On Monday, March 19, 2012 6:33:41 PM UTC, Ian Bicking wrote: > On Mon, Mar 19, 2012 at 10:19 AM, Andreas Gal <andreas....@gmail.com> wrote: > > > I think the same system works just fine, with a twist. For highly > > privileged APIs only trusted stores can grant access and those stores can > > require to host your code from a domain they control. This requires much > > less reinventing the web than the signature idea. The Mozilla store for > > example can require that all highly trusted apps are hosted at > > app5472.mozilla.org etc. For many stores app hosting will be part of the > > service they use to compete for developers. > > > > This is an interesting tweak; I'm guessing it means something like a > Content Security Policy (CSP: > https://developer.mozilla.org/en/Introducing_Content_Security_Policy)
brilliant: i was looking for that definition. now i understand what's being referred to. i note it's been added here, which is great! https://wiki.mozilla.org/Apps/Security#Definitions ok. so. a summary of the problems with using SSL - and CSP, and "pinning" - is described here: https://wiki.mozilla.org/Apps/Security#The_Problem_With_Using_SSL the summary: it's too complex to deploy, and its deployment results in the site becoming a single-point-of-failure [think: 1,000,000 downloads of angri burds a day]. l. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security