Security of sender info

Right now, webxdc apps can include a “sender” in the payload if they need it, which works, but has absolutely no security of any kind. I would like to see the sender of an update included as an extra key injected by the “host” app (such as deltachat) like the sequence numbers are, instead of in the payload, to prevent trivial spoofing.

Related to this, it would be great if there was a property injected containing the address of the “initiator” of the app, e.g. whoever sent the original message with the app attached. This would allow the poll app, for example, to only show the configuration UI to the original sender instead of to whoever happens to open it first.


So I guess it would be some “update.peer_uri” attribute, maybe. Anyone who has a hacked-up version of Delta Chat could get at this info anyway. Do you have some app prototyping going on where you would need that?

Most existing apps could benefit from it. For example, with the existing poll app I can spoof a vote from anyone else in the chat by sending an update with payload.sender set to their address. Since all sender info is just in the payload there is no protection and the app has to just trust it.

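To make the spoofing concrete, here is an added example (not code from the webxdc project or from any poster in this thread) of a poll tally written two ways: one that trusts a `sender` field inside the payload, as the existing poll app does, and one that trusts only a sender field stamped onto the update by the host app. The host-injected field is called `update.sender` here purely as an assumption; it is the attribute proposed in this thread and does not exist in the webxdc API at the time of writing. The updates are constructed sample data shaped like what `setUpdateListener` delivers (`payload`, `serial`, `max_serial`), plus the hypothetical `sender` key.

```javascript
// Constructed sample updates. `sender` is the HYPOTHETICAL host-injected field
// from the proposal; `payload.sender` is what the app itself put in the payload.
const SAMPLE_UPDATES = [
  { serial: 1, max_serial: 4, sender: "alice@example.org",
    payload: { type: "vote", option: "tea", sender: "alice@example.org" } },
  { serial: 2, max_serial: 4, sender: "bob@example.org",
    payload: { type: "vote", option: "coffee", sender: "bob@example.org" } },
  // Mallory forges bob's vote by writing bob's address into the payload.
  // The host still stamps the update with mallory's real address.
  { serial: 3, max_serial: 4, sender: "mallory@example.org",
    payload: { type: "vote", option: "tea", sender: "bob@example.org" } },
  { serial: 4, max_serial: 4, sender: "mallory@example.org",
    payload: { type: "vote", option: "tea", sender: "mallory@example.org" } },
];

// Shared tally: one vote per voter address, the latest vote wins.
// `senderOf` decides which field identifies the voter.
function tally(updates, senderOf) {
  const votes = {};
  for (const u of updates) {
    if (!u.payload || u.payload.type !== "vote") continue;
    const voter = senderOf(u);
    // Skip updates that carry no usable sender rather than counting them.
    if (typeof voter !== "string" || voter === "") continue;
    votes[voter] = u.payload.option;
  }
  const counts = {};
  for (const option of Object.values(votes)) {
    counts[option] = (counts[option] || 0) + 1;
  }
  return { votes, counts };
}

// Vulnerable: the voter identity comes from inside the payload, which any
// chat member can set to any value. Update 3 silently overwrites bob's vote.
function tallyTrustingPayload(updates) {
  return tally(updates, (u) => u.payload.sender);
}

// Hardened: the voter identity comes from the host-injected field only;
// whatever the payload claims about its sender is ignored.
function tallyTrustingHost(updates) {
  return tally(updates, (u) => u.sender);
}

// Optional check an app could run to surface tampering: serials of updates
// whose in-payload sender disagrees with the host-injected sender.
function spoofedSerials(updates) {
  return updates
    .filter((u) => u.payload &&
                   typeof u.payload.sender === "string" &&
                   u.payload.sender !== u.sender)
    .map((u) => u.serial);
}

console.log("trusting payload.sender:", tallyTrustingPayload(SAMPLE_UPDATES).counts);
console.log("trusting host sender:  ", tallyTrustingHost(SAMPLE_UPDATES).counts);
console.log("spoofed serials:", spoofedSerials(SAMPLE_UPDATES));
```

With the payload-trusting tally, bob ends up recorded as voting “tea” and the count is tea 3, coffee 0; with the host-trusting tally, bob keeps his “coffee” vote and mallory's forged update simply counts as mallory's own vote (tea 2, coffee 1). Note that the hardened version only helps if the host actually overwrites any `sender` key a sender tries to inject at the top level of the update, the same way it does for sequence numbers; the app alone cannot establish that.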

FYI we do not yet engage much with the “one of the chat members and participating xdc app users is a cheater” threat model … and there are many other ways to cheat, like sending different XDCs to different people while they think it’s the same. That said, it might still make sense to add an update.peer_info attribute because it’s a convenient thing to use for an app (and as seen from my device, it’s more authentic if DC marks incoming updates with the precise peer_info from the sender of an update – this does make spoofing harder, agreed).


I’ve been calling it sender but happy to use peer_info or whatever else makes sense.

Somewhat related: we aim to remove the need to let selfAddr be equal to the email address. That way, other implementations can follow the spec; see “`selfAddr` may be any unique ID” by r10s, Pull Request #42 in webxdc/webxdc_docs on GitHub.

This won’t protect against the “cheater threat model”, but it will improve privacy.
