ubuntu-appstore-developers team mailing list archive

Re: Webapps confinement & click package story


On 13-09-06 11:02 AM, Alexandre Abreu wrote:
> 2. The webapp browsing experience would be strictly confined to a specific set
> of url patterns, and the functionality is already being merged in the
> webbrowser-app,

How are you planning on doing this? What happens when the facebook webapp wants
to embed a video from youtube? What happens when the user wants to click a link
that navigates out of the set of url patterns? What happens when someone clicks
the "Like on facebook" link on a page in the normal web browser?

> 3. I was wondering if for those packages and given the specific nature of
> webapps and the associated security risks (spoofing, phishing etc), we would be
> able to bypass some sort of review process that would be a bit more restricted
> than the one (if any) for other apps. At the moment, the APP_ID specific profile
> would prevent any local data capture etc.

I'm not quite sure what that means. You want to bypass the regular review
process, or you want it to be more restricted than the one for other apps? Seems
to me webapps are going to require more review than regular apps. Allowing
anyone to upload a facebook webapp that contains javascript that can steal a
user's credentials, either deliberately or inadvertently by breaking the
browser's same-origin policy, would be bad. How many people are going to upload
different versions of the facebook webapp?

> Jamie did put up a wiki page to capture the current decision/state of the
> discussions,
> https://wiki.ubuntu.com/SecurityTeam/Specifications/WebAppsConfinement

I'll add some of my points to the wiki.


