Closed Bug 756729 (privileged-apps) Opened 12 years ago Closed 11 years ago

Implement privileged apps

(Core Graveyard :: DOM: Apps, defect)
Not set
blocking-basecamp -
(Reporter: sicking, Unassigned)
(Keywords: meta)

Here are the various pieces we need for this. We should probably do most of the work in dependent bugs in order to keep this bug more sane.

For developer-only signing we need:
* Receive the app-developer's public-key from the app-store at installation time.
* Read signatures from the appcache manifest for each loaded resource and verify
  them against the stored public-key

For store-signing (needed in order to implement the ability for a store to review the source of an app) we need:
* Receive a signature for all resources from the app-store at installation time.
  (We could do this by getting a signature from the store for the appcache
  manifest, and then get signatures from the manifest for the individual
  resources from the appcache manifest)
* Receive an updated signature from the store when an appcache update is

IMHO we should add both the above capabilities.

Either way we'll also need:
* Flag all nsIPrincipals for a page loaded as part of a secure app. This needs
  to be done such that an is-same-origin check with a nsIPrincipal which does
  not have this flag returns false.
* Ensure that a "minimal CSP policy" is used when loading the signed resources.
  We still need to figure out what that minimal CSP policy will be.
* Add the ability to create CSP policies which say to only allow loading of
  signed resources. Possibly this means introducing a 'self'-like keyword. Or
  change the meaning of 'self' to mean only items from the same signed app.
* Make sure that the "cookie jar" used for a signed app is
  different from the "cookie jar" used by unsigned pages opened in
  an <iframe> inside the app. I.e. the signed-ness should be part
  of the key.
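The two signing schemes above, as an added toy example in Go (not Gecko's code and not part of this bug): the developer signs each resource (developer-only signing), the store signs the whole manifest (store signing), and the loader checks both before treating a resource as part of the signed app. The manifest layout, the function names and the sample app file are assumptions, not the real appcache format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"sort"
)

// Manifest is a hypothetical stand-in for an appcache manifest (not Gecko's format):
// one developer signature per resource plus one store signature over the whole manifest.
type Manifest struct {
	Entries  map[string][]byte // resource path -> developer signature over resourceMsg
	StoreSig []byte            // store signature over canonical()
}
// resourceMsg binds path and content so a signed file cannot be re-served under another path.
func resourceMsg(path string, body []byte) []byte { return append([]byte(path+"\x00"), body...) }
// canonical serializes entries in sorted order so store and device sign/verify identical bytes.
func (m *Manifest) canonical() []byte {
	paths := make([]string, 0, len(m.Entries))
	for p := range m.Entries { paths = append(paths, p) }
	sort.Strings(paths)
	var out []byte
	for _, p := range paths { out = append(append(append(out, p...), 0), m.Entries[p]...) }
	return out
}

// BuildManifest: the developer signs each resource, then the store signs the whole manifest.
func BuildManifest(devPriv, storePriv ed25519.PrivateKey, files map[string][]byte) *Manifest {
	m := &Manifest{Entries: map[string][]byte{}}
	for p, body := range files { m.Entries[p] = ed25519.Sign(devPriv, resourceMsg(p, body)) }
	m.StoreSig = ed25519.Sign(storePriv, m.canonical())
	return m
}

// VerifyResource is the loader-side check before a resource gets the signed-app principal:
// the store's signature over the manifest first, then the developer's over this resource.
func VerifyResource(m *Manifest, storePub, devPub ed25519.PublicKey, path string, body []byte) error {
	if !ed25519.Verify(storePub, m.canonical(), m.StoreSig) { return errors.New("manifest not signed by the store") }
	sig, ok := m.Entries[path]
	if !ok || !ed25519.Verify(devPub, resourceMsg(path, body), sig) { return errors.New("resource unlisted or developer signature invalid") }
	return nil
}
func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	storePub, storePriv, _ := ed25519.GenerateKey(nil)
	m := BuildManifest(devPriv, storePriv, map[string][]byte{"/app.js": []byte("run()")}) // constructed sample app
	fmt.Println(VerifyResource(m, storePub, devPub, "/app.js", []byte("run()")))    // <nil>
	fmt.Println(VerifyResource(m, storePub, devPub, "/app.js", []byte("tampered"))) // error
}
```

Any change to the manifest after the store signed it (for example adding an entry signed by some other key) invalidates the store signature, so an attacker who controls only the developer key cannot extend a store-reviewed app.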
Depends on: 769350
This bug should start out with a peer-reviewed spec that we can all agree is what we're doing so we don't miss our target later. Is there an existing one already?

is that spec, though it's due for an update from the results of the work week.

is the spec for now, and I need to update a few things.
blocking-basecamp: --- → ?
No longer depends on: 758269
Not blocking on metabug, Jonas is marking the dependents.
blocking-basecamp: ? → -
No longer depends on: 769568
Alias: trusted-apps
Component: DOM → DOM: Apps
Depends on: 781620
Alias: trusted-apps → privileged-apps
Depends on: 790558
Summary: Implement trusted apps → Implement privileged apps
Depends on: 801783
Depends on: 806624
Depends on: 797657
Depends on: 812198
No longer depends on: 812198
Depends on: 823150
No longer depends on: 823150
Depends on: 821207
Depends on: 824199
No longer blocks: market-packaged-apps
Depends on: 822944
Depends on: 822072
Depends on: 834091
Depends on: 861284
Depends on: 841569
No longer depends on: 822072
No longer depends on: 841569
No longer depends on: 861284
No longer depends on: 801783
Closing - we've finished the work here for v1. For post-v1 work, watch bug 863032.
Closed: 11 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard