Runtime and Security Model: Navigation and Permissions

Section 7 of the Runtime and Security Model specification mentions the possibility of navigating outside of the application's origin. However, it does not say how this relates to the trust model defined in section 9:
- Are permissions granted to an installed application also granted to "external" origins if they are listed in "allow-navigation"? I don't think this would be the expected behavior, and it should be made explicit.
- Section 9.4.5 defines the CSP that MUST apply to all trusted applications, and states that "There is no way for trusted applications to relax this policy." Doesn't the "allow-navigation" property extend this CSP? It is likely that the externally accessed URI will use at least external CSS (which conflicts with the CSP in 9.4.5), but also possibly external scripts.

Should a bug entry be opened on the repo to address this?


Olivier POTONNIEE
Technology & Innovation
Tel: +33 (0)442 36 4071 - Mob: +33 (0)643 13 0066
Av. du Jujubier, Z.I. Athelia IV
13705 La Ciotat Cedex, FRANCE
www.gemalto.com or www.justaskgemalto.com


Received on Tuesday, 23 July 2013 16:11:19 UTC