Closed Bug 1256598 Opened 6 years ago Closed 5 years ago
Access to the UI tour for addons
58 bytes, text/x-review-board-request
We'd like to be able to open a UITour style window when an add-on is installed through the discovery pane. It should look like this: https://www.dropbox.com/s/gn0uy56xwlu8lau/Screenshot%202016-03-09%2012.58.17.png?dl=0 And this looks like on that already exists in the UITour. The only problem is that its over a custom add-on icon and not on in the UI. But we'll need to be able to have permissions to do that. Currently its set to these domains I think: https://dxr.mozilla.org/mozilla-central/source/browser/app/permissions As per other parts of the discovery pane improvements, we'd need this on addons.mozilla.org and its subdomain services.addons.mozilla.org. Also a flag or permissions to allow it to be run on the test domains so QA can verify this on our dev and stage servers.
For test domains, there is already a preference called "browser.uitour.testingOrigins" that can be set to a comma-separated list of origins that get permission to use UITour, so I think this bug is a 2-liner to add addons.mozilla.org and services.mozilla.org to that permissions file. Reconciling potentially dynamic addon toolbar buttons with the static list of targets that UITour currently supports is a separate (and probably bigger) issue, I'll file a follow-up bug for that.
Review commit: https://reviewboard.mozilla.org/r/40165/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/40165/
Attachment #8730798 - Flags: review?(MattN+bmo)
Comment on attachment 8730798 [details] MozReview Request: Bug 1256598 Give AMO access to UITour r?mattn https://reviewboard.mozilla.org/r/40165/#review37681 Apologies for the delay. I've been busy fixing e10s tests and wanted to have some time to sleep on this to think about potential issues. ::: browser/app/permissions:13 (Diff revision 1) > +origin uitour 1 https://addons.mozilla.org > +origin uitour 1 https://services.addons.mozilla.org Are we actually going to be using both domains for this specific UI? I'll approve this only for the UI specified (showInfo) but if you plan to use this for other purposes (especially any API which can retrieve/store data) please keep me in the loop. I'm assuming that untrusted content (e.g. add-on developer HTML) on AMO won't have any way to run JS on those domains.
Attachment #8730798 - Flags: review?(MattN+bmo) → review+
(In reply to Matthew N. [:MattN] (behind on bugmail) from comment #3) > ::: browser/app/permissions:13 > (Diff revision 1) > > +origin uitour 1 https://addons.mozilla.org > > +origin uitour 1 https://services.addons.mozilla.org > > Are we actually going to be using both domains for this specific UI? Good question, this was derived from andym's comment here: https://bugzilla.mozilla.org/show_bug.cgi?id=1245571#c14 But perhaps Andy or Stuart can confirm. > I'll approve this only for the UI specified (showInfo) but if you plan to > use this for other purposes (especially any API which can retrieve/store > data) please keep me in the loop. There is a separate addon manager api being added concurrently, discussion about that is over on bug 1245571. > I'm assuming that untrusted content (e.g. add-on developer HTML) on AMO > won't have any way to run JS on those domains. That's certainly my understanding, but again Andy or Stuart would be more qualified to comment definitively.
As discussed in the standup we're planning to add a new domain for the new discovery pane which will probably be https://discovery.addons.mozilla.org. Certainly no dynamic user content from addons would be expected to be run there. We should also consider having a separate CDN host for statics (different to our current ones) so the CSP config for this page can be locked down as tight as possible.
Stuart, file a follow-up bug I guess when you finalize the production domains. Meanwhile you can use the browser.uitour.testingOrigins preference setting for testing.
You need to log in before you can comment on or make changes to this bug.