- From: Ming Jin <ming.jin.web@gmail.com>
- Date: Fri, 29 Mar 2013 00:58:15 +0900
- To: John Lyle <john.lyle@cs.ox.ac.uk>
- Cc: public-sysapps@w3.org
- Message-ID: <CAHNuU=v4RLycBLYRQ21C66s9Z=VZCgvxds71uJySY-g1nvJxdA@mail.gmail.com>
2013/3/27 John Lyle <john.lyle@cs.ox.ac.uk> > I think the main value of an 'allow-origin' manifest field would be to > implement least-privilege restrictions defined by the application itself, > rather than access control defined by the remote origin. > > I agree that CORS should be respected for browser-based apps (all hosted > apps?) > > For packaged apps, we could reuse the CSP 'connect-src' directive to > optionally constrain XHR/WebSockets. In Chrome, you can add CSP directive > to the manifest of packaged apps - > https://developer.chrome.com/beta/apps/app_csp.html - as well as defining > cross-origin permissions for extensions - > https://developer.chrome.com/extensions/xhr.html. This doesn't seem to > be the case in the current sysapps runtime spec. My opinion is that, for > packaged apps, it makes sense to support CSP rules included in the manifest > and ignore CORS, as this is the behaviour of native apps. > So your idea is basically to "ignore CORS for app:// origins, and let 'connect-src' do the job". I think this depends on whether we want to make "app://" origin CORS-friendly or no. If we want to make "app://" origin CORS-friendly, then having a different manifest entry (e.g., 'allow-origin') might be better. Origins listed in 'connect-src' but not listed in 'allow-origin' will follow CORS rules, and origins listed in both 'connect-src' and 'allow-origin' will by-pass CORS checking. Regards, Ming Jin
Received on Thursday, 28 March 2013 15:58:43 UTC