Confirmed users
514
edits
Apps/PackagingProposal: Difference between revisions
→Packaging for Trusted and Certified apps
BillWalker (talk | contribs) |
BillWalker (talk | contribs) |
||
| Line 37: | Line 37: | ||
To make things more similar to how web pages normally work, we could allow pages from <tt>app://developer.com/</tt> to make network requests to | To make things more similar to how web pages normally work, we could allow pages from <tt>app://developer.com/</tt> to make network requests to | ||
http://developer.com. I.e. the app would be allowed to open XMLHttpRequest connections to http://developer.com/ <http://developer.com/.>myapi.cgi without requesting any special privileges. Likewise | http://developer.com. I.e. the app would be allowed to open XMLHttpRequest connections to http://developer.com/ <http://developer.com/.>myapi.cgi without requesting any special privileges. Likewise images and videos loaded from <tt>http://developer.com</tt> would not be considered cross-origin for example for the purposes of tainting when drawn into a <tt><canvas></tt>. This way most of the code which would work for a website would work in a packaged app, except that the packaged app would have to ensure to use absolute URLs when wanting to connect to the website. | ||
In order to keep applications isolated from each other (except through explicit APIs like WebActivities) the app:// protocol always maps to loading from the package that the load is initiated from. Consider a user which has a facebook app and a google maps app installed. Whenever the facebook app loads an app:// URL, we always look in the package which contains the facebook app. If the resource isn't found there we return a 404 error. I.e. we never even look at the google maps package, even the facebook app tries to load something like <tt>app://google.com/map.html</tt>, the result is simply a 404. This also means that it's not a problem to install two apps from google which both contains the same <tt>app:// google.com/library.js</tt> URL. Each app would simply load the library.js file from its own package. | In order to keep applications isolated from each other (except through explicit APIs like WebActivities) the <tt>app://</tt> protocol always maps to loading from the package that the load is initiated from. Consider a user which has a facebook app and a google maps app installed. Whenever the facebook app loads an app:// URL, we always look in the package which contains the facebook app. If the resource isn't found there we return a 404 error. I.e. we never even look at the google maps package, even the facebook app tries to load something like <tt>app://google.com/map.html</tt>, the result is simply a 404. This also means that it's not a problem to install two apps from google which both contains the same <tt>app:// google.com/library.js</tt> URL. Each app would simply load the library.js file from its own package. | ||
There are still lots of parts that we need to figure out. First of all we need to define an exact format for the package. There are lots of formats out there for signed packages, .jar which is commonly used by java, .xpi which Firefox uses for addons, .crx used by Chrome, etc. We can either pick an existing one, or design a new one. I'll explicitly declare it off topic for this thread to come up with the specific format. Please start separate threads about that. | There are still lots of parts that we need to figure out. First of all we need to define an exact format for the package. There are lots of formats out there for signed packages, .jar which is commonly used by java, .xpi which Firefox uses for addons, .crx used by Chrome, etc. We can either pick an existing one, or design a new one. I'll explicitly declare it off topic for this thread to come up with the specific format. Please start separate threads about that. | ||