Confirmed users
716
edits
Apps/SecurityDetails: Difference between revisions
Jump to navigation
Jump to search
no edit summary
No edit summary |
No edit summary |
||
| Line 168: | Line 168: | ||
=== App Review === | === App Review === | ||
The store is responsible for reviewing the app to ensure that it doesn't do anything dangerous with the permissions it is granted. | |||
Since the OpenWebApps API allows any website to become a store, only stores approved by B2G will be allowed to | |||
=== App Signing === | === App Signing === | ||
''Definition of the signing format goes here. Brian Smith is working on this.'' | |||
=== Default CSP policy === | === Default CSP policy === | ||
The CSP policy applied to all trusted apps is: | |||
<code>default-src *; script-src 'self'; object-src 'none'; style-src 'self'</code> | |||
This puts the following restrictions on pages in privileged apps: | |||
* Scripts can only be loaded from the package. | |||
* Scripts can not use data:-URIs | |||
* Inline scripts can not be used | |||
* eval() can not be used. Neither can eval-like functions like setTimeout or "new Function". setTimeout can still be used as long as the first argument is a Function object rather than a string. | |||
* onXXX attributes can't be used in the markup of pages. You can still write javascript code like <code>myelement.onXXX = someFunction;</code> as long as you don't assign onXXX to a string, but rather to a Function object. | |||
* <object>, <embed> and <applet> are fully disabled. In other words, plugins won't work at all. Including flash. | |||
* CSS can only be loaded from the package. Inline CSS is however allowed. | |||
This does not restrict any of the following: | |||
* <code><iframe>s</code> can still point to any URL | |||
* Images can still be loaded from anywhere. Including when loaded using an <code><img></code> element, when using CSS background images or when using other types of CSS images. | |||
* Network connections can still be opened anywhere using data-centric APIs like <code>XMLHttpRequest</code> or <code>WebSocket</code>. | |||
== permission manager == | == permission manager == | ||