(New page: __NOTOC__ == Overview == ''Describe the goals and objectives of the feature here.'' ;Background links * feature-tracking bug links * specs or design docs == Security and Privacy == * Wha...) |
|||
| Line 11: | Line 11: | ||
* Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing? | * Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing? | ||
* Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project. | * Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project. | ||
* A manifest can list an explicit entry that is not same-origin with the application. Say we have a manifest at http://application.com/app.manifest that looks like: | |||
CACHE: | |||
http://application.com/index.html | |||
http://thirdparty.com/frame.html | |||
If http://application.com/index.html includes http://thirdparty.com/frame.html as a child frame, it will be loaded from the application cache and subject to the same network rules as http://www.application.com/index.html (wrt whitelist and fallback entries). Its principal etc. won't change, and it won't have access to its applicationCache object. | |||
Toplevel loads of http://thirdparty.com/frame.html (or subframe loads whose toplevel is not associated with http://application.com/app.manifest) will be handled normally. | |||
== Exported APIs == | == Exported APIs == | ||
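Review bot: the added frame paragraph names the parent document as http://application.com/index.html where it describes the child frame, but as http://www.application.com/index.html where it describes the network rules. The whole bullet turns on which origin an entry belongs to, so both mentions should use the host from the manifest example (http://application.com/). The example manifest also shows only a CACHE: section, while the paragraph relies on "whitelist and fallback entries". Showing such entries in the sample, or stating that they are the ones declared in http://application.com/app.manifest, would make it clear which rules the third-party frame inherits.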