Changes

*No same-origin restrictions for app content; same origin still enforced for non-app content.

Some permissions are sensitive enough that we don't want just any webapp to get access to it. For example, the DeviceStorage API lets a website delete all the pictures in the user's "pictures folder". The API implementation does ask the user for permission before doing this, however we don't feel that it is enough protection for the user if the only thing standing behind the user and 10 years of lost pictures is a simple "do you want to allow this" dialog.

* The app will use a [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html CSP] policy to harden the app itself against bugs which would allow an attacker to inject code into the app. This will also make reviewing the app easier.

The CSP policy applied to all privileged and certified apps is: