No edit summary |
Ptheriault (talk | contribs) |
| Line 34: | Line 34: | ||
Web Apps hosted remotely face network threats upon every launch (note that even cached offline apps have their manifest checked upon each launch). Web Apps may (and are expected to) send information back to remote servers or load additional scripts and resources, although this may not be necessary (or appropriate) for critical system Web Apps. | Web Apps hosted remotely face network threats upon every launch (note that even cached offline apps have their manifest checked upon each launch). Web Apps may (and are expected to) send information back to remote servers or load additional scripts and resources, although this may not be necessary (or appropriate) for critical system Web Apps. | ||
====Potential Countermeasures==== | ====Potential Countermeasures==== | ||
* SSL | * TLS/SSL | ||
* HSTS | *[https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security HTTP Strict Transport Security(HSTS)] | ||
* Static Web Apps with use explicit update process | * Static Web Apps with use explicit update process | ||
* Enforce a CSP policy on critical Web Apps | * Enforce a Content Security Policy (CSP) policy on critical Web Apps | ||
** Prevent loading of remote scripts for critical apps | ** Prevent loading of remote scripts for critical apps | ||
** Prevent loading of remote content altogether | ** Prevent loading of remote content altogether | ||
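Review bot: The revised CSP bullet now reads "Enforce a Content Security Policy (CSP) policy", which doubles the word "policy"; "Enforce a Content Security Policy (CSP) on critical Web Apps" says the same thing. The new HSTS bullet also drops the space after the `*` and before "(HSTS)", unlike the other list items, so it should be spaced to match them. The untouched line "Static Web Apps with use explicit update process" still carries the stray "with use" and could be corrected in the same edit, and since the revision has no edit summary, a short one noting that the abbreviations were expanded and the HSTS link added would help later readers of the history.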