- From: Marcos Caceres <w3c@marcosc.com>
- Date: Fri, 5 Apr 2013 09:31:02 -0700
- To: Janusz Majnert <j.majnert@samsung.com>
- Cc: public-sysapps@w3.org
On Thursday, 4 April 2013 at 01:26, Janusz Majnert wrote:

> On 2013-04-04 08:31, Marcos Caceres wrote:
> >
> > So, to summarise, we end up with two classes of "packaged apps":
> >
> > 1. run off app:// - all their resources are self contained (a lot like a "native app"). Web content can only be included through something like a sandboxed iframe or Google's proprietary <browser> tag (or whatever it was renamed to).
> >
> > 2. run off fake origin - behave just like a hosted app (+CSP adjustments). Can make use of things like Google Maps.
> >
> > Sorry this rant was kinda long and I hope it was coherent... it's something that's bugged me for a number of years about WARP.
>
> First a disclaimer: I am not trying to advocate for WARP, it was just an
> example.

Yep, totally understand that. I know we are just using it as an example.

> I think we have a perfectly good solution now: CSP + CORS. The problem,
> as Ming Jin stated in the first message, is that most servers are not
> yet CORS enabled, and even if they are, they will not recognise the
> "app://" origins of packaged apps.

Right, that's where 2 above comes in.

> To make matters worse, we still don't
> know how the origin will be constructed, will it identify the application.

Perhaps that would also mean faking the Referer header as a way of identifying the app (or coming up with a new header).

Received on Friday, 5 April 2013 16:31:33 UTC