On 2014-06-18, 9:36 PM, Jonas Sicking wrote:
> On Thu, Jun 19, 2014 at 4:28 AM, Ehsan Akhgari <[email protected]> wrote:
> > Thanks for writing this up, Jonas!
> > Here are a couple of questions:
> > 1. If we only allow access to privileged APIs to resources that are served
> > from the "package" source through CSP, would the concern about injecting
> > inline scripts from the same origin into the code running inside the package
> > remain?
> Yes, definitely. While you're right that my example to inject a
> <script> wouldn't work as it would be prevented by the CSP policy, the
> attacker could call arbitrary trusted JS functions and pass arbitrary
> JS values to it. That will most likely result in being able to trick
> the trusted code to do bad things. Especially given how dynamic and
> untyped most JS code is.
Ah yes. This, plus what Paul mentioned, are probably going to mean that
we'd need to figure out a different origin for these packaged apps... :/
> > 2. How well do packages play with HTTP/2? One side effect of using packages
> > is that you need to download all of the code for the application in order to
> > verify the signature (assuming that we won't have per-resource signatures),
> > but HTTP/2 would allow you to only download the resources needed for the
> > current document in a minimum number of HTTP transactions. It's not
> > immediately obvious to me how we can reconcile these two models...
> We would indeed result in the whole new package being downloaded.
> Though there is work going on to support differential downloads for
> HTTP resources in general which would work if those resources happen
> to be a packaged file as well.
> So HTTP/2 and packages would work just fine together in the sense that
> neither is incompatible with the other. But packages do cause more
> data to be downloaded during an update.
Makes sense.
Cheers,
Ehsan
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g