(Sorry to change from dev-webapi to dev-b2g, but I think dev-b2g is better given the size of these changes). First off, I think we should get rid of "apps" as a platform feature. This doesn't need to mean that we should change the UX of B2G. That is a separate consideration. But we should get rid of cookie jars. And accept the web for the big goop of content that it is :) We could add features to allow websites to indicate that it wants the security protections that the current cookie jars support. But per the above, that's not a feature that we should push through FirefoxOS alone. If it's something that we think is important, we should push it as a web feature together with Firefox desktop and other browser vendors.
This is nice... but I believe it's ultimately futile. It works for well known, giant developers... I could say I trust Google, or Mozilla, or Facebook... but I don't think it'll work for Pop&Mom SW, Inc. How would Mozilla know if they should trust them and with what APIs?I think we should also keep exposing "sensitive APIs", both to gaia and to 3rd party developers. Converting all the email servers in the world to use CORS simply isn't realistic. But we should make improvements in how these APIs are exposed. I do think that we still want code that uses these "sensitive APIs" to be signed. However that doesn't mean that we have to keep using the same model, of app:-protocol and installable zip files that we currently use. There's a few things that I think would be great to accomplish for content that uses these sensitive APIs: * Enable the user to simply navigate to content which uses sensitive APIs, without the need to install it first. I.e. enable the content to be available through "real" linkable URLs. * Enable developers to sign the content without going through a marketplace review. I.e. enable developers to distribute and updated version of their content without having to go through marketplace review. * Enable Marketplace to hand out the ability to use a particular API to a developer, rather than to a particular version of a particular app.
This is what I was talking before about the jars :).* Remove technical separation between "privileged" and "certified" APIs. We can still decide not to grant any third party content the ability to use, for example, the power API, by simply not granting the right to use that API to any developers other than gaia developers. But the client-side code doesn't need to make that decision. * While I think signed content that can use sensitive APIs should have real URLs, I think it needs to never be same-origin with unsigned "normal" content. * It would be good if we can keep the process separation advantages that we currently have for content that can use "sensitive APIs". I.e. it would be nice if it required more than finding a buffer overflow bug in Gecko in order to gain access to use the telephony API. But it'd be good if we can hide this fact as much as possible from web developers.
Again, self signature without revision only means something if the signer is really trustable. And you can only know that if you know the signer. Which isn't really doable on the wild web. Otherwise, it's just security theater, and it's only good for antimalware companies (which are the ones that benefit more from Android's model :P).* I think we should still keep the CSP requirements that we have for content that uses "sensitive APIs". I.e. all JS that can use those APIs has to be signed by the developer.
The problem here is that we need people using those APIS (or maybe new ones?) for the platform to move out of the "cheap smartphone for people that only had feature phones before" segment. And the second problem is that bootstrapping this requires those APIs to be useable in some form for the rest of the web.What signing format to use, and how to keep it not same-origin as unsigned content, is probably best done as a separate thread. Hopefully we can get agreement on the rest of this thread without solving that part. I also think we need to stop worrying so much about that these APIs aren't standardized. It simply isn't in our power to make these really standardized. It requires that other vendors are actually willing to work together with us on aligning APIs, and I just haven't seen that. And more importantly, very little content is using these APIs. The web is far greater. Even developers that target FirefoxOS specifically are 90-95% of the time able to write their content without using these APIs.
This is actually a very nice way of making those APIs 'reusable' :).That said, if anyone wants to make an effort and reach out to other vendors to get agreement on any API, feel free to give it a try. The only thing that I could see being successful in the short term would be to simply adopt APIs from other platforms. Cordova and Node.js would be prime candidates here I think. If anyone has suggestions for APIs that you think would be good candidates, please let me know.
Hmm... I think that while those things would be nice to have, on a geeky way, we might be losing sight of the target. Replacing the dialer is a nice configuration option, if we can do it (well, not replacing, *adding* a new dialer because I think replacing the certified one is a no-go from a certification point of view), but the phone already *has* a dialer. What we should worry about is giving developers enough tools to do things the phone doesn't have but other phones do. For example:As mentioned above, I think there's still some APIs that I'm very nervous about exposing to 3rd party websites. For example, enabling placing phone calls through direct calls to the API, rather than by using <a href="tel:..."> or a WebActivity seems like inviting malware. It's also not a terribly good way to enable users to replace the built-in dialer. Since the user would still have the built-in dialer. A better solution to enable replacing the dialer UI might be to use some form of addon system. An addon which tweaked, or completely replaced, the built-in dialer UI would be awesome.
Maybe we're going at this the wrong way... and instead of seeing what APIs we have or would like to have we should look at what applications we want our ecosystem to have, and what is needed to implement those applications. I know we learned a lot about
what was missing while writing the Firefox Hello app.
Likewise an addon which sat between the dialer and the actual phone hardware, and did things like block lists, or changed incoming and/or outgoing phone numbers would be great. Or addons which encrypt the voice audio when calling friends which has the same addon. Addons have been great for Firefox desktop. I think it can be as awesome for FirefoxOS, if not more so. Addons will definitely be Firefox(OS) specific. But no more so than the telephony API is, and is likely to remain for the foreseeable future. Again, I think how exactly how these addons will work is a better topic for a separate thread. In summary: On a technical level we'd be much more like the web has traditionally been. I.e. no cookie jars or app silos. The user can navigate between any content by following normal links. This will include content that use "sensitive APIs". The only content distinction we'd end up with is "signed" vs. "unsigned". And to the user both would look like normal web. The "signed" content will be FirefoxOS specific until we find others which are interested in collaborating on APIs, which isn't expected to be soon. But to put this in perspective, the vast majority of authors are able to author content without using these APIs. On a technical level, Gaia would just be normal signed content. The distinction between "certified" and "privileged" disappear. Though we can still choose on a per-API and per-developer basis which API we allow what developers to use. Though UX-wise we might still want to give gaia special treatment. Users can install addons which change the behavior of other content. This will include both change behavior of gaia, as well as of signed and unsigned websites. Let me know what you think. / Jonas _______________________________________________ dev-b2g mailing list dev...@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-b2g
First off, I think we should get rid of "apps" as a platform feature.
What I don't necessarily think we should get rid of is the app registry.
One thing that other vendors (Google/Microsoft/Apple/Intel) *are* currently showing a lot of interest in is installable hosted web apps using a standard web app manifest [4]. The manifest can be used to describe a part of the web as a web app which can break out of the browser and register to handle a defined URL scope as a standalone app on the OS (Android, Windows 10, Firefox OS etc.). The W3C spec defines an "application context" as a browsing context with a manifest applied, which can have a different display mode with no browser chrome like "standalone" or "fullscreen" for a defined URL scope.
I think the app registry is still useful as a place to register an app as handling a particular URL scope. The W3C spec does not define an app installation API (for use by an app store), but instead defines an HTML manifest link relation (for use by a user agent which can detect it and provide UI to offer to install the app). This allows web apps to be discovered simply by searching and browsing the web rather than distributed through a central app store. We can still use our proprietary mozApps install API to do this internally from browser chrome in the built-in system app or bookmark app (signed Firefox apps) which could provide that UI (this is actually already landed in master). I think this registry needs to be maintained in Gecko so it knows how to handle any given HTTP navigation.
* Enable the user to simply navigate to content which uses sensitive
APIs, without the need to install it first. I.e. enable the content to
be available through "real" linkable URLs.
* Enable developers to sign the content without going through a
marketplace review. I.e. enable developers to distribute and updated
version of their content without having to go through marketplace
review.
* While I think signed content that can use sensitive APIs should have
real URLs, I think it needs to never be same-origin with unsigned
"normal" content.
The only content distinction we'd end up with is "signed" vs.
"unsigned". And to the user both would look like normal web.
The "signed" content will be FirefoxOS specific until we find others
which are interested in collaborating on APIs, which isn't expected to
be soon. But to put this in perspective, the vast majority of authors
are able to author content without using these APIs.
Let me know what you think.
On 10/03/2015 1:23, Jonas Sicking wrote:* Enable Marketplace to hand out the ability to use a particular API to a developer, rather than to a particular version of a particular app.This is nice... but I believe it's ultimately futile. It works for well known, giant developers... I could say I trust Google, or Mozilla, or Facebook... but I don't think it'll work for Pop&Mom SW, Inc. How would Mozilla know if they should trust them and with what APIs?The model we have right now sucks: it's slow to deploy, it's slow to update, it's not similar to the rest of the web, at all (it's basically Apple's model on a smaller scale, in other words). But as a user I can be reasonably secure that whatever I install will use only the permissions it needs, and won't get my data and run with it. But just giving access to random developers, which will then do whatever they want with that permission is the same as opening the permissions to everyone, only more complicated to implement.
On 10/03/2015 1:23, Jonas Sicking wrote:
(Sorry to change from dev-webapi to dev-b2g, but I think dev-b2g is better given the size of these changes). First off, I think we should get rid of "apps" as a platform feature. This doesn't need to mean that we should change the UX of B2G. That is a separate consideration. But we should get rid of cookie jars. And accept the web for the big goop of content that it is :) We could add features to allow websites to indicate that it wants the security protections that the current cookie jars support. But per the above, that's not a feature that we should push through FirefoxOS alone. If it's something that we think is important, we should push it as a web feature together with Firefox desktop and other browser vendors.
>From a security point of view, I think the cookie jar model is much better than having everything on the same pile. Maybe rather than getting rid of that, or even making it an opt-in feature we could try and hide the implementation details from the content. So we keep a cookie jar per origin (instead of per-app as we do know, which is really the same since we can only have one app per origin) and every time that origin is loaded it uses it's own cookie jar.
To keep this isolated at a process level this would mean changing the way the processes work (having one process per origin instead of one process per app, for example, so every window that's loaded for https://a.origin.com lives on the same process independently of where that window was defined)... but that should be transparent to content developers.
I think we should also keep exposing "sensitive APIs", both to gaia and to 3rd party developers. Converting all the email servers in the world to use CORS simply isn't realistic. But we should make improvements in how these APIs are exposed. I do think that we still want code that uses these "sensitive APIs" to be signed. However that doesn't mean that we have to keep using the same model, of app:-protocol
and installable zip files that we currently use. There's a few things that I think would be great to accomplish for content that uses these sensitive APIs: * Enable the user to simply navigate to content which uses sensitive APIs, without the need to install it first. I.e. enable the content to be available through "real" linkable URLs. * Enable developers to sign the content without going through a marketplace review. I.e. enable developers to distribute and updated version of their content without having to go through marketplace review. * Enable Marketplace to hand out the ability to use a particular API to a developer, rather than to a particular version of a particular app.
This is nice... but I believe it's ultimately futile. It works for well known, giant developers... I could say I trust Google, or Mozilla, or Facebook... but I don't think it'll work for Pop&Mom SW, Inc. How would Mozilla know if they should trust them and with what APIs?
The problem here is that we need people using those APIS (or maybe new ones?) for the platform to move out of the "cheap smartphone for people that only had feature phones before" segment. And the second problem is that bootstrapping this requires those APIs to be useable in some form for the rest of the web.What signing format to use, and how to keep it not same-origin as unsigned content, is probably best done as a separate thread. Hopefully we can get agreement on the rest of this thread without solving that part. I also think we need to stop worrying so much about that these APIs aren't standardized. It simply isn't in our power to make these really standardized. It requires that other vendors are actually willing to work together with us on aligning APIs, and I just haven't seen that. And more importantly, very little content is using these APIs. The web is far greater. Even developers that target FirefoxOS specifically are 90-95% of the time able to write their content without using these APIs.
This is actually a very nice way of making those APIs 'reusable' :).That said, if anyone wants to make an effort and reach out to other vendors to get agreement on any API, feel free to give it a try. The only thing that I could see being successful in the short term would be to simply adopt APIs from other platforms. Cordova and Node.js would be prime candidates here I think. If anyone has suggestions for APIs that you think would be good candidates, please let me know.
Hmm... I think that while those things would be nice to have, on a geeky way, we might be losing sight of the target. Replacing the dialer is a nice configuration option, if we can do it (well, not replacing, *adding* a new dialer because I think replacing the certified one is a no-go from a certification point of view), but the phone already *has* a dialer. What we should worry about is giving developers enough tools to do things the phone doesn't have but other phones do. For example:As mentioned above, I think there's still some APIs that I'm very nervous about exposing to 3rd party websites. For example, enabling placing phone calls through direct calls to the API, rather than by using <a href="tel:..."> or a WebActivity seems like inviting malware. It's also not a terribly good way to enable users to replace the built-in dialer. Since the user would still have the built-in dialer. A better solution to enable replacing the dialer UI might be to use some form of addon system. An addon which tweaked, or completely replaced, the built-in dialer UI would be awesome.
- IM applications (be it Whatsapp, Line, Telegram, Wickr, whatever, it should be doable on the new model).
- VoIP applications (Skype). We already have Firefox Hello, which is nice, and it's packaged, and it uses a bunch of privileged APIs and another bunch of "they're privileged but only for you" APIs.
- Richer calendar apps with support for public and private servers (Exchange, Google,... whatever) which might or might not have a nice REST/HTTP API.
- File browser (since we do have a SD card that can be mounted)
- Wearable APIs (ok, reaching for the moon here but it's something big that will only get bigger)
Maybe we're going at this the wrong way... and instead of seeing what APIs we have or would like to have we should look at what applications we want our ecosystem to have, and what is needed to implement those applications. I know we learned a lot about what was missing while writing the Firefox Hello app.
(Sorry to change from dev-webapi to dev-b2g, but I think dev-b2g is
better given the size of these changes).
On Wed, Feb 4, 2015 at 4:49 AM, Benjamin Francis <bfra...@mozilla.com> wrote:
> One potential answer is that:
>
> - Privileged hosted web apps can be self-signed by developers (using a
> certificate issued by an issuer with a CA root Authority installed in
> Firefox OS) and users must decide whether to trust the developer. Mozilla
> could choose to become an issuer of free certificates (as we are with Let's
> Encrypt) but would not be the sole issuer.
> - Certified apps become a new type of chrome which happens to use HTML5
> as a markup language. If we want third parties to be able to build apps or
> extensions to this chrome then they become a new type of chrome extension
> which can only be signed by Mozilla. Firefox OS apps/extensions would by
> definition be Firefox OS-only.
Hi All,
This matches pretty closely with my thinking as of late.
I think there are a few things that we need to realize and accept.
First off, it's really hard to "move the web". Especially with a
marketshare as long as FirefoxOS has. If we're going to stand any
chance of actually changing web developer behavior at large, we need
at the very least Firefox for Android and Firefox desktop to push for
the same changes. But realistically also other browser vendors.
In this light, I would say that some of our efforts of trying to make
the web more "appy" has been a mistake. Though one that we've learned
a lot from I think. We should make sure that this experience is used
as we work on standards like web manifests and web activities.
Second, I think we need to accept the fact that some of the APIs that
are needed to build a complete OS simply aren't safe to expose to
untrusted content authors.
As long as the web maintains a model that content can be consumed
without users having to worry about security concerns, and be
published without any need to go through reviews, there has to be
limits on what type of content that can be created. And I think
there's broad agreement here that we don't want to give up that model.
I don't think statements like "being able to write an irc client is a
minimum" is really fair. We could likewise say "being able to run an
run any software without worrying that it's going to reconfigure your
router is a minimum", which is a statement that all other platforms
fail.
That said, I'm all ears for constructive ideas for how we can solve
shortcomings of the web platform. But I also think we should also keep
this in perspective. There's a lot of content on the web. All of it
has been built without access to these APIs. Even for content that is
explicitly built for FirefoxOS and submitted to the Firefox
marketplace, only about 5-10% need these APIs.
Third, there is essentially no interest from other browser vendors to
"standardize" or even get alignment on APIs that can't be exposed to
normal webpages.
Google is about as interested in aligning their chrome apps APIs with
our APIs, as they are to listen to us about what their Android APIs
should look like. Other vendors have shown about the same amount of
interest.
There just isn't much value in anyone changing their APIs. Authors
aren't really asking for it, and the platforms are different enough
that authors wouldn't see large benefits anyway.
One interesting question to ask here is, would we be interested in
adopting Tizen's API for, for example, SD card access? Or Chrome-app's
API for TCPSocket?
So what does this mean that we should do?
First off, I think we should get rid of "apps" as a platform feature.
This doesn't need to mean that we should change the UX of B2G. That is
a separate consideration.
But we should get rid of cookie jars. And accept the web for the big
goop of content that it is :)
We could add features to allow websites to indicate that it wants the
security protections that the current cookie jars support. But per the
above, that's not a feature that we should push through FirefoxOS
alone. If it's something that we think is important, we should push it
as a web feature together with Firefox desktop and other browser
vendors.
I think we should also keep exposing "sensitive APIs", both to gaia
and to 3rd party developers. Converting all the email servers in the
world to use CORS simply isn't realistic. But we should make
improvements in how these APIs are exposed.
I do think that we still want code that uses these "sensitive APIs" to
be signed. However that doesn't mean that we have to keep using the
same model, of app:-protocol and installable zip files that we
currently use.
There's a few things that I think would be great to accomplish for
content that uses these sensitive APIs:
* Enable the user to simply navigate to content which uses sensitive
APIs, without the need to install it first. I.e. enable the content to
be available through "real" linkable URLs.
* Enable developers to sign the content without going through a
marketplace review. I.e. enable developers to distribute and updated
version of their content without having to go through marketplace
review.
* Enable Marketplace to hand out the ability to use a particular API
to a developer, rather than to a particular version of a particular
app.
* Remove technical separation between "privileged" and "certified"
APIs. We can still decide not to grant any third party content the
ability to use, for example, the power API, by simply not granting the
right to use that API to any developers other than gaia developers.
But the client-side code doesn't need to make that decision.
* While I think signed content that can use sensitive APIs should have
real URLs, I think it needs to never be same-origin with unsigned
"normal" content.
* It would be good if we can keep the process separation advantages
that we currently have for content that can use "sensitive APIs". I.e.
it would be nice if it required more than finding a buffer overflow
bug in Gecko in order to gain access to use the telephony API. But
it'd be good if we can hide this fact as much as possible from web
developers.
* I think we should still keep the CSP requirements that we have for
content that uses "sensitive APIs". I.e. all JS that can use those
APIs has to be signed by the developer.
What signing format to use, and how to keep it not same-origin as
unsigned content, is probably best done as a separate thread.
Hopefully we can get agreement on the rest of this thread without
solving that part.
I also think we need to stop worrying so much about that these APIs
aren't standardized. It simply isn't in our power to make these really
standardized. It requires that other vendors are actually willing to
work together with us on aligning APIs, and I just haven't seen that.
And more importantly, very little content is using these APIs. The web
is far greater. Even developers that target FirefoxOS specifically are
90-95% of the time able to write their content without using these
APIs.
That said, if anyone wants to make an effort and reach out to other
vendors to get agreement on any API, feel free to give it a try.
The only thing that I could see being successful in the short term
would be to simply adopt APIs from other platforms. Cordova and
Node.js would be prime candidates here I think. If anyone has
suggestions for APIs that you think would be good candidates, please
let me know.
As mentioned above, I think there's still some APIs that I'm very
nervous about exposing to 3rd party websites. For example, enabling
placing phone calls through direct calls to the API, rather than by
using <a href="tel:..."> or a WebActivity seems like inviting malware.
It's also not a terribly good way to enable users to replace the
built-in dialer. Since the user would still have the built-in dialer.
A better solution to enable replacing the dialer UI might be to use
some form of addon system. An addon which tweaked, or completely
replaced, the built-in dialer UI would be awesome.
Likewise an addon which sat between the dialer and the actual phone
hardware, and did things like block lists, or changed incoming and/or
outgoing phone numbers would be great. Or addons which encrypt the
voice audio when calling friends which has the same addon.
Addons have been great for Firefox desktop. I think it can be as
awesome for FirefoxOS, if not more so.
Addons will definitely be Firefox(OS) specific. But no more so than
the telephony API is, and is likely to remain for the foreseeable
future.
Again, I think how exactly how these addons will work is a better
topic for a separate thread.
In summary:
On a technical level we'd be much more like the web has traditionally
been. I.e. no cookie jars or app silos. The user can navigate between
any content by following normal links. This will include content that
use "sensitive APIs".
The only content distinction we'd end up with is "signed" vs.
"unsigned". And to the user both would look like normal web.
The "signed" content will be FirefoxOS specific until we find others
which are interested in collaborating on APIs, which isn't expected to
be soon. But to put this in perspective, the vast majority of authors
are able to author content without using these APIs.
On a technical level, Gaia would just be normal signed content. The
distinction between "certified" and "privileged" disappear. Though we
can still choose on a per-API and per-developer basis which API we
allow what developers to use. Though UX-wise we might still want to
give gaia special treatment.
Users can install addons which change the behavior of other content.
This will include both change behavior of gaia, as well as of signed
and unsigned websites.
Let me know what you think.
I do think that the registry can be simplified compared to what it is today.
What we basically need is a bookmark registry. Which maintains a list
of which pages/manifests that the user has bookmarked.
I would imagine that exactly what we do will depend on various UX
decisions. Such as how to implement display modes.
I think we need to get more UX input on this stuff.