- From: Janusz Majnert <j.majnert@samsung.com>
- Date: Wed, 24 Jul 2013 09:43:07 +0200
- To: public-sysapps@w3.org
On 2013-07-23 18:10, POTONNIEE Olivier wrote: > Section 7. of the Runtime and Security Model specification mentions the > possibility to navigate outside of the application’s origin. However it > does not say how this relates to the trust model defined in section 9: > > - Are permissions granted to an installed application also > granted to “external” origins if they are listed in “allow-navigation”? > I don’t think this would be the expected behavior, and it should be made > explicit. > > - Section 9.4.5 defines the CSP that MUST apply to all > trusted applications, and states that “There is no way for trusted > applications to relax this policy.“ Doesn’t the “allow-navigation” > property extend this CSP? It is likely that the externally accessed URI > will use at least external CSS (which conflicts with the CSP in 9.4.5), > but also possibly external scripts. > > Should a bug entry be opened on the repo to address this? I think it would be good to discuss this here or in an issue on github. The problem I see is that unlike for packaged apps that have a clear boundary, hosted apps have no way to define which resources are part of the application and which are outside. allow-navigation only makes matters worse. -- Janusz Majnert Samsung R&D Institute Poland Samsung Electronics
Received on Wednesday, 24 July 2013 07:43:43 UTC