Closed Bug 756729 (privileged-apps) Opened 13 years ago Closed 12 years ago

Implement privileged apps

Categories: Core Graveyard :: DOM: Apps, defect
Type: defect; Priority: Not set; Severity: normal
Tracking: blocking-basecamp: -
Status: RESOLVED FIXED
People: Reporter: sicking, Unassigned
Keywords: meta

Here are the various pieces we need for this. We should probably do most of the work in dependent bugs in order to keep this bug more sane.

For developer-only signing we need:
* Receive the app-developer's public-key from the app-store at installation time.
* Read signatures from the appcache manifest for each loaded resource and verify
  them against the stored public-key

For store-signing (needed in order to implement the ability for a store to review the source of an app) we need:
* Receive a signature for all resources from the app-store at installation time.
  (We could do this by getting a signature from the store for the appcache
  manifest, and then get signatures from the manifest for the individual
  resources from the appcache manifest)
* Receive an updated signature from the store when an appcache update is
  detected.

IMHO we should add both the above capabilities.

Either way we'll also need:
* Flag all nsIPrincipals for a page loaded as part of a secure app. This needs
  to be done such that an is-same-origin check with a nsIPrincipal which does
  not have this flag returns false.
* Ensure that a "minimal CSP policy" is used when loading the signed resources.
  We still need to figure out what that minimal CSP policy will be.
* Add the ability to create CSP policies which say to only allow loading of
  signed resources. Possibly this means introducing a 'self'-like keyword. Or
  change the meaning of 'self' to mean only items from the same signed app.
* Make sure that the "cookie jar" used for a signed facebook.com app is
  different from the "cookie jar" used by unsigned facebook.com pages opened in
  an <iframe> inside the facebook.com app. I.e. the signed-ness should be part
  of the key.
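The two signing paths listed above (the developer signs each resource, the store signs the manifest) together with the install-time and load-time checks, as an added example that is not code from this bug or from Gecko. The manifest layout, the `File`/`Resource`/`Manifest` types and the use of Ed25519 are assumptions chosen for illustration, not the real appcache manifest format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Constructed layout (not the real appcache format): the developer signs "path\nhash" per resource.
type File struct{ Path string; Body []byte }
type Resource struct{ Path, Hash string; DevSig []byte }
type Manifest struct{ Resources []Resource; StoreSig []byte } // StoreSig covers canonical()
func hashBody(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func canonical(rs []Resource) (out []byte) { // what the store signs and the installer re-derives
	for _, r := range rs { out = append(out, r.Path+"\n"+r.Hash+"\n"...) }
	return out
}

// SignManifest: the developer signs each resource, then the store signs the whole manifest.
func SignManifest(dev, store ed25519.PrivateKey, files []File) Manifest {
	var m Manifest
	for _, f := range files {
		h := hashBody(f.Body)
		m.Resources = append(m.Resources, Resource{f.Path, h, ed25519.Sign(dev, []byte(f.Path+"\n"+h))})
	}
	m.StoreSig = ed25519.Sign(store, canonical(m.Resources))
	return m
}
// VerifyManifest (install time): a manifest edited after review, or an appcache update shipped
// without a fresh store signature, fails here and must not be used.
func VerifyManifest(storePub ed25519.PublicKey, m Manifest) bool {
	return ed25519.Verify(storePub, canonical(m.Resources), m.StoreSig)
}

// VerifyLoad (load time): the path must be listed with a valid developer signature and the body
// must hash to the signed value; anything else, including an unlisted path, is refused.
func VerifyLoad(devPub ed25519.PublicKey, m Manifest, path string, body []byte) bool {
	for _, r := range m.Resources {
		if r.Path == path {
			return hashBody(body) == r.Hash && ed25519.Verify(devPub, []byte(path+"\n"+r.Hash), r.DevSig)
		}
	}
	return false
}

func main() { // demo with fresh keys and constructed bodies; prints "manifest ok: true, app.js ok: true"
	devPub, dev, _ := ed25519.GenerateKey(rand.Reader)
	storePub, store, _ := ed25519.GenerateKey(rand.Reader)
	m := SignManifest(dev, store, []File{{"/index.html", []byte("<html>app</html>")}, {"/app.js", []byte("run()")}})
	fmt.Printf("manifest ok: %v, app.js ok: %v\n", VerifyManifest(storePub, m), VerifyLoad(devPub, m, "/app.js", []byte("run()")))
}
```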
Depends on: 769350
This bug should start out with a peer-reviewed spec that we can all agree is what we're doing so we don't miss our target later. Is there an existing one already?
https://wiki.mozilla.org/Apps/Security is that spec, though it's due for an update from the results of the work week.
https://wiki.mozilla.org/Apps/Security is the spec for now, and I need to update a few things.
blocking-basecamp: --- → ?
No longer depends on: 758269
Not blocking on metabug, Jonas is marking the dependents.
blocking-basecamp: ? → -
No longer depends on: 769568
Alias: trusted-apps
Component: DOM → DOM: Apps
Depends on: 781620
Alias: trusted-apps → privileged-apps
Depends on: 790558
Summary: Implement trusted apps → Implement privileged apps
Depends on: 801783
Depends on: 806624
Depends on: 797657
Depends on: 812198
No longer depends on: 812198
Depends on: 823150
No longer depends on: 823150
Depends on: 821207
Depends on: 824199
No longer blocks: market-packaged-apps
Depends on: 822944
Depends on: 822072
Depends on: 834091
Depends on: 861284
Depends on: 841569
No longer depends on: 822072
No longer depends on: 841569
No longer depends on: 861284
No longer depends on: 801783
Closing - we've finished the work here for v1. For post-v1 work, watch bug 863032.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard