Apps/Security/StandardWebSecurity

From MozillaWiki

Standard web security

Standard web security has a key role to play in B2G. This section defines and delineates the scope within which standard web security (the ordinary browser security model, including its XSS protections) is the appropriate model to deploy and rely on within B2G and B2G applications.

Scope

B2G still needs to display ordinary web pages and media. These should be treated no differently from how they are treated in a normal web browser. However, there is some debate as to whether such ordinary web pages should be allowed access to an exceptionally limited subset of B2G's WebAPIs, and there is concern about the ease with which such pages could be used to implement phishing attacks.

Requirements

  • A standard web page must not have access to any functions beyond standard W3C HTML5, i.e. no non-standard extensions of any kind. (Should they have access to some of the "safer" B2G WebAPIs?)
  • The security model for "standard web pages" in B2G must be no different from the standard security model for standard web pages in any normal web browser (including XSS).
  • A standard web page MUST NOT be permitted to operate full-screen, in order to prevent phishing attacks.

Proposals

TBD