On Thu, Mar 22, 2012 at 3:12 PM, ptheriault <ptheria...@mozilla.com> wrote:
> Maybe I am wrong, but are not all offline web apps static web apps? > I see your point but there's currently no requirement for *all* of the remote resources of a web app that works offline to be static and cached locally. Only the ones listed in the appcache manifest which can provide a subset of functionality when operating offline, and which themselves can be updated whenever the appcache manifest is updated. > My assumption was since the apps which require critical permissions are > typically those which would need to be offline applications, and therefore > the restriction wasn't a large one. > It depends on how many permissions you extend this policy too. Although it would be a shame, I can understand if all four of the restrictions you mention are applied to a small number of super sensitive permissions (though I still think the user should have the power to override this if they want). But to require that all apps are served over SSL and are completely static (as I think you were proposing) seems unnecessarily limiting. If the app is served dynamically, what sort of controls would you propose > to mitigate the threats of server compromise, loading unsafe code and web > application vulnerabilities? > I'm sorry I don't have any technical solutions for this problem, only non-technical ones which have already been discussed. But fundamentally I think the user is expressing trust in the app developer who is hosting the app, not the store which just listed it and provided ratings. Ben -- Ben Francis http://tola.me.uk _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security