Closed Bug 756729 (privileged-apps) Opened 13 years ago Closed 12 years ago

Implement privileged apps

Categories

(Core Graveyard :: DOM: Apps, defect)

Not set
normal

Tracking

(blocking-basecamp:-)

RESOLVED FIXED

People

(Reporter: sicking, Unassigned)

References

Details

(Keywords: meta)

Here's the various pieces we need for this. We should probably do most of the work in dependent bugs in order to keep this bug more sane.

For developer-only signing we need:

* Receive the app-developer's public-key from the app-store at installation time.
* Read signatures from the appcache manifest for each loaded resource and verify them against the stored public-key.

For store-signing (needed in order to implement the ability for a store to review the source of an app) we need:

* Receive a signature for all resources from the app-store at installation time. (We could do this by getting a signature from the store for the appcache manifest, and then get signatures from the manifest for the individual resources from the appcache manifest.)
* Receive an updated signature from the store when an appcache update is detected.

IMHO we should add both the above capabilities.

Either way we'll also need:

* Flag all nsIPrincipals for a page loaded as part of a secure app. This needs to be done such that an is-same-origin check with a nsIPrincipal which does not have this flag returns false.
* Ensure that a "minimal CSP policy" is used when loading the signed resources. We still need to figure out what that minimal CSP policy will be.
* Add the ability to create CSP policies which say to only allow loading of signed resources. Possibly this means introducing a 'self'-like keyword. Or change the meaning of 'self' to mean only items from the same signed app.
* Make sure that the "cookie jar" used for a signed facebook.com app is different from the "cookie jar" used by unsigned facebook.com pages opened in an <iframe> inside the facebook.com app. I.e. the signed-ness should be part of the key.
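The following is an added illustration of the developer-signing pieces listed above (pin the developer's public key at install time, verify each resource's manifest signature against the pinned key, make signed-ness part of the same-origin check and the cookie-jar key). It is not Mozilla's code and does not reflect how Gecko implements nsIPrincipal or the appcache; the names `InstalledApp`, `Principal`, `install_app`, `load_resource`, `same_origin` and `cookie_jar_key` are assumed for the example. The signature primitive is a textbook RSA-over-SHA-256 stand-in written here so the example runs with the standard library alone; a real implementation would use a proper signature scheme from a crypto library.

```python
"""Install-time key pinning and per-resource signature checks for a signed app (example only)."""
import hashlib
import random
from dataclasses import dataclass

# --- Stand-in signature primitive: textbook RSA over SHA-256, no padding. ---
# Written for this example only; not a production signature scheme.

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); n exceeds 2**256 so a SHA-256 digest fits as a message."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def sign(private_key, data):
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# --- App installation: the developer key is received once and pinned. ---

@dataclass(frozen=True)
class InstalledApp:
    origin: str
    developer_key: tuple   # public key received from the store at install time
    manifest: dict         # resource path -> hex signature, read from the appcache manifest

def install_app(origin, developer_key, manifest):
    return InstalledApp(origin, developer_key, dict(manifest))

def load_resource(app, path, body):
    """Accept a resource only if its manifest signature verifies under the pinned key."""
    sig_hex = app.manifest.get(path)
    if sig_hex is None:
        return False  # resource not listed in the signed manifest: refuse to load it
    return verify(app.developer_key, body, int(sig_hex, 16))

# --- Principals: signed-ness is part of origin identity and of the cookie-jar key. ---

@dataclass(frozen=True)
class Principal:
    origin: str
    signed_app: bool

def same_origin(a, b):
    # A signed app and an unsigned page from the same host are NOT same-origin.
    return a.origin == b.origin and a.signed_app == b.signed_app

def cookie_jar_key(principal):
    return (principal.origin, "signed" if principal.signed_app else "unsigned")

def demo():
    """Constructed scenario: genuine, tampered, unlisted and wrong-key resources."""
    dev_pub, dev_priv = generate_keypair()
    resources = {"/index.html": b"<html>app</html>", "/app.js": b"console.log('hi')"}
    manifest = {p: format(sign(dev_priv, b), "x") for p, b in resources.items()}
    app = install_app("https://facebook.com", dev_pub, manifest)
    genuine = load_resource(app, "/app.js", resources["/app.js"])
    tampered = load_resource(app, "/app.js", resources["/app.js"] + b"//x")
    unlisted = load_resource(app, "/extra.js", b"alert(1)")
    _, other_priv = generate_keypair()  # a different developer's key
    forged = install_app("https://facebook.com", dev_pub,
                         {"/app.js": format(sign(other_priv, resources["/app.js"]), "x")})
    wrong_key = load_resource(forged, "/app.js", resources["/app.js"])
    return genuine, tampered, unlisted, wrong_key

if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

The point the check enforces is that only the key received at install time decides what may load: a resource whose body changed, a resource the manifest never listed, or a manifest entry signed by some other key are all rejected, and the principal helpers show why an unsigned facebook.com frame inside the signed app must neither pass a same-origin check nor share cookies with it.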
Depends on: 769350
This bug should start out with a peer reviewed spec that we can all agree is what we're doing so we don't miss our target later. Is there an existing one already?
https://wiki.mozilla.org/Apps/Security is that spec, though it's due for an update from the results of the work week.
https://wiki.mozilla.org/Apps/Security is the spec for now, and I need to update a few things.
blocking-basecamp: --- → ?
No longer depends on: 758269
Not blocking on metabug, Jonas is marking the dependents.
blocking-basecamp: ? → -
No longer depends on: 769568
Alias: trusted-apps
Component: DOM → DOM: Apps
Depends on: 781620
Alias: trusted-apps → privileged-apps
Depends on: 790558
Summary: Implement trusted apps → Implement privileged apps
Depends on: 801783
Depends on: 806624
Depends on: 797657
Depends on: 812198
No longer depends on: 812198
Depends on: 823150
No longer depends on: 823150
Depends on: 821207
Depends on: 824199
No longer blocks: market-packaged-apps
Depends on: 822944
Depends on: 822072
Depends on: 834091
Depends on: 861284
Depends on: 841569
No longer depends on: 822072
No longer depends on: 841569
No longer depends on: 861284
No longer depends on: 801783
Closing - we've finished the work here for v1. For post v1 work, watch bug 863032.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard