Closed Bug 849548 Opened 11 years ago Closed 11 years ago

Validation of a hosted app manifest should fail if the app manifest does an off-origin redirect with any supported user agent on Marketplace

Categories

(Marketplace Graveyard :: Validation, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
2013-07-11

People

(Reporter: jsmith, Assigned: basta)

Details

If a hosted app manifest on Marketplace does an off-origin redirect, then we should fail validation, as you are not allowed to install hosted apps that have manifests that go off the origin of the app. Given that we know user agent sniffing is a problem in the mobile web, we also need to be careful to do this style of check with each supported user agent that we support for installation of web apps (the mobile UAs are more critical here for checking, though).

See bug 849510 for an example scenario of this problem where an off-origin redirect was observed with a FF Android user agent with the web app manifest, but not seen with other UAs.

Talking with Matt, trying to scrape resources under each supported UA is too resource intensive for us to support right now. However, we could change the default UA we scrape against. The best short-term solution we could do in this bug is to set the default UA to do scraping with to the B2G UA, as that's the highest priority in terms of the platforms we support.

When we scrape then, let's use the B2G UA below:

Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0

closing for comment 2
Assignee: nobody → mattbasta
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2013-07-11
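
The check discussed in this bug, as an added example that is not code from the bug thread or from the Marketplace validator: follow the manifest's redirects by hand with the B2G UA quoted above and fail on the first hop that leaves the app's origin. The `fetch` callable, the `app.example` hosts, the desktop UA string and the constructed server behaviour are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# UA string quoted in the bug; everything else here is an assumption.
B2G_UA = "Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0"
DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_HOPS = 5


def origin(url):
    """Return (scheme, host, port) with default ports made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def check_manifest_redirects(manifest_url, fetch, user_agent=B2G_UA):
    """Follow redirects by hand; fail on the first hop that leaves the origin.

    `fetch(url, user_agent)` is a hypothetical callable returning
    (status_code, location_header_or_None) without following redirects.
    Returns (ok, reason).
    """
    app_origin = origin(manifest_url)
    url = manifest_url
    for _ in range(MAX_HOPS):
        status, location = fetch(url, user_agent)
        if status not in (301, 302, 303, 307, 308):
            return True, "manifest served from " + url
        if not location:
            return False, "redirect without Location header at " + url
        target = urljoin(url, location)  # Location may be relative
        if origin(target) != app_origin:
            return False, "off-origin redirect: %s -> %s" % (url, target)
        url = target
    return False, "too many redirects"


# Constructed server behaviour: only mobile UAs are sent to another host.
def fake_fetch(url, user_agent):
    if url == "https://app.example/manifest.webapp" and "Mobile" in user_agent:
        return 302, "https://m.app.example/manifest.webapp"
    if url == "https://app.example/old.webapp":
        return 301, "/manifest.webapp"
    return 200, None


if __name__ == "__main__":
    desktop = "Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
    for ua in (desktop, B2G_UA):
        print(check_manifest_redirects("https://app.example/manifest.webapp", fake_fetch, ua))
```

With the constructed server, the same manifest URL passes under the desktop UA and fails under the B2G UA, which is the UA-dependent behaviour the bug describes.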