Closed RossComputerGuy closed 5 years ago
There's no way to limit interaction with the browser APIs. Even if all of it were proxied via some internal namespace, a developer can just get around that by not using it.
The server has authoritative routing, so the communication between the server can be secured with groups or JWTs w/scopes etc. (custom adapter).
Service providers can probably be limited for specific applications, but usually the ones that can potentially expose a security concern communicate with the server somehow -- which is solved with what I mentioned in the previous comment.
But might be worth investigating nonetheless.
Seeing how the permission support on the server-side solves the most critical parts of the security concerns, I'm going to close this issue. There's no way to control the developers' usage of browser APIs without actually doing something at compile time, which is a bit outside the scope here.
Applications should have a list of permissions to access specific things. This could be useful for security reasons, so the user could stop a specific application from doing malicious things.