This is a huge problem if the user is checking their GMAIL from an Internet Cafe for example.

Thanks for the comments. As I mentioned, it is very early to talk about possible problems in FF offline support, however, am I right by saying that if web applications can cache so do web malware? Also, I am interested to know how the offline state in web applications is defined. Is an application offline when there is no access to the remote server, or is it offline when the network cable is unplugged? It makes a big difference.

In simple words, attackers might be able to cache malware code and call it when it is needed. This is a problem because it removes the need for external servers to host the malicious code.

I can come up with dozens of other questions like this. We need to seriously think about the security implications involved in this feature.

This, the extend of a XSS would still be the same as today: The attacker can control gmail and the data in there, but nothing else.

For example, we won’t allow offline apps to run “in the background” any more than we allow online apps to do so. On the downside this means you must explicitly visit the application page to resync when you get back online; on the upside, malware wouldn’t be able to run invisibly.

Furthermore, the offline cache that stores offline application resources is just a cache and it’s only used when you’re offline. When you’re online the application will run using normal HTTP caching mechanisms and offline-cache resources will be revalidated against the online source. So I don’t think this opens any new avenues of attack that don’t exist with existing browser caching, unless we stuff up our implementation somehow.