Closed Bug 741490 Opened 12 years ago Closed 6 years ago

myapps.mozillalabs.com needs permission to access navigator.mozApps.mgmt

Categories

(Core Graveyard :: DOM: Apps, defect)

Product:
Core Graveyard
Component:
DOM: Apps
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox13-, firefox14-)

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox13 - ---
firefox14 - ---

People

(Reporter: ianbicking, Assigned: fabrice)

References

Details

Attachments

(1 file, 1 obsolete file)

updated patch
818 bytes, patch
Gavin
: review-
Details | Diff | Splinter Review 
Right now the myapps dashboard cannot access the navigator.mozApps.mgmt functions without the user putting a setting into about:config (on B2G I believe the homepage is whitelisted for access to the mgmt functions).  We need a reasonable way for the dashboard to get access to these APIs.  This could be a doorhanger permission dialog.
Note - This is blocking the marketplace beta release.
Component: General → DOM: Mozilla Extensions
Product: Web Apps → Core
QA Contact: general → general
Whiteboard: [mozappsapi]
Whiteboard: [mozappsapi] → [mozApps API 1.0]
Whiteboard: [mozApps API 1.0] → [mozApps API 1.0] [marketplace-beta?]
Blocks: 738816
Fabrice - Could you fix this bug? Or is there somebody else you would suggest fixing this?
I can fix it if we're sure which url we want to whitelist
Bill - What URL do we want to whitelist to allow app management? I know the myapps.mozillalabs.com URL will go away soon, in which it will change over to apps.persona.org.
It will be https://apps.persona.org - can we just add both?
General question - Why is whitelisting being used in the first place? Do we really need it?
How will other marketplaces get themselves added to the whitelist ? 

-david
The whitelist is more of a short-term solution; we should also have some kind of permission dialog to accomplish the same thing.
Fabrice - Since the dashboard is hosted on myapps.mozillalabs.com right now, let's go with that for now. When the dashboard location changes, let's then file a new bug to change the whitelist to that new location (apps.persona.org). Do you agree?
Assignee: nobody → fabrice
Attached patch patch (obsolete) — Splinter Review 

        Attachment #614823 -
        Flags: review?(felipc)

    
    

    
  
We should add https://apps.persona.org – we're planning on switching to that URL in the next couple weeks, and we're certain of the URL.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        updated patchSplinter Review
      

    


  
Added https://apps.persona.org per Ian comment.

        Attachment #614823 -
        Attachment is obsolete: true

        Attachment #614823 -
        Flags: review?(felipc)

        Attachment #614826 -
        Flags: review?(felipc)

    
    

    
  
Comment on attachment 614826 [details] [diff] [review]
updated patch

as this is whitelist stuff, I prefer to let gavin do the review here

        Attachment #614826 -
        Flags: review?(felipc) → review?(gavin.sharp)

    
    

    
  
Comment on attachment 614826 [details] [diff] [review]
updated patch

The current whitelist implementation seems to have a couple of problems:
- it uses the permission manager, which only distinguishes hosts, not origins (scheme+host+port). This means that the "https" in these whitelist entries is ignored, and is potentially misleading. If these sites were to be MiTMed, someone would be able to hijack app management, right? You might as well just include "myapps.mozillalabs.com" and have the whitelist pref parsing code just stick in an "http://". This problem also affects our current XPInstall whitelists, but that seems less critical since it only affects the ability to _prompt_ for an install, rather than granting actual permissions.
- it installs the permission entries every time the component is initialized, rather than only once. This means that users can't revoke permissions for these domains. But I guess there's no UI for that anyways?

The first issue seems like something we need to address before adding any whitelist entries, unless I've misunderstood the permissions being granted here.

        Attachment #614826 -
        Flags: review?(gavin.sharp) → review-

    
    

    
  
Need to reevaluate and ask this question again - Does this bug block the marketplace beta release?

    
    

    
  
I believe it is, we don't have a usable dashboard without it, and in effect the navigator.mozApps.mgmt APIs are unusable.
Whiteboard: [mozApps API 1.0] [marketplace-beta?] → [mozApps API 1.0] [marketplace-beta]
Blocks: 746465
Whiteboard: [mozApps API 1.0] [marketplace-beta] → [marketplace-beta]
Whiteboard: [marketplace-beta] → [marketplace-beta]

    
    

    
  
This code is active in FF 13 right now since the doorhanger code has not been pulled out yet out of FF 13 (tracked in a separate bug). Until the doorhanger code is pulled, this needs to be fixed asap and uplifted.

          tracking-firefox14:
          --- → ?
Whiteboard: [marketplace-beta] → [marketplace-beta?]

    
    

    
  
No need to track for Firefox 13 since we're already tracking bug 741415.

          tracking-firefox13:
          ?-

          tracking-firefox14:
          ?+

    
    

    
  
The fallback dashboard for FF14 for the end users is My Purchases in the Marketplace, so not a blocker.
Whiteboard: [marketplace-beta?]

    
    

    
  
Does marketplace.mozilla.org need to be whitelisted as well?

    
    

    
  
Marketplace doesn't need to be on the whitelist, it only uses APIs that do not require special permissions (stores can query the apps installed by the store itself without special permissions)

    
    

    
  
After some discussion, apps.persona.org will not be hosting the interface only the polyfill.  https://persona.org will host the actual dashboard, which is what needs access to navigator.mozApps.mgmt

    
    

    
  
Is or will there be progress on this bug?  After the last patch was rejected I'm not sure we have a plan to move forward?

    
    

    
  
[Triage Comment]
Removing tracking as it seems there is not an urgent need for this in 14, please re-nominate if that changes.

          tracking-firefox14:
          +-
No longer blocks: 738816
No longer blocks: 746465
Component: DOM: Mozilla Extensions → DOM: Apps
Depends on: 745046

    
  
Product: Core → Core Graveyard

    
    

    
  
Core Graveyard / DOM: Apps is inactive. Closing all bugs in this component.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: