
RE: Discussing security model of sysapps

From: Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com>
Date: Wed, 2 Apr 2014 12:18:20 +0200
To: 'Marcos Caceres' <w3c@marcosc.com>, GALINDO Virginie <virginie.galindo@gemalto.com>, "public-sysapps@w3.org" <public-sysapps@w3.org>
Message-ID: <6DFA1B20D858A14488A66D6EEDF26AA302765E37A7E7@seldmbx03.corpusers.net>
> > - The notion of trusted application seemed to be challenged. Where
> > does the WG want to go on that notion?
> Personally, I'd like us to keep building on the Web security model.
> Making arbitrary exceptions for packaged apps or changing the security
> model of the Web will lead to fragmentation in the API surface and
> centralization of distribution. We've seen this with all packaged app
> ecosystems that have been built in the last 7 years.
> We are beginning to look at the notion of a "trusted application" as
> part of the manifest in Web apps for when a user explicitly decides to
> "install/add-to-homescreen/whatever" a web application. If the
> application meets some predefined criteria (e.g., served over SSL, has
> a Service Worker, etc.), this may grant some additional privileges to
> an application by default (e.g., unrestricted storage, higher priority
> caching etc.)... but we are still at the "research" stage with that.

I think that this is going in the right direction. However, the main issue of API access remains. As mentioned before, which level of security could be done with manifest, TLS/SSL, CORS, CSP? This is something we are also investigating.


Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878


Received on Wednesday, 2 April 2014 10:18:52 UTC
