* [https://developer.mozilla.org/en/OpenWebApps OWA developer page]
== Definitions ==* '''WebApp''' - An application developed with web technologies (JS/HTML/CSS). May contain dynamic and static content* '''Native App''' - A WebApp consisting solely of static content and run on a B2G capable device* '''Gaia App''' - '''DEFINITION REQUIRED'''* '''B2G App''' - '''DEFINITION REQUIRED''' which is meaningful in the context of the above app definitions* '''Store''' - A marketplace where a user may download/purchase WebApps for their device* above definition are up for discussion* '''Extended Validation (EV) Certificate''' - A SSL certificate that undergoes additional authentication / verification steps before issuance.** [http{{:Apps//www.cabforum.org/certificates.html Explanation]** [http://www.cabforum.org/vetting.html Verification process]* '''Content Security Policy (CSP)''' - A mechanism by which website administrators can define a policy which restricts what domains a website can load resources from** [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html Specification]* '''XPCOM''' - a Common Object Model that is 'inspired by' Microsoft's COM. It is reasonably feature-complete but does not contain co-classes. The implementation is also entirely missing a marshalling / unmarshalling (serialisation) layer.* '''ncalrpc''' - a local networking protocol that is used in Microsoft's COM to efficiently communicate data between COM clients and COM servers that are on the same machine. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378665%28v=vs.85%29.aspx'''Important reading!''' B2G applications are Open Web Apps, you can read about them here: https://developer.mozilla.org/en-US/apps === Concepts to be given Official Definitions === There is no real easy way to distinguish the following, all of which are iframes (!) in the B2G environment. There is some considerable confusion as a result, especially due to the fact that the required security context and especially the interactions between parent and child iframes are ''different'' depending on the type of iframe. Names really therefore need to be given to the following: * the root frame (top-level one into which the top gaia HTML is loaded)* individual gaia apps (sub-iframes, one per app)* any gaia app that opens up a public-facing (URL-based) iframe in which the contents of a URI are displayed: the browser app is one such* iframes *within* that iframe - as in "iframes that you normally think of iframes being used for as an ordinary web developer". Discussion which raises the issue of confused definitions, helps clarify them:https://groups.google.com/d/msg/mozilla.dev.b2g/AQYPkIjKxjE/WYy0LPta9cMJ=== App instance / version === (''Note: this section is very much in an informal style that includes definitions, discussion as well as functional analysis. it should be analysed and split up appropriately.'') * Possible definitions of what an app instance / version is*# a static bundle of code authenticated by manifest + signature (or equivalent)*# a dynamic stream of code authenticated by a specific origin (same origin applied, all assets must be loaded from https://<a host>)*# an initial loader authenticated by a specific origin (https://<a host>), which can then load whatever it wants*# unauthenticated code loaded over any channel, from any origin* loosely ordered from best to worst (descending) security wise* 1) and 2) could work with additional security controls* attacker can use option 2) as a proxy for malicious content* attacker can use option 2) as proxy to paid app (buy once, share with world)** mitigation for this may be responsibility of app developer* CSP can secure 1) and 2) to an extent** define baseline CSP policy that apps have to adopt* See [https://www.adobe.com/devnet/air/articles/introduction_to_air_security.html Intro to AIR security]}}
== Bugs ==
