Re: [sysapps/runtime] cross origin XHR in packaged apps

On 02/04/13 11:46, Robin Berjon wrote:
> What you really want out of this process is for the origin server to
> tell the runtime "yeah it's okay for this app to use my origin". You
> also probably want it to say "and have it run as if it were at this URL"
> in order to avoid URL space conflicts.
>
> At the same time, this needs to be really easy to deploy on the server.
> It should be possible to drop in some PHP/Node module/whatever, give it
> a pointer to the app, and all should be rosy. You could have something
> like this in the manifest:
>
>      "originCheck": "http://sicking.cc/check-app/"
>
> The runtime would then hit that URL in order to figure out if the app is
> allowed to use that origin. The exact details of the protocol depend on
> what we want to defend against. The endpoint can't just return 200 or
> echo something it's given because otherwise it's too easy to just hijack
> an existing service. It should at the very least perform some
> computation on the input. For instance, it could get a hash of the
> manifest and a nonce from the runtime, and return something based on those.

I would like to hear more about the issues around using signing.

My assumption is that for a signed app, the browser/web run-time can 
check the integrity of the app's components, and can also check the 
signature via a query against the origin declared in the app's manifest.

The origin check, to use Robin's terminology, should be resistant to 
man-in-the-middle attacks. My perhaps naive suggestion would be to ask the 
server to sign something suitable** provided in the query, so that the 
browser can verify that it has been signed with the same public key as 
was used for signing the manifest. Presumably the public key should 
itself be part of the manifest. If that key is revoked the app would 
need to be reinstalled.

This does present a burden for the server and app developer. They need 
to manage a public/private key pair, but don't require a certificate 
authority, except perhaps to ease revocation. The server needs to make 
it easy for trusted developers to sign their apps, and to provide the 
origin check support.

** e.g. a statement that this origin can be used with this manifest (as 
designated by a crypto hash of the manifest), plus a nonce provided by 
the browser.

-- 
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett

Received on Tuesday, 2 April 2013 11:31:15 UTC