Re: App Manifest & API Proposal

On 05/12/2012 08:02 PM, Anant Narayanan wrote:
> Q. Why only one app per origin?
> 
> A. We originally placed this restriction for security reasons. In
> Firefox (and most other browsers), the domain name is the primary
> security boundary - cookie jars, localStorage, XHRs are all bound to the
> domain. For supporting multiple apps per domain we would have to do some
> extra work to ensure that (potentially sensitive) permissions granted to
> one app do not leak into another app from the same domain. Additionally,
> this lets us use the origin of the domain as a globally unique
> identifier. Note that app1.example.org and app2.example.org are two
> different origins under this scheme.
> 
> That said, we've received a lot of developer feedback about the
> inconvenience of this restriction, and we are actively looking to lift
> it [3]. We cannot do this without a few other changes around permissions
> and enforcing specific UA behavior in "app mode" (as opposed to "browser
> mode"), but is something we can work towards.

I don't think we can justify the choice of one app per origin just
because it's how browsers work nowadays regarding security and
permissions. This is an implementation detail and we shouldn't write
specs based on implementation details. And that might be true only for
some browsers and not for others.

In addition, how permissions are currently handled already has serious
limitations which would make the app security model hard to implement if
we stick to a simple origin definition. For example, if I go to
foo.example.com from APP1 (because APP1 is from that origin or because
I'm browsing that website from that app) and then I go to
foo.example.com from APP2, should permissions given when I was using
APP1 be given to APP2? I don't think we should. Concretely that means that
a website accessed from its dedicated app and the same website browsed
from a browser app would have the same permissions or that a website
browsed from browser foo and the same website browsed from browser bar
would also have the same permissions.

IMO, the manifest URL should be the unique identifier for an application
so we should not restrict applications per origin and the security
model should consider that permissions were given to a specific origin
inside a specific application.

Cheers,
--
Mounir
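The following is an added illustration, not code from this thread or from any browser's app runtime. It models the two permission-scoping policies argued about above: grants keyed by origin alone (the browser's usual boundary) versus grants keyed by (app manifest URL, origin), which is what the reply proposes. The `PermissionStore` class, the `simulate` function, the manifest URLs and the `geolocation` permission name are all assumptions constructed for the example.

```javascript
// Added example: a toy permission store with two scoping policies, so the
// cross-app leak described in the thread can be checked concretely.
// All names and sample URLs below are constructed for this illustration.

function originOf(pageUrl) {
  // The browser security boundary: scheme + host + port.
  return new URL(pageUrl).origin;
}

class PermissionStore {
  // policy: 'origin'     -> grants keyed by origin only
  //         'app-origin' -> grants keyed by (app manifest URL, origin)
  constructor(policy) {
    if (policy !== 'origin' && policy !== 'app-origin') {
      throw new Error(`unknown policy: ${policy}`);
    }
    this.policy = policy;
    this.grants = new Set();
  }

  key(appManifestUrl, pageUrl, permission) {
    const origin = originOf(pageUrl);
    // NUL separators keep the key unambiguous even if a field contains '|'.
    return this.policy === 'origin'
      ? `${origin}\u0000${permission}`
      : `${appManifestUrl}\u0000${origin}\u0000${permission}`;
  }

  grant(appManifestUrl, pageUrl, permission) {
    this.grants.add(this.key(appManifestUrl, pageUrl, permission));
  }

  isGranted(appManifestUrl, pageUrl, permission) {
    return this.grants.has(this.key(appManifestUrl, pageUrl, permission));
  }
}

// Constructed sample: two apps, identified by manifest URL as the reply
// proposes, both end up displaying a page from foo.example.com. The user
// grants geolocation only while inside APP1.
const APP1 = 'https://app1.example.org/manifest.webapp';
const APP2 = 'https://app2.example.org/manifest.webapp';
const PAGE = 'https://foo.example.com/map';

function simulate(policy) {
  const store = new PermissionStore(policy);
  store.grant(APP1, PAGE, 'geolocation');
  return {
    // Did the grant reach the app it was made in?
    app1: store.isGranted(APP1, PAGE, 'geolocation'),
    // Did it leak to a different app showing the same origin?
    app2: store.isGranted(APP2, PAGE, 'geolocation'),
    // A different origin of the same site stays separate under either policy.
    app1OtherOrigin: store.isGranted(APP1, 'https://bar.example.com/', 'geolocation'),
  };
}

console.log(JSON.stringify({
  origin: simulate('origin'),
  'app-origin': simulate('app-origin'),
}, null, 2));
```

Under the `origin` policy the grant made inside APP1 is visible to APP2 as soon as APP2 shows a page from the same origin; under `app-origin` it is not, while the grant is still honoured within APP1. The origin check at the end also confirms the point from the quoted reply that app1.example.org and app2.example.org are distinct origins regardless of policy.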

Received on Monday, 14 May 2012 17:48:00 UTC