Re: [sysapps/runtime] cross origin XHR in packaged apps

On Wed, Mar 27, 2013 at 1:51 AM, Ming Jin <ming79.jin@samsung.com> wrote:
> Hi SysApps,
>
> I'd like to discuss supporting cross-origin XHR in packaged apps.
>
> *Problem statement*
> In the current runtime proposal, local resources in a packaged app have an
> "app://" based origin, and every XHR request to an http/https URL will
> initiate a cross-origin XHR. Since most servers are not aware of the "app://"
> origin and are not even CORS-enabled, the XHR will simply fail due to the
> same-origin policy.
>
> *Existing approaches*
> Firefox OS provides a modified XHR API (new XMLHttpRequest({mozSystem:
> true});) to relax same-origin restrictions [1], and Chrome allows Extensions
> to specify origin white-listing to by-pass CORS checking [2].
>
> *Analysis*
> In general, it'll be better to reuse existing XHR without modification, and
> also better to provide the cross-origin XHR functionality to as many apps as
> possible (i.e., not only restricted to "certified" apps).
>
> Adding a manifest entry (e.g., "allow-origin") to white-list the origins
> seems to be a better approach, but the manifest entry should not be
> applicable to hosted apps (otherwise it defeats the purpose of CORS). Since
> the "app://" origin only makes sense locally to the device, by-passing CORS
> checking for local resources also makes sense.
>
> *Proposed change*
> Introduce a new manifest entry (e.g., "allow-origin"), and put additional
> description on that to indicate that it's only applicable to local resources
> of packaged apps.
>
> So what's your opinion?

First off I think we should enable some way for packaged apps to be
same-origin with their "home site". I.e. if a developer is running a
website on http://www.example.com it should be possible for this
developer to somehow distribute a packaged app that is same-origin
with http://www.example.com.

There's some discussion around the challenges with this in [1].

However I also like the idea of enabling a privileged app to do
network connections to a white-list of websites. So basically a variant
of the Firefox OS systemXHR and tcpsocket that only allows requests to
a particular set of websites. This would be strictly more secure than
what Firefox OS does now.

This could be accomplished by adding additional information to those
permissions in the manifest. So something like:

permissions: {
  systemXHR: {
    description: "...",
    servers: ["https://www.foo.com", "https://www.bar.com"]
  }
}

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=852720

/ Jonas

Received on Monday, 1 April 2013 13:27:45 UTC
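
Added example, not part of the original message or of any runtime's code: one way a runtime could enforce the proposed "servers" list by exact origin comparison. The manifest values are constructed, and the helper names compileAllowList and isRequestAllowed are hypothetical.

```javascript
// Constructed sample manifest; "servers" is the field proposed in the message.
const manifest = {
  permissions: {
    systemXHR: {
      description: "constructed sample",
      servers: ["https://www.foo.com", "https://www.bar.com"]
    }
  }
};

const NETWORK_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical helper: turn the manifest entries into a set of serialized
// origins (scheme://host[:port]). Anything that is not a bare origin is
// rejected up front instead of being silently truncated to its origin.
function compileAllowList(manifest, permission) {
  const entry = (manifest.permissions || {})[permission] || {};
  const origins = new Set();
  for (const server of entry.servers || []) {
    const u = new URL(server); // throws TypeError on unparsable input
    const bare = u.pathname === "/" && !u.search && !u.hash &&
                 !u.username && !u.password;
    if (!NETWORK_SCHEMES.has(u.protocol) || !bare) {
      throw new Error("not a bare http(s) origin: " + server);
    }
    origins.add(u.origin);
  }
  return origins;
}

// Hypothetical helper: allow a request only when its origin is an exact
// member of the set. Parsing with URL lower-cases the host and drops the
// default port, so string tricks (suffixes, userinfo) do not match.
// Schemes with an opaque origin (serialized as "null") never match.
function isRequestAllowed(allowed, requestUrl) {
  let u;
  try {
    u = new URL(requestUrl);
  } catch (e) {
    return false;
  }
  return NETWORK_SCHEMES.has(u.protocol) && allowed.has(u.origin);
}

const allowed = compileAllowList(manifest, "systemXHR");
```

A runtime using a check like this would apply it to every redirect target as well as to the initial request URL.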