On Tue, Jun 10, 2014 at 11:10 PM, Jonas Sicking <
jo...@sicking.cc> wrote:
I would say start with exposing the 'mozbrowserloadstart' and
> 'mozbrowserloadend' events and nothing else.
>
So could we just fire those events on iframes which specify the mozapp
attribute, even if the mozbrowser attribute isn't specified?
>
> > 1. Requesting only the "embed-webapps" permission allows you to do:
> >
> > <iframe mozapp="
http://foo.com/manifest.webapp">
> >
> > ...which gives you a reduced browser API and restricts the iframe to the
> > scope of the app defined by the manifest URL in the mozapp attribute.
> This
> > allows you to safely embed an app as a widget.
>
> I don't want to expose this capability to 3rd party apps, as it allows
> the 3rd party app to launch clickjacking attacks against the embedded
> app.
>
It seems you do want to allow third party apps to embed other apps, but in
a more controlled way.
The web in general has the same risk of clickjacking attacks and web pages
have a an "opt-out of being embedded" mechanism with "X-Frame-Options
DENY". It sounds like what you're saying is that for privileged apps the
default should be the equivalent of "X-Frame-Options DENY" and pages of
apps should be able to opt-in to being embedded with the equivalent of
"X-Frame-Options ALLOW-FROM <url>"?
> > 2. Requesting the "browser" permission allows you to do:
> >
> > <iframe mozbrowser>
> >
> > ... which gives you full access to the browser API and the frame can
> > navigate to any URL.
>
> This will not use the right cookie jar for the embedded page. And if
> it did, it would allow launching clickjacking attacks against the
> embedded page.
>
I'm not proposing any changes here, this would still be used for the use
cases it is used for today (i.e. building a browser).
>
> > 3. Requesting both embed-webapps and browser allows you to do:
> >
> > <iframe mozbrowser mozapp="
http://foo.com/manifest.webapp">
> >
> > ... which gives you full access to the browser API and restricts the
> iframe
> > to the scope of the app defined by the manifest URL in the mozapp
> attribute.
> >
> >
> > I understand that one of the requirements is that an app can control
> whether
> > or not it can be embedded in another app. Note that the web already has a
> > solution to this problem in the form of the X-Frame-Options HTTP response
> > header [1] which an app can use to ask not to be rendered inside an
> iframe.
> > We ignore these headers when the mozbrowser attribute is set on an
> iframe to
> > allow the embedder to act as a browser. But in example 1 above, an app
> could
> > use this header to ask not to allow itself to be embedded as a widget in
> an
> > iframe without the mozbrowser attribute.
>
> How would a page protect itself from being iframed by random untrusted
> content, while still allowing itself to be opened by a trusted party
> such as the browser app or the homescreen?
>
The browser app can frame any content because the mozbrowser attribute
means it ignores X-Frame-Options headers.
Gecko supports an "ALLOW-FROM <uri>" value for the X-Frame-Options header
so that you can specify trusted embedder apps like
homescreen.gaiamobile.org.
The one thing this doesn't support is allowing a page to be embedded in a
particular "class" of app, like 'positions: ["homescreen", "lockscreen"]'
in your original proposal. Maybe that is something we need. That does seem
to be quite specific to a particular UX though and I do wonder how easy
that might be to standardise in future?
I'm still not convinced that embedding "widgets" is any different to
embedding "apps" in general or that "widgets" are even a new class of thing
that we need. But I am happy to be convinced otherwise.
As far as I can tell this all seems to already exist on the web. It may be
that we need to hack some more HTTP-like semantics into the app:// protocol
to make it work for packaged apps though.