- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 4 May 2016 07:51:37 +0200
- To: mcaceres@mozilla.com
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Richard Barnes <rbarnes@mozilla.com>, Mike West <mkwst@google.com>
On 2016-05-04 00:54, mcaceres@mozilla.com wrote:
>
>> On 4 May 2016, at 6:43 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> This is weird.
>> All Mozilla folks I have been in contact with (=many) have rejected Native Messaging but now they are doing it anyway:
>> https://wiki.mozilla.org/WebExtensions/Native_Messaging
>
> Web extensions are browser extensions and not part of the web.

Well, the W3C seems a bit divided on what is the Web or not:
https://lists.w3.org/Archives/Public/public-browserext/

The market OTOH doesn't care at all about this distinction; developers only want to make the best possible applications. I'm one :-)

Native messaging is just another way of extending browsers than calling native Web services on 127.0.0.1 which you may be able to do using the "true" Web.

So is calling 127.0.0.1 now the recommended solution? This is something the browser vendors should agree on.

IMO the 127.0.0.1 concept has severe limitations, the called services don't even receive the security context of the calling page. IPC is the solution existing in-machine communication schemes use and for very good reasons!

>> Personally I don't see the purpose with behind-the-curtain sub-standards.
>
> It's not. Those APIs don't show up in browser content.

Google's solution for Android Wallets does that although it is still pretty unclear what the Web Payment WG actually is doing here.

That the W3C browserext CG and Mozilla are building on Chrome's desktop solution is really sad. A native extension should be a standard native executable (installed from an "App Store"), with built-in meta-data indicating for the Web/OS runtime that it is certified/adapted for being called from the open Web using a browser-level API.

Anders

>
>>
>> The TAG and WebAppSec folks have had ample of time discussing this topic including a concrete proposal:
>> https://lists.w3.org/Archives/Public/public-web-security/2015Apr/0012.html
>>
>> A security review of Google's take on Native Messaging:
>> https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0071.html
>>
>> Anyway, it was a bit reassuring seeing that my assertion that native messaging is inevitable turned out to be correct :-)
>> I'm pretty sure that my analysis of the Web Payment API (=total failure) unfortunately will prove to hold as well.
>>
>> Anders

Received on Wednesday, 4 May 2016 05:52:23 UTC