Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 724035 - find a secure way to relax the restriction on webapp launch_path GET args
: find a secure way to relax the restriction on webapp launch_path GET args
Product: Core
Classification: Components
Component: DOM (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Andrew Overholt [:overholt]
Depends on:
Blocks: 746465
  Show dependency treegraph
Reported: 2012-02-03 10:52 PST by Bill Walker [:bwalker] [@wfwalker]
Modified: 2013-04-04 13:53 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Bill Walker [:bwalker] [@wfwalker] 2012-02-03 10:52:55 PST
at present, GET args in a launch_path are removed prior to being used to launch the App. We should explore whether it is possible to relax this restriction without introducing new security risks.

For example -- If we relax this restriction, an App developer could submit different manifests to different App stores that differ only by a GET arg; this would allow them to distinguish which App Store lead to a given installation.
Comment 1 Ian Bicking (:ianb) 2012-02-03 10:56:31 PST
I think it must be a bug that this is being removed; nothing we've ever discussed would preclude GET args.
Comment 2 Ian Bicking (:ianb) 2012-06-08 14:16:37 PDT
Tested here, and I cannot reproduce any problem with a query string:

Installation works, and app.launch() starts the app with the query string.

Note You need to log in before you can comment on or make changes to this bug.