
Re: App Manifest & API Proposal

From: Anant Narayanan <anant@mozilla.com>
Date: Mon, 14 May 2012 11:05:28 -0700
Message-ID: <4FB14968.3050702@mozilla.com>
To: public-webapps@w3.org

On 5/14/12 10:47 AM, Mounir Lamouri wrote:
> I don't think we can justify the choice of one app per origin just
> because it's how browsers work nowadays regarding security and
> permissions. This is an implementation detail and we shouldn't write
> specs based on implementation details. And that might be true only for
> some browsers and not for others.

Agree wholeheartedly!

> In addition, how permissions are currently handled already has serious
> limitations which would make the app security model hard to implement if
> we stick to a simple origin definition. For example, if I go to
> foo.example.com from APP1 (because APP1 is from that origin or because
> I'm browsing that website from that app) and then I go to
> foo.example.com from APP2, should permissions given when I was using
> APP1 be given to APP2? I don't think we should. Concretely that means that
> a website accessed from its dedicated app and the same website browsed
> from a browser app would have the same permissions or that a website
> browsed from browser foo and the same website browsed from browser bar
> would also have the same permissions.

I don't understand this scenario fully. Permissions given to an app are
tied to its origin and cannot be extended to any other domain,
irrespective of whether that domain was accessed via the app (an iframe
or something else). We do not allow an app to navigate outside its
origin at the top-level window.

> IMO, the manifest URL should be the unique identifier for an application
> so we should not restrict applications per origin and the security
> model should consider that permissions were given to a specific origin
> inside a specific application.

I'm not sure how this would work. Not only do we have to isolate API 
permissions between two apps from the same domain, but also other things 
like cookie jars, localStorage, indexedDB, XHR, and so on.

How will you enforce App1 from being unable to XHR to App2 even though 
they're both from the same domain? In particular, how do you know what 
pages from a given domain belong to which app? One possibility is to 
allow suffixes: (example.org/app1, example.org/app2), but the manifest 
URL by itself is insufficient.

-Anant
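Added illustration (not code from the thread or from any Mozilla project) of the two identity models argued over above: keying an app's permission/storage bucket by origin alone versus by origin plus a path prefix derived from the manifest URL, the "suffix" idea in the last paragraph. The app registrations and page URLs are constructed sample data; the point shown is that under origin-only keying a page on example.org cannot be attributed to exactly one of two apps from that domain, so cross-app isolation has nothing to enforce against.

```javascript
// Constructed sample registrations: two apps on one origin, one elsewhere.
const apps = [
  { name: "APP1", manifest: "https://example.org/app1/manifest.webapp" },
  { name: "APP2", manifest: "https://example.org/app2/manifest.webapp" },
  { name: "APP3", manifest: "https://other.example/manifest.webapp" },
];

// Model 1: "one app per origin" -- the bucket key is just the origin.
function originKey(manifestUrl) {
  return new URL(manifestUrl).origin;
}

// Model 2: origin + directory of the manifest, e.g. https://example.org/app1/
// (the trailing slash keeps /app1/ from matching /app10/).
function scopeKey(manifestUrl) {
  const u = new URL(manifestUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  return u.origin + dir;
}

// Which registered apps does a page URL fall under, given a keying function?
// Origin keying: every example.org page matches both APP1 and APP2.
// Scope keying: a page matches at most one app.
function appsForPage(pageUrl, keyFn) {
  const page = new URL(pageUrl);
  const full = page.origin + page.pathname;
  return apps.filter(a => full.startsWith(keyFn(a.manifest))).map(a => a.name);
}

// Isolation decision for a request from a page of `fromApp` to `toUrl`:
// "same-app" or "cross-app" when the destination is attributable to one app,
// "ambiguous" when the keying cannot tell which app owns the destination.
function classifyRequest(fromApp, toUrl, keyFn) {
  const owners = appsForPage(toUrl, keyFn);
  if (owners.length !== 1) return "ambiguous";
  return owners[0] === fromApp ? "same-app" : "cross-app";
}
```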
Received on Monday, 14 May 2012 18:05:57 GMT