Making Web Applications secure by default #509
Comments
Related Proposals

Web Bundles
A mechanism of distribution for Web Applications as binary bundles.
Unlike websites, which are directly reachable via a URL into the browser, Web Applications can be distributed as binary Web Bundles that are first downloaded by the user and then launched into the browser.

Script Tag extension: Per-Module Network Isolation
whatwg/html#6547

Deprecation of "cross-origin-policy" in favor of a declarative network isolation of insecure HTML tags
whatwg/html#6553

Declarative cross-origin communication in iframe and popup tags via Shared Worker
Building up on declarative network isolation for insecure HTML tags, we can now very easily and securely establish declarative cross-origin communication flows between a website, an iframe and a popup window, by leveraging the Shared Worker technology.
There is some related discussion here: https://bugs.chromium.org/p/chromium/issues/detail?id=995236
@josephrocca, the chromium bug above indeed expresses the same concern of being able to restrict network access for the application, in the context of a PWA, in order to achieve a better security model and to protect the user, and not only the computer as the browser sandbox does. However, PWAs are "enhanced" websites directly served from a URL, and in order to actually load the scripts, such as: <script type="module" src="app.js"></script> the main document needs to have network access, meaning that the main document is not offline-first in a PWA, which poses a security issue. In the context of a Web Bundled Application, where all the resources already exist "client-side" at launch time, the main document does not need network access, and therefore, it can load a script such as the one above without declaring a network permission for the script tag with an
This isn't concrete enough to evaluate. Please get back to us once there's a processing model of sorts.
Can you please explain what you mean by "processing model of sorts"?
A specification that's concrete enough so it can be implemented in a browser, such as Firefox.
Request for Mozilla Position on an Emerging Web Specification
Other information
The web has been conceived as a way of displaying information to users, within a sandbox that is not secure by default (open to the internet and to the hosting server). With the development of new technologies facilitating user inputs, the modern web made possible the conception of Web Applications into that insecure environment primarily designed for web documents but not for applications. In consequence, we now need to make Web Applications secure by default by making them offline first and granting them internet access only via fine-grained and user-controlled permissions.