RE: Runtime and Security Model: Navigation and Permissions

Yes, the boundaries of hosted apps are not clear in the current draft. As already expressed in previous discussions, relying on the simple "origin" is not a good option, as it forbids multiple apps per domain.
I would therefore imagine that the manifest of hosted apps could include a list of URI patterns that would identify the hosted app boundaries, e.g.:
  app-resources: [ "/app1/*", "/images/app1/*" ]
These resources would have to belong to the same origin as the app manifest, so it is not even needed to include the scheme/domain/port there. App resources outside of this origin would have to be listed in allow-navigation.

--
Olivier
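An added worked example of the boundary check sketched above (this code is not from the thread or from the SysApps specification; the manifest key names appResources, allowNavigation and manifestUrl, the "*" glob semantics, and the rule that permissions apply only to in-app resources are assumptions made for illustration):

```javascript
// Added example, not from the W3C thread or the SysApps spec.
// Classifies a URL against a hypothetical hosted-app manifest that lists
// same-origin "app-resources" URI patterns plus cross-origin "allow-navigation".

// Constructed sample manifest; key names and shape are assumptions.
const manifest = {
  manifestUrl: "https://example.com/app1/manifest.json",
  appResources: ["/app1/*", "/images/app1/*"],
  allowNavigation: ["https://cdn.example.net/*"],
  permissions: ["contacts"],
};

// Convert a simple glob ("*" matches any run of characters) into an
// anchored RegExp; every other character is matched literally.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Returns "app" (inside the app boundary), "navigation" (cross-origin
// target explicitly listed in allow-navigation) or "blocked".
function classifyUrl(manifest, url) {
  // new URL() normalizes dot segments, so "/app1/../app2/x" is judged as "/app2/x".
  const target = new URL(url);
  const appOrigin = new URL(manifest.manifestUrl).origin;

  if (target.origin === appOrigin) {
    // Same origin (scheme, host and port): only paths matching app-resources
    // belong to the app, so a second app on the same domain stays separate.
    const inApp = manifest.appResources.some((p) =>
      globToRegExp(p).test(target.pathname)
    );
    return inApp ? "app" : "blocked";
  }

  // Cross-origin: must be explicitly listed in allow-navigation. Patterns are
  // matched against scheme + host + path, so "http://" never matches "https://".
  const allowed = manifest.allowNavigation.some((p) =>
    globToRegExp(p).test(target.origin + target.pathname)
  );
  return allowed ? "navigation" : "blocked";
}

// Assumed policy: permissions granted to the app apply only to resources inside
// its boundary; navigation targets get none, even when listed in allow-navigation.
function permissionsFor(manifest, url) {
  return classifyUrl(manifest, url) === "app" ? manifest.permissions.slice() : [];
}

// Usage with constructed URLs.
for (const u of [
  "https://example.com/app1/index.html",
  "https://example.com/app2/index.html",
  "https://cdn.example.net/lib/widget.js",
]) {
  console.log(u, "->", classifyUrl(manifest, u), permissionsFor(manifest, u));
}
```

Note that the check keys on the full origin, so a plain "http://" URL on the same host is treated as cross-origin and is blocked unless allow-navigation lists it; and because the URL constructor resolves ".." segments before the pattern test, a path cannot escape the app-resources prefix by traversal.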


-----Original Message-----
From: Janusz Majnert [mailto:j.majnert@samsung.com]
Sent: Wednesday, July 24, 2013 9:43 AM
To: public-sysapps@w3.org
Subject: Re: Runtime and Security Model: Navigation and Permissions


On 2013-07-23 18:10, POTONNIEE Olivier wrote:
> Section 7. of the Runtime and Security Model specification mentions 
> the possibility to navigate outside of the application's origin. 
> However it does not say how this relates to the trust model defined in section 9:
>
> -              Are permissions granted to an installed application also
> granted to "external" origins if they are listed in "allow-navigation"?
> I don't think this would be the expected behavior, and it should be 
> made explicit.
>
> -              Section 9.4.5 defines the CSP that MUST apply to all
> trusted applications, and states that "There is no way for trusted 
> applications to relax this policy." Doesn't the "allow-navigation"
> property extend this CSP? It is likely that the externally accessed 
> URI will use at least external CSS (which conflicts with the CSP in 
> 9.4.5), but also possibly external scripts.
>
> Should a bug entry be opened on the repo to address this?

I think it would be good to discuss this here or in an issue on github.
The problem I see is that unlike for packaged apps that have a clear boundary, hosted apps have no way to define which resources are part of the application and which are outside. allow-navigation only makes matters worse.

--
Janusz Majnert
Samsung R&D Institute Poland
Samsung Electronics

Received on Wednesday, 24 July 2013 21:55:57 UTC