5472.mozilla.org

with no other options enabled (no other hosts, no unsafe-inline and maybe no unsafe-eval).

Or alternately, are you suggesting that the entire app be hosted at this location? This seems a bit more aggressive, as it requires giving the app's identity (origin) over to Mozilla.

It seems with CSP requirements (explicit or implied) that we can secure the code and ensure it is reviewable (e.g., it can't be dynamically generated, and we have a complete enumeration of all JS), while leaving developers with control over lots of stuff we shouldn't need to monitor (style and layout of the app).

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
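The following is an added example, not code from the thread or from Mozilla: a simplified model of how the proposed script-src policy gates script execution, so the "only the store host, nothing inline, no eval" properties discussed above can be checked concretely. It parses a serialized policy and decides whether an external script URL, an inline script, or eval() would be permitted. It is not the browser's full CSP matching algorithm (no nonces, hashes, path matching, or report-only mode), the document origin https://myapp.example and the looser contrast policy are constructed, and the header name the message uses (X-Content-Security-Policy) was the experimental prefixed form; the standardized header is Content-Security-Policy, but the directive syntax modelled here is the same.

```javascript
"use strict";

// Parse a serialized policy such as "script-src a b; img-src c" into
// { "script-src": ["a", "b"], "img-src": ["c"] }. Directive names and
// source expressions are case-insensitive, so everything is lowercased.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens.map((t) => t.toLowerCase());
    if (!(name in policy)) policy[name] = sources; // first occurrence wins
  }
  return policy;
}

// Split a host-source expression like "https://*.cdn.example:8443" into
// scheme, host pattern and port pattern (each may be absent).
function parseHostSource(source) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return null;
  return { scheme: m[1] ? m[1] + ":" : null, host: m[2], port: m[3] || null };
}

// "*" matches any host; "*.cdn.example" matches subdomains only; otherwise exact.
function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".cdn.example"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression permit a script fetched from `url` by a
// document whose origin is `docOrigin` (e.g. "https://myapp.example")?
function sourceMatches(source, url, docOrigin) {
  const u = new URL(url);
  const doc = new URL(docOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === doc.origin;
  if (source === "*") return true;
  if (source.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return u.protocol === source; // scheme-source, e.g. "https:"
  const hs = parseHostSource(source);
  if (!hs) return false; // unparseable expression matches nothing
  if (hs.scheme) {
    if (u.protocol !== hs.scheme) return false;
  } else if (u.protocol !== doc.protocol && !(doc.protocol === "http:" && u.protocol === "https:")) {
    return false; // no scheme given: inherit the document's scheme (https may upgrade http)
  }
  if (!hostMatches(hs.host, u.hostname)) return false;
  if (hs.port === "*") return true;
  if (hs.port === null) return u.port === ""; // URL must be on the scheme's default port
  return (u.port || defaultPort(u.protocol)) === hs.port;
}

// Decide whether a script "load" is allowed. `request` is one of
//   { kind: "external", url: "https://..." }  a <script src> or import
//   { kind: "inline" }                         an inline <script> or on* attribute
//   { kind: "eval" }                           eval() / new Function()
function scriptAllowed(policy, request, docOrigin) {
  // script-src governs scripts; default-src is the fallback; neither => unrestricted
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  if (request.kind === "inline") return sources.includes("'unsafe-inline'");
  if (request.kind === "eval") return sources.includes("'unsafe-eval'");
  return sources.some((s) => sourceMatches(s, request.url, docOrigin));
}

// The policy proposed in the message above: scripts only from the
// store-controlled host, nothing inline, no eval.
const STORE_POLICY = parseCsp("script-src https://app5472.mozilla.org");

// A constructed, deliberately looser policy for contrast.
const LOOSE_POLICY = parseCsp(
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example"
);

const DOC_ORIGIN = "https://myapp.example"; // hypothetical developer-hosted app origin

function demo() {
  const cases = [
    { kind: "external", url: "https://app5472.mozilla.org/app.js" },
    { kind: "external", url: "http://app5472.mozilla.org/app.js" },
    { kind: "external", url: "https://myapp.example/app.js" },
    { kind: "inline" },
    { kind: "eval" },
  ];
  for (const c of cases) {
    console.log(JSON.stringify(c),
      "store:", scriptAllowed(STORE_POLICY, c, DOC_ORIGIN),
      "loose:", scriptAllowed(LOOSE_POLICY, c, DOC_ORIGIN));
  }
}
demo();
```

The point the model makes visible: under the store policy the developer's own origin (https://myapp.example) can still serve the HTML, CSS and images, but every byte of script must come from the store host, and neither inline scripts nor eval() can smuggle in code that was not part of the reviewed bundle; the looser policy shows exactly which of those guarantees 'unsafe-inline' and a wildcard CDN give away.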
