
Apps/Security

1,113 bytes added, 19:03, 7 May 2012
Open questions for trusted & certified apps
It's not clear that this is an issue for the security model to solve, however; it would be better solved via an explicit consumption API that can help the user manage and limit resource utilization. This is considered out of scope for the security model in general.
 
===Application Scope===
The foundational assumption was that there was only one app per domain. This is because an origin is effectively the only security boundary in the browser, and determining the security implications of allowing apps with different permissions on the same domain is a time-consuming exercise for the 1.0 timeframe.
 
===Background Apps===
Apps running in the background may trigger permission requests. Since app requests should be in the context of the user's interaction with the app, we should suppress any permission requests for non-foreground apps. It is up to the developer to properly surface permission requests while the app is interacting with the user.
 
===Services===
Services need to be certified apps as they have no way of surfacing permission requests to users. This means we should minimize the set of use cases that absolutely require true services.
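
A sketch of how the three rules above (one app per origin, suppressed prompts for background apps, services restricted to certified apps) could be enforced in one place. This is an added example, not code from this page or from the project; `PermissionBroker`, `TRUST`, the result strings and the sample origins are hypothetical, and it assumes certified apps receive permissions without a prompt.

```javascript
// Added illustration: PermissionBroker, TRUST and the result strings are
// hypothetical names, not an API of the project this page describes.
const TRUST = { WEB: 0, TRUSTED: 1, CERTIFIED: 2 };

class PermissionBroker {
  constructor(promptUser) {
    this.promptUser = promptUser;  // UI callback: (app, permission) => boolean
    this.apps = new Map();         // origin -> app record (one app per origin)
    this.foreground = null;        // origin of the app the user is interacting with
    this.suppressed = [];          // record of requests dropped while in background
  }

  install(app) {
    const origin = new URL(app.manifestURL).origin;
    // The origin is the only security boundary, so refuse a second app on it.
    if (this.apps.has(origin)) throw new Error(`origin ${origin} already hosts an app`);
    // A service has no UI to surface a prompt, so it must be certified.
    if (app.isService && app.trust !== TRUST.CERTIFIED) {
      throw new Error("services must be certified apps");
    }
    this.apps.set(origin, { ...app, origin, granted: new Set() });
    return origin;
  }

  setForeground(origin) { this.foreground = origin; }

  request(origin, permission) {
    const app = this.apps.get(origin);
    if (!app) return "denied";
    if (app.granted.has(permission)) return "granted";
    // Assumption: certified apps are granted permissions without a prompt.
    if (app.trust === TRUST.CERTIFIED) {
      app.granted.add(permission);
      return "granted";
    }
    // Background apps never reach the user; the app must ask again in foreground.
    if (origin !== this.foreground) {
      this.suppressed.push({ origin, permission });
      return "suppressed";
    }
    if (!this.promptUser(app, permission)) return "denied";
    app.granted.add(permission);
    return "granted";
  }
}
```

A request that comes back as `"suppressed"` is not a denial: the app is expected to repeat it once the user brings it to the foreground.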
 
===Power User===
Power users should be able to override the default trust roots to allow them to install arbitrary apps as trusted or certified. This is highly dangerous and should include a correspondingly strong disclaimer.