Enable a packaged app to be same-origin with a website

[sicking]

It's very inconvenient for developers any time cross-origin communication is involved. For example all XHR loads require the server to support CORS, and you can't access the DOM or JS functions inside an <iframe> which contains a cross-origin webpage.

Right now a packaged app is cross-origin to all http:// loaded pages. That means that the developer is exposed to all the cross-origin restrictions even when talking to their own website.

We should make it possible for a app package to choose a particular http:// origin that they are same-origin with. However, we have a number of problems to overcome:

• App packages don't always come from trusted sources. So we can't simply stick a "origin" property in the manifest and take it at face value.
• For privileged apps, we can't let script from the website be able to get access to the APIs that are granted to the privileged app.
• We might want to be able to "side load" app packages through people sharing apps using bluetooth or usb. At least for apps that are willing to be sharable this way.
• This should work even in situations when the user installs the app through a store and not through the developer website. This might not mean that the app package file is downloaded from the store webserver though.