Closed Bug 1256598 Opened 4 years ago Closed 4 years ago

Access to the UI tour for addons.mozilla.org

Categories

(Toolkit :: Add-ons Manager, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: andy+bugzilla, Assigned: aswan)

References

Details

Attachments

(1 file)

We'd like to be able to open a UITour style window when an add-on is installed through the discovery pane. It should look like this:

https://www.dropbox.com/s/gn0uy56xwlu8lau/Screenshot%202016-03-09%2012.58.17.png?dl=0

And this looks like on that already exists in the UITour. The only problem is that its over a custom add-on icon and not on in the UI. But we'll need to be able to have permissions to do that.

Currently its set to these domains I think:

https://dxr.mozilla.org/mozilla-central/source/browser/app/permissions

As per other parts of the discovery pane improvements, we'd need this on addons.mozilla.org and its subdomain services.addons.mozilla.org. Also a flag or permissions to allow it to be run on the test domains so QA can verify this on our dev and stage servers.
For test domains, there is already a preference called "browser.uitour.testingOrigins" that can be set to a comma-separated list of origins that get permission to use UITour, so I think this bug is a 2-liner to add addons.mozilla.org and services.mozilla.org to that permissions file.
Reconciling potentially dynamic addon toolbar buttons with the static list of targets that UITour currently supports is a separate (and probably bigger) issue, I'll file a follow-up bug for that.
Comment on attachment 8730798 [details]
MozReview Request: Bug 1256598 Give AMO access to UITour r?mattn

https://reviewboard.mozilla.org/r/40165/#review37681

Apologies for the delay. I've been busy fixing e10s tests and wanted to have some time to sleep on this to think about potential issues.

::: browser/app/permissions:13
(Diff revision 1)
> +origin	uitour	1	https://addons.mozilla.org
> +origin	uitour	1	https://services.addons.mozilla.org

Are we actually going to be using both domains for this specific UI?

I'll approve this only for the UI specified (showInfo) but if you plan to use this for other purposes (especially any API which can retrieve/store data) please keep me in the loop.

I'm assuming that untrusted content (e.g. add-on developer HTML) on AMO won't have any way to run JS on those domains.
Attachment #8730798 - Flags: review?(MattN+bmo) → review+
(In reply to Matthew N. [:MattN] (behind on bugmail) from comment #3)
> ::: browser/app/permissions:13
> (Diff revision 1)
> > +origin	uitour	1	https://addons.mozilla.org
> > +origin	uitour	1	https://services.addons.mozilla.org
> 
> Are we actually going to be using both domains for this specific UI?

Good question, this was derived from andym's comment here: https://bugzilla.mozilla.org/show_bug.cgi?id=1245571#c14  But perhaps Andy or Stuart can confirm.

> I'll approve this only for the UI specified (showInfo) but if you plan to
> use this for other purposes (especially any API which can retrieve/store
> data) please keep me in the loop.

There is a separate addon manager api being added concurrently, discussion about that is over on bug 1245571.

> I'm assuming that untrusted content (e.g. add-on developer HTML) on AMO
> won't have any way to run JS on those domains.

That's certainly my understanding, but again Andy or Stuart would be more qualified to comment definitively.
Flags: needinfo?(scolville)
Flags: needinfo?(amckay)
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/e08d7dcc4a60
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
As discussed in the standup we're planning to add a new domain for the new discovery pane which will probably be https://discovery.addons.mozilla.org.

Certainly no dynamic user content from addons would be expected to be run there. We should also consider having a separate CDN host for statics (different to our current ones) so the CSP config for this page can be locked down as tight as possible.
Flags: needinfo?(scolville)
Stuart, file a follow-up bug I guess when you finalize the production domains.  Meanwhile you can use the browser.uitour.testingOrigins preference setting for testing.
Flags: needinfo?(amckay)
You need to log in before you can comment on or make changes to this bug.