
ubuntu-appstore-developers team mailing list archive

Re: Webapps confinement & click package story


On 09/06/2013 10:02 AM, Alexandre Abreu wrote:
> Hi,
> 
> We are working on webapps integrations and click packaging on UbuntuTouch and
> trying to address the WebApps confinement details.
> 
> We already had a chat with Jamie about that last week to further trim down the
> whole story.
> 
> A bit of rough context before the gist of the email:
> 
> - A Webapp on Touch will be an individual click package with a desktop file, a
> set of icons, and possibly (but not strictly mandatory) a snippet of JavaScript
> along with a manifest file,
> 
> - The webbrowser-app will be used as a container for running the Webapp, and the
> Exec line from the desktop file for each Webapp click package will reflect that
> with something roughly like:
> 
> Exec=webbrowser-app --webapp http://ubuntu.com
> 
> (subject to change)
> 
> with various additional command line options that will be used to tweak the UI
> aspect and (restricted) navigation,
> 
> - When running in "Webapp mode", the click-desktop hook will properly set up the
> Path in the desktop file and the app will be started with the local package as
> the cwd, which will then be used to locate potential snippets that need to be
> injected by the webbrowser-app (the local lookup bit needs to be added since atm
> it tries to search for snippets in /usr/share),
> 
> Now the bits that are left:
> 
> 1. how the webbrowser-app should react to that and act in a properly confined
> way for each Webapp. The idea there would be to prevent history, bookmarks,
> cookies etc. from being shared among the Webapps and obviously with the regular
> browser app.
> 
One part of this is having an apparmor template for use by webapps to confine
the webbrowser and enforce isolation between webapps for
cache/cookies/history/etc. To allow people to play around with something,
apparmor-easyprof-ubuntu 1.0.23 added the ubuntu-webapp-experimental template.
Marc and I talked and we agree that this template is fine to have and so I
renamed it ubuntu-webapp in apparmor-easyprof-ubuntu 1.0.30.

Do note that there are a lot of open questions still that need to be answered
before people should start using this and we can open the floodgates in the
appstore (see Marc's and my previous emails and the wiki[1]).

[1] https://wiki.ubuntu.com/SecurityTeam/Specifications/WebAppsConfinement

-- 
Jamie Strandboge                 http://www.ubuntu.com/
