Hello,

One aspect of the security model that I wanted to discuss is where in
the implementation this security is applied.

First, some assumptions.

a) B2G is using OpenWebApps as defined by the OWA standard.
b) these apps should run the same no matter what platform they are
running in (e.g. android, b2g, desktop)
c) B2G is effectively an implementation of WebRT.  Either it is a
WebRT or it uses WebRT to run the apps (I don't know this but would
love to know)

Generally, I see it working like this.


WebRT/B2G ---> WebAPIs

So, the question is, where should we apply the permission model?
Should it be at the WebRT/B2G level or at the WebAPI?  This becomes
pretty important (it would seem to me) for consistency in app feel.

My initial thought is that the WebAPI should manage the permission
model.  When the WebRT/B2G attempts to access the API it will pass up
an authorization request which would bubble up to the user through the
WebRT.  This would simplify the WebRT and make it easier to be
consistent across multiple platforms.  (I haven't even addressed being
able to run apps in something like Google Chrome, which I believe is
something that is wanted).

I am not intimately familiar with the code in either B2G/WebAPI or
WebRT implementations so I could be way off base here, but I don't
think this has really been discussed and standardized.  Given that, I
thought it was a good time to bring it up and see what everybody thinks.

-Raymond
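
Added example (not part of the original message, and not B2G, WebRT or WebAPI code): a sketch of the arrangement the message proposes, where the API layer makes and remembers the permission decision and each runtime only supplies the prompt shown to the user. Every class, function and origin name below is hypothetical, and the prompt hook is synchronous for simplicity.

```javascript
// Added illustration: all names are hypothetical, not B2G, WebRT or WebAPI code.
// The API layer owns the permission decision; a runtime only supplies the prompt UI.
class GatedWebAPI {
  constructor(promptUser) {
    this.promptUser = promptUser;   // runtime hook: (origin, permission) => boolean
    this.decisions = new Map();     // "origin|permission" -> remembered answer
  }

  // Single enforcement point shared by every runtime.
  authorize(origin, permission) {
    const key = `${origin}|${permission}`;
    if (!this.decisions.has(key)) {
      let granted = false;          // default deny: a failed or non-boolean prompt grants nothing
      try {
        granted = this.promptUser(origin, permission) === true;
      } catch (_) {
        granted = false;
      }
      this.decisions.set(key, granted);
    }
    return this.decisions.get(key);
  }

  // Every privileged call passes through authorize() before it runs.
  invoke(origin, permission, operation) {
    if (!this.authorize(origin, permission)) {
      throw new Error(`permission denied: ${permission} for ${origin}`);
    }
    return operation();
  }
}

// Two constructed runtimes with different prompt behaviour but identical enforcement.
function demo() {
  const prompts = [];
  const phone = (origin, perm) => { prompts.push(`phone:${perm}`); return perm === "geolocation"; };
  const desktop = (origin, perm) => { prompts.push(`desktop:${perm}`); throw new Error("no UI available"); };
  const results = {};
  for (const [name, hook] of [["phone", phone], ["desktop", desktop]]) {
    const api = new GatedWebAPI(hook);
    const tryCall = (perm) => {
      try { return api.invoke("https://app.example", perm, () => "ok"); }
      catch (e) { return "denied"; }
    };
    // The second geolocation call reuses the remembered decision, so no new prompt is raised.
    results[name] = [tryCall("geolocation"), tryCall("geolocation"), tryCall("contacts")];
  }
  return { results, prompts };
}
```

Because the check lives in the API object, a runtime that cannot show a prompt fails closed instead of skipping the check.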