On 09/10/2014 01:52 PM, Ehsan Akhgari wrote:
> How would the app know which cookies to remove, though? The solution
> of nuking all cookies doesn't seem ideal, since the app may have other
> cookies used for other purposes that it doesn't want to get rid of
> (that may not be an issue for the email app, but it will be an issue
> for an API callable by arbitrary apps.)
It's definitely a hack. But unless app scopes completely moot the issue
of app cookie jars, it seems like apps should have some ability to clean
that data out that otherwise accumulates until they're uninstalled. I
agree that since it's impossible to know what domains have gotten data,
it really needs to be the nuclear option that blows away all the
cookies, or at least those outside the origin described by the manifest.
An example use-case for this would be me lending my phone to someone.
They login to an account on some app, then remove their account.
Neither of us want any of their data in my phone. I know enough that I
could remove the app and reinstall it to make the data go away. While
some people might then uninstall the app because they don't want it, I
doubt many people would make the connection that they have to uninstall
the app to get rid of the private data pieces.
Perhaps instead the app should be able to trigger a clean reinstall of
itself. so mozApps.getSelf() => requestCleanReinstall(). The app would
be able to say, "hey, since you removed this account, I'd really like to
make sure all the data is gone. Is it okay to reset myself back to
defaults?" This could also be handled by a web activity as long as it's
guarded so nefarious apps can't interfere.
> It seems to me that having a Google Account app that uses app scopes
> to handle all Google OAuth requests and has its own separate cookie
> jar is a much cleaner solution to this problem, and it will also
> address the issues that Jeffrey mentioned.
Replace Google Account app with something that doesn't require every
mail server provider trying to use OAuth2 to create their own Firefox OS
app, and yes, that sounds right. For the record/(my ego :) I did think
of this one too, but since this is a FxOS v2.1-related fire-drill that
involves new l10n strings and precludes creation of entire new apps,
IMAP-OAuth2 cannot currently be generically used until discovery
(
https://mail.mozilla.org/pipermail/tb-planning/2014-April/003245.html)
and dynamic registration
(
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-20) are addressed,
and we would not want to use web activities that can be intercepted by
nefarious apps, this corner was definitely cut. Although I agree we
shouldn't be doing this in general, I think it raised an interesting
question about management of the data "owned" by the app in its cookie
jar but not actually owned enough to be able to manage it at all.
The chrome.identity API that Jeffrey mentioned, at least the
non-Google-specific stuff, seems like it could be a good basis for a
standardized approach to this flow:
https://developer.chrome.com/apps/app_identity#non
https://developer.chrome.com/apps/identity#method-launchWebAuthFlow
Andrew