Confirmed users
110
edits
Security/Reviews/B2G/mozapp: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 11: | Line 11: | ||
}} | }} | ||
===Technical details=== | ===Technical details=== | ||
<pre> | |||
A non-standard attribute was added to the iframe tag called | A non-standard attribute was added to the iframe tag called | ||
mozapp [1] This attribute allows a webpage to specify a manifest URL, that was previously pre-installed on the device or installed through window.navigator.mozApps.install [2]. A valid manifest meets the requirements set forth at [3] and may grant an app more privileges than a normal webpage has. | mozapp [1] This attribute allows a webpage to specify a manifest URL, that was previously pre-installed on the device or installed through window.navigator.mozApps.install [2]. A valid manifest meets the requirements set forth at [3] and may grant an app more privileges than a normal webpage has. | ||
| Line 30: | Line 30: | ||
[6] - http://hg.mozilla.org/mozilla-central/file/70cfbdceb63a/content/html/content/src/nsGenericHTMLFrameElement.cpp#l393 | [6] - http://hg.mozilla.org/mozilla-central/file/70cfbdceb63a/content/html/content/src/nsGenericHTMLFrameElement.cpp#l393 | ||
[7] - http://hg.mozilla.org/mozilla-central/file/dd2ffe93fb2f/dom/apps/src/PermissionsTable.jsm#l208 | [7] - http://hg.mozilla.org/mozilla-central/file/dd2ffe93fb2f/dom/apps/src/PermissionsTable.jsm#l208 | ||
</pre> | |||
===What does a mozapp iframe do?=== | |||
<pre> | |||
A mozapp iframe with a valid manifestURL and embeddor with proper permissions is granted the enhanced functionality of webapps. Permissions granted / denied are set when the app is installed. The biggest difference is the "origin" used when performing same origin checks. The gecko core was modified to use the concept of an extended origin defined as | |||
aExtendedOrigin = appId + "+" + { 't', 'f' } "+" + origin [1] | |||
appId: This is the appId for the supplied manifest, otherwise it is either NO_APP_ID or UNKNOWN_APP_ID [3] | |||
{'t', 'f,'}: This corresponds to whether this origin exists inside a mozBrowserFrame or not | |||
origin: This is the origin of the page / document. Note that the scheme will be app:// for packaged app resources | |||
This triple uniquely identifies the origin for cookies, session/localstorage and cross-origin checks. A mozapp iframe that is browsed to www.mozilla.org does not necessarily have the access to the cookies from a browser visiting www.mozilla.org . This can be due to the appIds being different and / or InMozBrowserFrame being different. | |||
[1] - http://hg.mozilla.org/mozilla-central/file/f83604cff118/caps/src/nsScriptSecurityManager.cpp#l2887 | |||
[2] - http://hg.mozilla.org/mozilla-central/file/f83604cff118/caps/idl/nsIScriptSecurityManager.idl#l228 | |||
</pre> | |||
http:// | |||