- From: Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com>
- Date: Fri, 27 Sep 2013 15:39:10 +0200
- To: 'Marcos Caceres' <w3c@marcosc.com>
- CC: Kenneth Rohde Christiansen <kenneth.christiansen@gmail.com>, Dave Raggett <dsr@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>, "Isberg, Anders" <Anders.Isberg@sonymobile.com>
What could we achieve by using a signed manifest in combination with securely transported content? The manifest is signed by the app store and states that the url: https://www.foo.com/myapp is trusted. Content Security Policy is set to script-src 'self'. All script content must come from the same site, i.e. it should not be allowed to load script content from a 3rd party. With this model the app store can revocate the manifest similar to revocation of packaged app. BR Claes > -----Original Message----- > From: Marcos Caceres [mailto:w3c@marcosc.com] > Sent: den 26 september 2013 12:06 > To: Nilsson, Claes1 > Cc: Kenneth Rohde Christiansen; Dave Raggett; public-sysapps@w3.org; > Isberg, Anders > Subject: Hosted apps, was Re: Clarity over direction of work on runtime > and security model? > > Hi Claes, > > > On Wednesday, September 18, 2013 at 10:27 AM, Nilsson, Claes1 wrote: > > > In addition I would like to stress that Sony considers support for > hosted, i.e. not only packaged, system apps in a secure manner very > prioritized. > > With regards to hosted apps, I do too - we need to solve security at a > platform or API level. I'm not convinced that putting something in a > JSON file realistically addresses any problems (not without a > centralized point of signing and distribution … maybe fine for packaged > apps, not for hosted apps) - if we ever want to see these APIs in the > Web Platform proper (or anything that remotely looks like a hosted app), > then there is no other choice but to find some way to address how > access to privileged APIs can be achieved. > > I'm hopeful that we can do away with the idea of a "hosted app". That > is to say, we should not need to define a new tear of application to > enable more sophisticated forms of what is essentially just fancy > bookmarking: this doesn't mean doing away with the manifest or > installation API. It just means not creating artificial boundaries > between HTML documents. It's clear and undeniable that everyone wants > to be able to "put web pages on the home screen" or "install a web app". > But we need to really look closely at what we need to enable that > functionality (and what bits we already have in place in HTML to do > that - and if other implementers will be supportive of it). > > Anyway, this is something that we need to discuss over at the WebApps > WG. > > Kind regards, > Marcos >
Received on Friday, 27 September 2013 13:39:40 UTC