FirefoxOS/New security model/2.5 Status

Summary

• Usable developer prototype is landed.
• Developers can create and host signed packages which can be navigated to in the browser.
• Signed packages can request any permission and packages are loaded properly in isolated child process
• Known limitations:
  • Some APIs depend on existing App infrastructure and need to be refactored
  • No support for “Pinning” signed packages
• Still landing bug fixes as possible (but prioritising 2.5 blockers instead)

Detailed Status

For 2.5 the following is supported:

• Signed package support can be enabled by a preference
• Tool available for developers to package and sign their own content
• Signed packages are able to use certified & priviliged APIs (some limitations, see below)
• Signed packages are hosted on a web server and navigated to in the browser
• Signed packages load in isolated content processes (i.e. transparent process switching)
• Packages will update (inline with normal HTTP semantics)
• Signed packages are granted an isolated data jar (however web content that signed packages load is in the regular web cookie jar)

Not available in 2.5:

• The ability to "pin" signed packages and actions that depend on pinning:
  • http cache pinning of packages (i.e. packages currently follow normal web semantics, not available offline unless http cached)
  • Registration of web activities & system messages
• Service worker support
• Known issues with some APIs which depend on existing app concepts (notably system messages are not yet supported)
• Process switching away from signed packages isn’t working yet (only switching _to_ the package)

Key "blocking" bugs: (none really block since nsec is not blocking 2.5, but these are priority to get landed to improve dev experience)

• bug 1180088 - fixing an app permission which prevent some permissions being available to signed packages
• bug 1178526 - important to ensure the segregation between the signed packages, and the web server they are hosted on
• bug 1178448 - allows devs to sign packages with their own certificates (rather than bypassing signature checks)