RE: The app: URI scheme

> -----Original Message-----
> From: Fabrice Desre [mailto:fabrice@mozilla.com]
> Sent: Wednesday, February 27, 2013 2:32 AM
> To: Janusz Majnert
> Cc: public-sysapps@w3.org
> Subject: Re: The app: URI scheme
> On 02/26/2013 05:15 AM, Janusz Majnert wrote:
>> May I ask why, in that case, is FirefoxOS documentation saying that
>> there should only be one app manifest served from any single origin [1]?
> 
> This is a legacy limitation, but our security model now allows
> different apps per origin, uniquely identified by their manifest URL.
> We plan to remove this "one app per origin" from our implementation of
> the mozApps API in the near future.
> 
> This also means that even if their origin is similar, all the data
> jars (localStorage, cookies, indexedDB) are isolated for each app, and
> isolated from web content from this origin.

I think this is conflicting with Mounir's claim from [1], in which he said that apps installed from "http://example.com/maps/manifest.webapp" and "http://example.com/reader/manifest.webapp" are sharing the same origin and hence sharing the same data, although I agree with your opinion that we should isolate data from different applications (in normal situations).

[1] http://lists.w3.org/Archives/Public/public-sysapps/2013Feb/0168.html 

I'm a little bit confused by Mozilla's approach towards application id, origin, and manifest. According to my understanding of Mozilla's execution model proposal, the application id is equal to the manifest URL [2], and the application origin is the origin of the manifest URL [3]. Since the manifest URL is served over the "http:" or "https:" protocol, according to [3], the origin of both packaged and hosted apps will be based on the "http:" or "https:" scheme. This seems to be consistent for hosted apps. But for packaged apps, the proposal additionally defines the "app:" URI scheme for local web pages, which allows the UA to compute the origin of local web pages as an "app:" based origin. This results in the application's "origin" and the application resource's "origin" appearing to be different for packaged apps. Is this intentional or have I understood something wrong?

[2] http://mounirlamouri.github.com/sysapps/proposals/RunTime-Security/Overview.html#dfn-application-manifest 
[3] http://mounirlamouri.github.com/sysapps/proposals/RunTime-Security/Overview.html#dfn-application-s-origin

Whatever the origin policy is, I agree that installed applications should not share data jars with each other in normal situations. However, will there be any use cases where the developer might want to share some data jars among different applications that he/she made, since there's no easy way to share data among different web apps?

Regards,
Ming Jin

Received on Wednesday, 27 February 2013 05:14:51 UTC
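
The two readings contrasted in this message (jars shared per origin versus jars isolated per app and from web content) can be modelled as follows. This is an added example, not part of the original message and not Mozilla's implementation; `jarKey`, `JarStore`, the policy names and the `index.html` page URLs are hypothetical.

```javascript
// Added illustration; the policy names and JarStore are hypothetical, not the mozApps API.
const WEB_CONTENT = null; // constructed marker: page loaded as ordinary web content, not as an app

// Returns the key that selects a data jar (localStorage, cookies, indexedDB) under a policy.
function jarKey(policy, manifestUrl, pageUrl) {
  const origin = new URL(pageUrl).origin;
  if (policy === "per-origin") {
    // Jar chosen by origin only: every app and web page on that origin shares it.
    return origin;
  }
  if (policy === "per-app") {
    // Jar chosen by (app id, origin), with the app id being the manifest URL.
    const appId = manifestUrl === WEB_CONTENT ? "web" : new URL(manifestUrl).href;
    return JSON.stringify([appId, origin]);
  }
  throw new Error("unknown policy: " + policy);
}

class JarStore {
  constructor(policy) { this.policy = policy; this.jars = new Map(); }
  jar(manifestUrl, pageUrl) {
    const key = jarKey(this.policy, manifestUrl, pageUrl);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }
  setItem(manifestUrl, pageUrl, name, value) { this.jar(manifestUrl, pageUrl).set(name, value); }
  getItem(manifestUrl, pageUrl, name) {
    const v = this.jar(manifestUrl, pageUrl).get(name);
    return v === undefined ? null : v;
  }
}

// The two manifest URLs quoted in the message; the page URLs below are constructed.
const MAPS = "http://example.com/maps/manifest.webapp";
const READER = "http://example.com/reader/manifest.webapp";

// Writes a value as the maps app, then reports what each context can read back.
function demo(policy) {
  const store = new JarStore(policy);
  store.setItem(MAPS, "http://example.com/maps/index.html", "token", "maps-secret");
  return {
    maps: store.getItem(MAPS, "http://example.com/maps/index.html", "token"),
    reader: store.getItem(READER, "http://example.com/reader/index.html", "token"),
    web: store.getItem(WEB_CONTENT, "http://example.com/", "token"),
  };
}
```
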