Mozilla Prism Not There Yet
From Mozilla's Lab blog post: "Prism is an application that lets users split web applications out of their browser and run them directly on their desktop". I was intrigued.
For a moment I thought that my days in pain are over. "Mozilla've got it right this time"! I really liked the concept. I still do. Unfortunately, when I installed the Prism environment and tried to hook some Google apps I am using all the time, I found myself in the exact same situation I was before. Essentially, Prism is nothing more but the Firefox browser with some fancier desktop shortcut features and without the normal chrome.
I really thought that Prism will allow web applications to run independently, without sharing resources such as cookies, etc. I through that by separating all applications, I care about, as independent Prism apps, I will achieve the level of security I've always needed in my day-to-day work.
The result was different though. Although Google Reader was set as a separate applications from Google GMail, once I authenticated one of them the other one also gets authenticated as well. "Disappointment"! Through, I still like the concept. It just needs a bit polishing.
Here is a list of things, which make sense in terms of security and which mozilla developers should consider implementing into Prism:
- Prism applications should be placed on their own such as cookies, persistent storage, etc are not accessible by other Prism applications which run from the same origin.
- Prism should implement logical groups which allow applications to share cookies between each other, when required. So for example, I should be able to define that the GMail application can share cookies with the Google Reader, i.e they are in the same logical group.
Keep in mind that you may still suffer from Cross-site scripting and Cross-site request forgery attacks, although the attack surface will be greatly mitigated! I hope that these kind of features are implemented into Prism soon. This will give us the ability to surf the web a little bit safer.Comments Powered ByDisqus