Re: The app: URI scheme

On 27/02/13 05:14, Ming Jin wrote:
>> -----Original Message-----
>> From: Fabrice Desre [mailto:fabrice@mozilla.com]
>> Sent: Wednesday, February 27, 2013 2:32 AM
>> To: Janusz Majnert
>> Cc: public-sysapps@w3.org
>> Subject: Re: The app: URI scheme
>> On 02/26/2013 05:15 AM, Janusz Majnert wrote:
>>> May I ask why, in that case, is FirefoxOS documentation saying that
>>> there should only be one app manifest served from any single origin [1]?
>>
>> This is an legacy limitation, but our security model now allows
>> different apps per origin, uniquely identified by their manifest URL.
>> We plan to remove this "one app per origin" from our implementation of
>> the mozApps API in the near future.
>>
>> This also means that even if their origin is similar, all the data
>> jars (localStorage, cookies, indexedDB) are isolated for each app, and
>> isolated from web content from this origin.
> 
> I think this is conflicting with Mounir's claim from [1], in which he said that apps installed from "http://example.com/maps/manifest.webapp" and "http://example.com/reader/manifest.webapp" are sharing the same origin and hence sharing the same data, although I agree with your opinion that we should isolate data from different applications (in normal situations).

That's me speaking too fast. I actually wrote that code that makes two
hosted apps not able to share the same data ;). However, two apps within
the same origin (ie. from the same author) can virtually share anything
through their server.

> I'm a little bit confused with Mozilla's approach towards application id, origin, and manifest. According to my understanding from Mozilla's execution model proposal, application id is equal to manifest URL [2], and application origin is the origin of manifest URL [3]. Since manifest URL is served over "http:" or "https:" protocol, according to [3], the origin of both packaged and hosted apps will be based on "http:" or "https:" scheme. This seems to be consistent for hosted apps. But for packaged apps, the proposal additionally defines "app:" URI scheme for local web pages, which allows UA to compute the origin of local web pages as "app:" based origin. This results application's "origin" and application resource's "origin" appear to be different for packaged apps. Is this intentional or have I understood something wrong?

It's simply a mistake because the "application origin" is defined too
early (when there is no packaged application defined yet). The
application origin for a packaged application should look like this:
 app://e35b8412-7451-46e7-ab29-0cee24fd486a/
like the packaged application URI (see 4.3).

> Whatever the origin policy is, I agree that the installed applications should not share the data jars from each other in normal situations. However, will there be any use cases where the developer might want to share some data jars among different applications that he/she made since there's no easy way to share data among different web apps?

For the moment, in Firefox OS, the best way to do so is to use a server.
But two applications are able to collaborate via Web Activities which
isn't a mechanism to communicate nor to share data. I have a
cross-application communication API drafted that might be used later. As
soon as two applications can communicate, they can share data as much as
they want.

Thank you for those good comments and spotting the mistakes in our
proposal :)

Cheers,
--
Mounir

Received on Wednesday, 27 February 2013 21:28:37 UTC