"They use a minimum CSP policy in all pages in the app."
- What is in this minimum policy? Is this automatic? If it is, can the author override it? How does this work with resources on CDNs and other domains? Is there any reporting done where the author can debug? This will potentiallly block all add-ons, for good or bad - there are still open bugs on CSP.
Hopefully Apps/SecurityDetails answers these questions. Linking to CDNs will work just as normal, though ideally you wouldn't need CDNs as much since the resources will be located in the package.
Access to app:// resources
- How would I go about accessing my app:// resources practically?
- Just like with normal http:// urls.
- Are all the resources accessed via app:// stored in the zip archive?
- Where can it be accessed? Not via the web, but within a web app, right?
Need an end to end example
- A practical example using either actual code or pseudocode could help explain this better that shows:
- Installing of the packaged app on a per platform basis
- Launching of the packaged app on a per platform basis
- Accessing of app:// resources
- File structure of the zip archive
- Can users install new versions of an app from a different store?
- Not right now. For that to work we need to define a concept of app identity.