
Re: Security use cases for packaging

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 29 Jan 2015 14:27:25 -0800
Message-ID: <CAPfop_219jEjmdNcG=irPvEHnx4=BhAv_uOeBoO1VzYTcrpJwg@mail.gmail.com>
To: Yan Zhu <yzhu@yahoo-inc.com>
Cc: Chris Palmer <palmer@google.com>, "public-webapps@w3.org" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Maybe the code from the downloaded package has to be run from a local origin like chrome://*.

Doesn't the same issue that Chris raised still exist? You need a unit
of isolation that says "only code signed with this public key runs in
this isolation compartment". Chrome extensions have that model.
Whether we achieve this via origins, COWLs, or origin+key as the
identifier, is a separate question, but Chris' high-level bit remains true.

cheers
dev
Received on Thursday, 29 January 2015 22:28:23 UTC
