Running trusted code in the untrusted web - A writeup

For those who frown at the idea of calling native (trusted) applications from the untrusted web [1],
here is a writeup of how you could run trusted web-code inside of a untrusted web-application.

Regarding the use-cases, there are many ranging from phone-dialers on support pages to payments [2].

Since you probably do not want to rewrite browsers from scratch, the most logical
is building on running trusted code in IFRAMEs so that the existing protection scheme
can be reused.   The difference with existing IFRAMEs is that the code must be trusted
by the platform which also means that it must be fetched from the platform:

<iframe trustedapp="com.example.PaymentRequest" ... ></iframe>

This code should appear to the browser as coming from a virtual domain.
The only communication possible is through postMessage().

If the referenced application isn't available in the local cache, the browser should presumably
consult the device-specific "AppStore".

A side-effect of this "specification" is that trusted web-applications may be device-specific which
actually is a plus since it reduces the need to standardize access to the OS and HW layer.

That is, there could be a new class of standardized trusted web-applications where only
the invoke/postMessage part is standardized!

Cheers,
Anders Rundgren

1] https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html

2] Although not entirely compliant with the above, the following demo
https://mobilepki.org/WebCryptoPlusPlus
does the same thing from a user's perfective.

Received on Tuesday, 17 February 2015 05:33:19 UTC