== Background: Privileged Packages ==

In the previous packaged approach an app is shipped as a single multipart package: each part carries a Content-Location and a Content-Type, and parts are separated by a boundary string, for example:

<pre>
--gc0pJq0M:08jU534c0p
Content-Location: /index.html
Content-Type: text/html

<html>
<head>
<script src="scripts/app.js"></script>
...
</head>
...
</html>

--gc0pJq0M:08jU534c0p
Content-Location: /scripts/app.js
Content-Type: text/javascript

import * as Math from '/scripts/helpers/math.js';
...

--gc0pJq0M:08jU534c0p
Content-Location: /scripts/helpers/math.js
Content-Type: text/javascript

export function sum(nums) { ... }
...

--gc0pJq0M:08jU534c0p--
</pre>

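As an added example (not code from the original page or from Gecko), the following is a small parser for the multipart package format shown above. It splits the package on the boundary, reads each part's headers and body, keys the parts by Content-Location, and rejects a package in which two parts claim the same location, since a later part could otherwise shadow an earlier one. The sample package embedded in it is constructed for this example, with complete but tiny bodies; the draft-era "module ... from" line is written as a standard ES module import.

```javascript
'use strict';

// Constructed sample package (hypothetical content, same layout as the text).
const BOUNDARY = 'gc0pJq0M:08jU534c0p';
const SAMPLE_PACKAGE = [
  `--${BOUNDARY}`,
  'Content-Location: /index.html',
  'Content-Type: text/html',
  '',
  '<html><head><script src="scripts/app.js"></script></head><body></body></html>',
  `--${BOUNDARY}`,
  'Content-Location: /scripts/app.js',
  'Content-Type: text/javascript',
  '',
  "import * as Math from '/scripts/helpers/math.js';",
  'console.log(Math.sum([1, 2, 3]));',
  `--${BOUNDARY}`,
  'Content-Location: /scripts/helpers/math.js',
  'Content-Type: text/javascript',
  '',
  'export function sum(nums) { return nums.reduce((a, b) => a + b, 0); }',
  `--${BOUNDARY}--`,
  '',
].join('\r\n');

// Parse one multipart package into a Map of Content-Location -> part.
// Every part must carry a Content-Location, and a location may appear only once.
function parsePackage(text, boundary) {
  const delim = `--${boundary}`;
  const closing = `${delim}--`;
  const lines = text.split(/\r?\n/);
  const parts = new Map();
  let i = 0;

  // Anything before the first boundary line is preamble and is ignored.
  while (i < lines.length && lines[i] !== delim) i++;
  if (i === lines.length) throw new Error('no opening boundary');
  i++;

  while (i < lines.length) {
    // Part headers run up to the first empty line.
    const headers = {};
    while (i < lines.length && lines[i] !== '') {
      const m = /^([A-Za-z0-9-]+):[ \t]*(.*)$/.exec(lines[i]);
      if (!m) throw new Error(`malformed header line: ${lines[i]}`);
      headers[m[1].toLowerCase()] = m[2].trim();
      i++;
    }
    i++; // skip the blank line that separates headers from body

    // The body runs up to the next boundary line (ordinary or closing).
    const body = [];
    while (i < lines.length && lines[i] !== delim && lines[i] !== closing) {
      body.push(lines[i]);
      i++;
    }
    if (i === lines.length) throw new Error('part not terminated by a boundary');
    const isClosing = lines[i] === closing;
    i++;

    const location = headers['content-location'];
    if (!location) throw new Error('part without Content-Location');
    if (parts.has(location)) throw new Error(`duplicate Content-Location: ${location}`);
    parts.set(location, {
      contentType: headers['content-type'] || 'application/octet-stream',
      body: body.join('\n'),
    });
    if (isClosing) return parts;
  }
  throw new Error('missing closing boundary');
}

// Script paths an HTML part references, resolved against the part's own
// location, so "scripts/app.js" inside /index.html maps to /scripts/app.js.
function scriptLocations(parts, htmlLocation) {
  const part = parts.get(htmlLocation);
  if (!part) throw new Error(`no part at ${htmlLocation}`);
  const found = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(part.body)) !== null) {
    // The host is a placeholder: only the resolved path is of interest here.
    found.push(new URL(m[1], `https://package.invalid${htmlLocation}`).pathname);
  }
  return found;
}
```

The duplicate-location check is the security-relevant detail: a loader that silently let the last (or first) part win would give an attacker who can append a part a way to replace any resource in the package.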
== Privileged Packages ==

A page is denoted as part of a privileged app by setting two headers:

<pre>
manifest: https://example.com/app/someapp.webmanifest
manifest-signature: MRjdkly.... (Base64 JWS Signature)
</pre>

The normal loading process is:

# Gecko loads the manifest
# Gecko checks the signature of the manifest
# If the signature verifies, a privileged child process is launched
# The web page is loaded as a normal web page inside this privileged process
# Although the ''process'' is privileged, permissions are restricted until verification is complete

The verification process is as follows:

# After the manifest signature checks out, Gecko starts downloading all files enumerated in the manifest
# Each resource is checked against its digest from the manifest
# If the integrity check passes, the resource is cached
# Only once all the resources have been cached is the content considered privileged and its permissions made available to it

To update a privileged app:

# Upload the new content to the marketplace to generate a new (signed) manifest
# Change the files on the web server

The order matters: the files being served must match the digests in the manifest a client is using, otherwise the integrity check fails and the app does not become privileged.

Verification failures are generally treated as network failures. See "Error Recovery" below for the approach to dealing with loading errors and partially loaded apps.

== Security Restrictions ==

* All privileged content must be served over a secure network connection.
* Privileged content must not be framed.
* Only signed scripts may be loaded.
* Resources enumerated in the manifest must have their integrity checked prior to loading.

Note:

* Not all HTML must be signed. There is little value in making this a firm requirement, since it isn't possible to prevent dynamic HTML changes (this risk is unchanged from the previous packaged approach).
* Developers should be encouraged to sign all static resources.

== New Headers ==

Instead of being installed, FxOS app content is navigated to. HTTP headers are used to inform Gecko that a web page belongs to an app:

<pre>
manifest: https://app.foo.com/app/fooapp.webmanifest
manifest-signature: https://app.foo.com/app/fooapp.sig
</pre>

== App Manifest Extensions ==

Add a ''resources'' section to the app manifest which enumerates the content that needs an integrity check. Each entry pairs a ''src'' (relative to the app origin, or an absolute URL for third-party content) with an ''integrity'' digest:

<pre>
{
  "name": "My App",
  "scope": "/",
  "start_url": "/index.html",
  "permissions": [
    {
      "systemXHR": {
        "description": "Needed to download stuff"
      },
      "devicestorage:pictures": {
        "description": "Need to load pictures"
      }
    }
  ],
  "resources": [
    {
      "src": "/index.html",
      "integrity": "sha256-kass...eoirW-e"
    },
    {
      "src": "/page2.html",
      "integrity": "sha256-kasguie...ngeW-e"
    },
    {
      "src": "/script.js",
      "integrity": "sha256-agjdia2...wgda"
    },
    {
      "src": "https://libraries.com/library.js",
      "integrity": "sha256-geijfi...ae3W"
    }
  ]
}
</pre>

== Loading an app ==

When an app manifest is encountered, the page is loaded as normal and additional steps are initiated in parallel. Two main processes are started:

* populating the cache with the resources enumerated in the app manifest
* verification of signed resources and granting of permissions

=== Cache population ===

When gecko encounters an app manifest, resources

=== Verification of resources ===

== Error Recovery ==
