1168943 - Credentials not forwarded when installing hidden app

Status: RESOLVED WONTFIX

(Marketplace Graveyard :: General, defect)

Description

[(not reading bugmail) Nick Desaulniers [:\n]]

Attachment: 404 Response

Currently, we have a reviewed but unpublished app only available to the team [0].  When we call navigator.mozApps.installPackage, gecko makes an XHR under the hood.  This xhr does not have credentials attached (cookies), so the resulting request fails in a 404, which triggers a MANIFEST_URL_ERROR [1].

[0] https://marketplace.firefox.com/app/saint-seiya-cosmo-cards/
[1] https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#2333

Comment 1

[(not reading bugmail) Nick Desaulniers [:\n]]

I believe this has to do with separate JS contexts.  Cookies added in the content process don't carry over to the chrome process that's performing the installation/xhr.

Comment 2

[(not reading bugmail) Nick Desaulniers [:\n]]

This is while I'm set to a be a viewer.  This leads me to believe that the "Only team members with the following URL can view and install this app:" feature is broken for all packaged apps.  Does marketplace have tests that confirm or deny?

The mini manifest can't be hidden; the code in gecko was not designed to forward credentials when requesting the mini manifest.  It can probably be fixed, but then the code is 18 weeks out from release.

Comment 3

[(not reading bugmail) Nick Desaulniers [:\n]]

Fabrice mentions that we try to build up a credentialed XHR based on the content documents cookies, it's possible that this code is failing?

Comment 4

[Allen Short [:ashort]]

Seems like the only way to deal with this is to put the manifest at a separate unguessable URL for unpublished apps and don't use auth.