Closed
Bug 793747
Opened 12 years ago
Closed 11 years ago
When installing an app, show the origin of the app in the confirmation prompt
Categories
(Firefox for Android Graveyard :: Web Apps (PWAs), defect, P1)
Tracking
(firefox23 verified, fennec+)
VERIFIED
FIXED
Firefox 23
People
(Reporter: jsmith, Assigned: mhaigh)
References
Details
(Keywords: sec-want, Whiteboard: [blocking-webrtandroid1-] A4A [packagedapps])
Attachments
(2 files)
|
1.36 KB,
patch
|
mfinkle
:
review+
|
Details | Diff | Splinter Review |
|
146.07 KB,
image/png
|
Details |
Screenshot showing install prompt with domain URL
Right now when you try to install a web application, we just show up a simple pop-up to confirm installing the application. For security reasons, we should provide a bit more context of where the app is being installed from (i.e. the origin), as that establishes more trust to the user that they know what they are installing. We have implemented this support for desktop and ff os, so we might want to do the same for Android.
|
Reporter | |
Updated•12 years ago
|
Priority: -- → P1
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [blocking-webrtandroid1-]
|
|
Reporter | |
Comment 1•12 years ago
|
||
Might be worth tracking - the origin is important to show when installing an app as it gives the user context to where the app is being installed from. It also establishes parity with desktop and b2g.
tracking-fennec: --- → ?
|
||
Updated•12 years ago
|
tracking-fennec: ? → +
|
|
Reporter | |
Comment 2•11 years ago
|
||
Per talking in the sec-review for b2g app updates, the b2g equivalent was claimed to be a sec-want, especially for packaged app installs. I'm adding the keyword here for the same reason. And also noming for tracking given that security wants this as a safety measure.
Keywords: sec-want
Whiteboard: [blocking-webrtandroid1-] → [blocking-webrtandroid1-] A4A?
|
|
Reporter | |
Comment 3•11 years ago
|
||
(In reply to Jason Smith [:jsmith] from comment #2) > Per talking in the sec-review for b2g app updates, the b2g equivalent was > claimed to be a sec-want, especially for packaged app installs. I'm adding > the keyword here for the same reason. And also noming for tracking given > that security wants this as a safety measure. See bug 827562 for context.
|
|
||
Updated•11 years ago
|
Whiteboard: [blocking-webrtandroid1-] A4A? → [blocking-webrtandroid1-] A4A
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → mhaigh
|
||
Comment 4•11 years ago
|
||
Triage comment: this is for hosted apps to start with.
|
|
||
Comment 5•11 years ago
|
||
Traige comment redux: we should likely have the same behavior for hosted and for packaged, the difference should be transparent to the user.
|
|
Reporter | |
Comment 6•11 years ago
|
||
(In reply to Erin Lancaster [:elancaster] from comment #5) > Traige comment redux: we should likely have the same behavior for hosted and > for packaged, the difference should be transparent to the user. No, this is definitely what you should not do with packaged apps. A packaged app has no concept of an app origin - it derives itself from an app:// URL. In the case of a packaged app, you should indicate the trusted store that the app is being installed from.
|
|
Assignee | |
Comment 7•11 years ago
|
||
Added app origin to install dialog
Attachment #735316 -
Flags: review?(mark.finkle)
|
|
Reporter | |
Comment 8•11 years ago
|
||
Comment on attachment 735316 [details] [diff] [review] Adding app origin to install dialog Review of attachment 735316 [details] [diff] [review]: ----------------------------------------------------------------- ::: mobile/android/chrome/content/browser.js @@ +6023,5 @@ > let manifest = new ManifestHelper(jsonManifest, aData.app.origin); > let name = manifest.name ? manifest.name : manifest.fullLaunchPath(); > let showPrompt = true; > > + if (!showPrompt || Services.prompt.confirm(null, Strings.browser.GetStringFromName("webapps.installTitle"), name + "\n" + aData.app.origin)) { A packaged app doesn't have a concept of an origin. So what happens here if I try install a packaged app? What do I end up seeing in the install prompt?
|
|
Assignee | |
Comment 9•11 years ago
|
||
A packaged app will show the base URL of the domain from which the app is being installed.
|
|
Reporter | |
Comment 10•11 years ago
|
||
(In reply to Martyn Haigh (:mhaigh) from comment #9) > Created attachment 735336 [details] > Screenshot showing install prompt with domain URL > > A packaged app will show the base URL of the domain from which the app is > being installed. Ah okay. Looks good then for the packaged app side. Thanks for checking.
|
|
||
Comment 11•11 years ago
|
||
Comment on attachment 735316 [details] [diff] [review] Adding app origin to install dialog Looks good.
Attachment #735316 -
Flags: review?(mark.finkle) → review+
|
|
||
Updated•11 years ago
|
Whiteboard: [blocking-webrtandroid1-] A4A → [blocking-webrtandroid1-] A4A [packagedapps]
|
|
Assignee | |
Comment 12•11 years ago
|
||
checkin-needed
|
|
Assignee | |
Updated•11 years ago
|
Keywords: checkin-needed
|
||
Comment 13•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/783f66376d65
Keywords: checkin-needed
|
|
||
Comment 14•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/783f66376d65
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 23
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
status-firefox23:
--- → verified
|
||
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•