w3ctag / packaging-on-the-web

OBSOLETE: Guidance about how to provide packages of information on the web.

What's the origin of a signed package? #24

Open jyasskin opened 9 years ago

jyasskin commented 9 years ago

The introduction says:

Initiatives such as Firefox OS and Chrome OS demonstrate the potential of trusted, installable applications built with web technologies. To be used in this way, applications must be self-contained packages of resources that can be tested and signed.

Firefox OS and Chrome OS use the presence of a signature from Mozilla or Google to allow an application to request permissions that normal websites can't request. The code with access to these permissions may be tricked into mis-using them if a less-trusted application may write to its storage. However, any code running on the same origin can write to a trusted application's storage. I think that implies that a signed package built by the owners of https://example.com/ can't have the same origin as non-packaged code fetched from https://example.com/.

Maybe suborigins (@metromoxie) can help with this. [Edit: Nope: "there should be no way for Suborigins to obtain such permissions"]
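
Added example, not part of the original thread or of any browser's code: a toy JavaScript model of the concern raised in the comment above, where storage keyed only by origin is shared between a signed package and unsigned code on https://example.com/. `StorageModel`, the `signedBy` field, the signer name and the second keying policy are hypothetical names introduced for illustration.

```javascript
// Toy model (constructed for illustration) of origin-keyed browser storage.
// A bucket is selected by the origin tuple (scheme, host, port), so every
// document that serializes to the same origin shares one bucket.
const DEFAULT_PORTS = { 'https:': '443', 'http:': '80' };

// Serialize a URL to its origin tuple, normalising default ports.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol]}`;
}

class StorageModel {
  // keyFn decides which bucket a document context is given.
  constructor(keyFn) { this.keyFn = keyFn; this.buckets = new Map(); }
  bucketFor(ctx) {
    const key = this.keyFn(ctx);
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
}

// Hypothetical contexts: signedBy is set only for code loaded from a signed package.
const signedApp = { url: 'https://example.com/app/index.html', signedBy: 'vendor-key-1' };
const plainPage = { url: 'https://example.com/blog/post.html', signedBy: null };

// Policy A: key by origin only (ordinary same-origin storage).
const byOrigin = (ctx) => originOf(ctx.url);

// Policy B (hypothetical): a signed package gets a key distinct from its origin.
const byOriginAndSigner = (ctx) =>
  ctx.signedBy ? `${originOf(ctx.url)}#signed:${ctx.signedBy}` : originOf(ctx.url);

// Returns true when the unsigned page can change state the signed app reads back.
function unsignedCanTamper(keyFn) {
  const store = new StorageModel(keyFn);
  store.bucketFor(signedApp).set('config', 'written-by-signed-app');
  store.bucketFor(plainPage).set('config', 'overwritten-by-unsigned-page');
  return store.bucketFor(signedApp).get('config') !== 'written-by-signed-app';
}

console.log('origin-only keying, tamper possible:', unsignedCanTamper(byOrigin));
console.log('origin+signer keying, tamper possible:', unsignedCanTamper(byOriginAndSigner));
```
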

joelweinberger commented 9 years ago

That quote isn't accurate to the world today. It's looking more and more like Suborigins will allow at least some form of permissions, to be determined exactly how. So, yes, Suborigins might help. You can check out my latest draft of the spec to get a sense of what's going on: https://metromoxie.github.io/webappsec/specs/suborigins/index.html

tanx commented 8 years ago

Origin is also relevant considering this issue. So just linking it for reference: https://github.com/w3ctag/packaging-on-the-web/issues/29