Closed Bug 724035 Opened 12 years ago Closed 12 years ago

find a secure way to relax the restriction on webapp launch_path GET args

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: bwalker, Unassigned)

References

Details

at present, GET args in a launch_path are removed prior to being used to launch the App. We should explore whether it is possible to relax this restriction without introducing new security risks.

For example -- If we relax this restriction, an App developer could submit different manifests to different App stores that differ only by a GET arg; this would allow them to distinguish which App Store lead to a given installation.
I think it must be a bug that this is being removed; nothing we've ever discussed would preclude GET args.
Component: General → DOM: Mozilla Extensions
OS: Mac OS X → All
Product: Web Apps → Core
QA Contact: general → general
Hardware: x86 → All
Whiteboard: [mozappapi]
Blocks: 746465
Whiteboard: [mozappapi]
Tested here, and I cannot reproduce any problem with a query string: http://app1.ianbicking.org/?manifest=manifest-get.webapp

Installation works, and app.launch() starts the app with the query string.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.