Bug 724035 - find a secure way to relax the restriction on webapp launch_path GET args
Status: RESOLVED WORKSFORME
Product: Core
Classification: Components
Component: DOM
Assigned To: Nobody; OK to take it and work on it
: Andrew Overholt [:overholt]
Blocks: 746465
Reported: 2012-02-03 10:52 PST by Bill Walker [:bwalker] [@wfwalker]
Modified: 2013-04-04 13:53 PDT

Description Bill Walker [:bwalker] [@wfwalker] 2012-02-03 10:52:55 PST
At present, GET args in a launch_path are removed prior to being used to launch the App. We should explore whether it is possible to relax this restriction without introducing new security risks.

For example -- if we relax this restriction, an App developer could submit different manifests to different App stores that differ only by a GET arg; this would allow them to distinguish which App Store led to a given installation.
Comment 1 Ian Bicking (:ianb) 2012-02-03 10:56:31 PST
I think it must be a bug that this is being removed; nothing we've ever discussed would preclude GET args.
Comment 2 Ian Bicking (:ianb) 2012-06-08 14:16:37 PDT
Tested here, and I cannot reproduce any problem with a query string: http://app1.ianbicking.org/?manifest=manifest-get.webapp

Installation works, and app.launch() starts the app with the query string.
