WebApp as Desktop App Security Model?

Recently there has been a fair amount of talk about bringing web applications off of the web and onto your desktop, or to put it in really simple terms: providing a bare-browser that has no UI but the site you visit. It sounds good, but I’m not convinced it’s quite workable, at least at this point. A few example of these attempts are:

The first two are somewhat generic in purpose, while FullerScreen is intended more for the task of using a web page as a presentation medium. Making it a potential replacement for something like PowerPoint.

I’m not quite sure this is really a workable model for the “average user”. Take for example the following scenario:

Say you use this as a way to make your Gmail (or Yahoo) account feel more like a client-size application. You receive an email to visit a site. You click the link and visit the site. You think you are using Firefox. In reality you’re really viewing a spoofed window. Even if remote XUL is disabled you can still do a fair job with just a bunch of cut up GIF’s. Enough to fool a casual user. Firefox has some basic countermeasures to help prevent this, such as keeping some UI.

This could be prevented if a “windowless” browser always prompts or provides some other sort of notification before connecting to an unprivileged host. Or better yet: Simply launches the real browser rather than handling untrusted url’s. That would be better and less Vista-like.

So that leaves me with the question: how should such an application behave? A true desktop application typically launches the default browser on the computer. Notable exceptions being things like Real Player, Google Earth, etc who embed a browser. How do you give a desktop like feel to an application, yet still provide the UI feedback to the user that a browser’s chrome provides?

My suggestion is simply limiting by a hostname. You have a Gmail app, you trust Gmail and nobody else. In my mind an application does 1 task and does it well. If it was intended to feel like a Gmail client, then it should do that, and that only. Want to visit that website with the monkey that sniffs his own butt? Cool, but do it in your own browser.

I’d be curious what others thought of this potential problem. I think with XULRunner looking more stable, WebKit being available to Mac developers and the merging of the web and OS, things like this are a potential problem. We are getting more and more ways to embed browsers into things (widgets, extensions, etc.). This is going to be more of an issue moving forward.

This isn’t to say I don’t like the above products (I actually really like them). I just haven’t figured out exactly how they fit into the current security model of local:safe, web:devils-playground. I don’t think they do. I think they potentially break the barrier between the web and desktop applications. We’ve all been hoping would be broken. The question is: are we ready?

The higher level question is: How do you distinguish between trusted and untrusted data when it all looks like it’s local?