Here are the various pieces we need for this. We should probably do most of the work in dependent bugs in order to keep this bug more sane.

For developer-only signing we need:

* Receive the app-developer's public key from the app-store at installation time.
* Read signatures from the appcache manifest for each loaded resource and verify them against the stored public key.

For store-signing (needed in order to implement the ability for a store to review the source of an app) we need:

* Receive a signature for all resources from the app-store at installation time. (We could do this by getting a signature from the store for the appcache manifest, and then get signatures for the individual resources from the appcache manifest.)
* Receive an updated signature from the store when an appcache update is detected.

IMHO we should add both the above capabilities.

Either way we'll also need:

* Flag all nsIPrincipals for a page loaded as part of a secure app. This needs to be done such that an is-same-origin check with a nsIPrincipal which does not have this flag returns false.
* Ensure that a "minimal CSP policy" is used when loading the signed resources. We still need to figure out what that minimal CSP policy will be.
* Add the ability to create CSP policies which say to only allow loading of signed resources. Possibly this means introducing a 'self'-like keyword, or changing the meaning of 'self' to mean only items from the same signed app.
* Make sure that the "cookie jar" used for a signed facebook.com app is different from the "cookie jar" used by unsigned facebook.com pages opened in an <iframe> inside the facebook.com app. I.e. the signed-ness should be part of the key.
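The two-tier scheme sketched above (developer signs each resource, store signs the manifest that lists those signatures, loader checks both before a resource reaches the app), as an added illustration that is not code from this bug or from Gecko. It assumes Ed25519 for both keys and a constructed manifest layout of path plus developer signature; the bug does not specify either.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
)

// Manifest maps each resource path to the developer's signature over that path
// and its body; binding the path stops a signed file being served under another name.
type Manifest map[string][]byte

func devMsg(path, body string) []byte { return append([]byte(path+"\x00"), body...) }

// canonical serialises the manifest deterministically so one store signature vouches for the whole set.
func canonical(m Manifest) []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []byte
	for _, p := range paths {
		out = append(append(out, devMsg(p, "")...), m[p]...)
	}
	return out
}

// Sign models install time: the developer signs every resource, then the store
// signs the resulting manifest. Returns the manifest and the store's signature.
func Sign(dev, store ed25519.PrivateKey, files map[string]string) (Manifest, []byte) {
	m := Manifest{}
	for p, body := range files {
		m[p] = ed25519.Sign(dev, devMsg(p, body))
	}
	return m, ed25519.Sign(store, canonical(m))
}

// VerifyLoad is the loader-side check: store signature over the manifest, then
// developer signature over the bytes actually fetched. Any failure must block the load.
func VerifyLoad(m Manifest, storeSig []byte, devPub, storePub ed25519.PublicKey, path, fetched string) error {
	if !ed25519.Verify(storePub, canonical(m), storeSig) {
		return fmt.Errorf("manifest not signed by store")
	}
	sig, ok := m[path]
	if !ok || !ed25519.Verify(devPub, devMsg(path, fetched), sig) {
		return fmt.Errorf("%s: missing or invalid developer signature", path)
	}
	return nil
}
```

A resource that is not in the manifest, whose body differs from what was signed, or whose manifest the store did not sign is refused rather than loaded as an unsigned page.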
This bug should start out with a peer reviewed spec that we can all agree is what we're doing so we don't miss our target later. Is there an existing one already?
https://wiki.mozilla.org/Apps/Security is that spec, though it's due for an update from the results of the work week.
https://wiki.mozilla.org/Apps/Security is the spec for now, and I need to update a few things.
Depends on: 768029
Depends on: 769568
Depends on: 772363
Depends on: 772364
Depends on: sign-packaged-apps
Depends on: 768862
Depends on: 758269
Not blocking on metabug, Jonas is marking the dependents.
blocking-basecamp: ? → -
Alias: trusted-apps → privileged-apps
Depends on: 790558
Summary: Implement trusted apps → Implement privileged apps
Closing - we've finished the work here for v1. For post-v1 work, watch bug 863032.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED