- From: Jeffrey Yasskin <notifications@github.com>
- Date: Wed, 18 Feb 2015 16:34:17 -0800
- To: w3ctag/packaging-on-the-web <packaging-on-the-web@noreply.github.com>
Received on Thursday, 19 February 2015 00:34:45 UTC
The [introduction](https://w3ctag.github.io/packaging-on-the-web/#intro) says:

> Initiatives such as Firefox OS and Chrome OS demonstrate the potential of trusted, installable applications built with web technologies. To be used in this way, applications must be self-contained packages of resources that can be tested and signed.

Firefox OS and Chrome OS use the presence of a signature from Mozilla or Google to allow an application to request permissions that normal websites can't request. The code with access to these permissions may be tricked into mis-using them if a less-trusted application may write to its storage. However, any code running on the same [origin](https://html.spec.whatwg.org/multipage/browsers.html#origin) can write to a trusted application's storage. I think that implies that a signed package built by the owners of https://example.com/ can't have the same origin as non-packaged code fetched from https://example.com/. Maybe [suborigins](http://www.chromium.org/developers/design-documents/per-page-suborigins) (@metromoxie) can help with this.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/packaging-on-the-web/issues/24
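The storage-sharing argument in the message above, as an added example that is not part of the original e-mail or of any browser's code: a toy model of storage partitioned first by origin alone and then by origin plus a per-package label. The `suborigin` field, the `StorageModel` class, and all URLs and stored values are assumptions constructed for this sketch, loosely following the suborigin idea the message links to.

```javascript
// Added illustration, not browser or spec code: a toy model of storage partitioning.
// The `suborigin` field and all URLs/values below are constructed for this sketch.

class StorageModel {
  constructor(keyFn) {
    this.keyFn = keyFn;          // maps a browsing context to its storage partition key
    this.partitions = new Map(); // partition key -> Map of stored items
  }
  area(ctx) {
    const key = this.keyFn(ctx);
    if (!this.partitions.has(key)) this.partitions.set(key, new Map());
    return this.partitions.get(key);
  }
}

// Plain same-origin rule: only scheme, host and port matter; path and signature do not.
const byOrigin = (ctx) => new URL(ctx.url).origin;

// Assumed alternative: the key also carries a label assigned to the signed package.
const byOriginAndSuborigin = (ctx) =>
  JSON.stringify([new URL(ctx.url).origin, ctx.suborigin ?? null]);

const signedApp = { url: "https://example.com/app/index.html", suborigin: "signed-pkg" };
const unsignedPages = [
  { url: "https://example.com/forum/post.html" },    // different path, same origin
  { url: "https://EXAMPLE.com:443/uploads/x.html" }, // default port and case normalise away
  { url: "http://example.com/app/index.html" },      // different scheme, different origin
];

// Returns the URLs of unsigned pages whose write shows up in the signed app's storage.
function writersReachingSignedApp(keyFn) {
  return unsignedPages
    .filter((page) => {
      const model = new StorageModel(keyFn);
      model.area(page).set("update-server", "value-chosen-by-unsigned-page");
      return model.area(signedApp).has("update-server");
    })
    .map((page) => page.url);
}

console.log(writersReachingSignedApp(byOrigin));
console.log(writersReachingSignedApp(byOriginAndSuborigin));
```

Under the origin-only key, both unsigned `https://example.com` pages land in the signed application's partition regardless of path; with the extra label in the key, none do.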