App developers can supply arbitrary strings for the developer name and URL in their webapp manifest and users currently have no way to get real identity information about them. There is nothing stopping someone from creating an app with the developer name set to "Mozilla" and URL set to "https://www.mozilla.org/" while having an origin of http://evil.com/. A possible mitigation is to include the origin in the developer information section or at least the effective TLD+1 (e.g. bbc.co.uk for an origin of http://www.bbc.co.uk/). These pieces of information are more likely to reflect the contents of the application.
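An added example (not from the bug or from Firefox OS code) of the mitigation proposed above: render the developer fields beside the origin the manifest was actually served from, reduced to its eTLD+1, and flag a claimed developer URL that is not on that site. The suffix list is a small constructed stand-in for the Public Suffix List, and `manifest.developer` follows the name/url shape described above.

```javascript
// Constructed stand-in for the Public Suffix List; a real check would load
// the full list (https://publicsuffix.org/) instead of these three entries.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk']);

// Effective TLD+1 of a hostname, e.g. www.bbc.co.uk -> bbc.co.uk.
function etldPlusOne(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return hostname.toLowerCase();
}

// Build the developer-info record a UI should show. appOrigin must be the
// origin the manifest was fetched from, never a field inside the manifest.
function developerInfo(manifest, appOrigin) {
  const dev = (manifest && manifest.developer) || {};
  const origin = new URL(appOrigin).origin;
  const site = etldPlusOne(new URL(origin).hostname);
  let devSite = null;
  try {
    devSite = etldPlusOne(new URL(dev.url).hostname);
  } catch (e) {
    // developer.url missing or not a valid URL: treat the claim as unverified
  }
  return {
    name: dev.name || '(none)',       // free-form, untrusted
    url: dev.url || '(none)',         // free-form, untrusted
    origin,                           // where the app really comes from
    site,                             // eTLD+1 of that origin
    // Only consistent when the claimed developer URL is on the app's own site.
    claimConsistent: devSite !== null && devSite === site,
  };
}

// Constructed sample: manifest claims Mozilla but is served from evil.com.
const spoofed = {
  name: 'Not Really Firefox',
  developer: { name: 'Mozilla', url: 'https://www.mozilla.org/' },
};
console.log(developerInfo(spoofed, 'http://evil.com/'));
```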
This might be a good question to pose to drivers. Jonas - Thoughts? Can we do anything here?
blocking-basecamp: --- → ?
The one idea is that we disable the UI entirely for v1 and figure it out in a followup release - although that's probably the worst case scenario.
For non-privileged apps we should indeed make it quite clear that the developer origin/name is not to be trusted, or even more simply completely hide it. I'm not sure that we really need to keep this bug hidden. I'd prefer to open it as the attack is quite obvious and doesn't affect any released products.
(In reply to Jonas Sicking (:sicking) from comment #3)
> I'd prefer to open it as the attack is quite obvious and doesn't affect any released products.

Fine with me. I was just erring on the side of caution in case we do eventually ship with this issue. I agree that the attack is fairly obvious.
Removing nom and core-security flag - this probably does not block only because third-party apps that will most likely be installed will go through marketplace, which will be reviewed by an app reviewer. However, I'll cc the app reviewers to make sure to check developer data on a review on their review checklist (although it's probably already there).
blocking-basecamp: ? → ---
(In reply to Jason Smith [:jsmith] from comment #5)
> However, I'll cc the app reviewers to make sure to check developer data on a review on their review checklist (although it's probably already there).

We don't check it explicitly though we always glance at the manifest during the review. However, this isn't a security hurdle for a malicious developer - once the app has been approved the manifest can be changed server side and (unless they break the manifest or alter something else like the name too) it won't even be flagged for re-review.