- From: John Lyle <john.lyle@cs.ox.ac.uk>
- Date: Mon, 14 Jan 2013 18:46:47 +0000
- To: public-sysapps@w3.org

On 12/01/13 16:08, Ming Jin wrote:
> I think we should consider pages delivered with "http" in a "system application", otherwise it will create a non-trivial burden for web app developers.

Really? I don't think requiring https is actually that much to ask. Given that system applications have access to new, privileged APIs, the least they should do is guarantee their integrity and the security of their transport, and ideally their authenticity as well.

As an app developer you can either create a packaged app (which can still use XHR / WebSockets for downloading content over http) or use https. Both alternatives prevent in-transit tampering of program code and provide the necessary pre-requisites for defining the scope of the application with CSP and feature permissions.

If a web app doesn't need the additional privileges, it can be turned into a website and hosted however the developer wishes.

Best wishes,

John

Received on Monday, 14 January 2013 18:47:09 UTC