Closed Bug 747252 Opened 12 years ago Closed 12 years ago

[Marketplace] Require 'installs_allowed_from' of uploaded manifests to match SITE_URL

Categories

(Marketplace Graveyard :: Validation, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX
2012-05-17

People

(Reporter: vince.librandi, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:14.0) Gecko/20120418 Firefox/14.0a1
Build ID: 20120418052015

Steps to reproduce:

After clicking the install button for the SeeVan's Underworld Adventure App 


Actual results:

A dialog appears with the following error message:

App installation not allowed.

Also no method is displayed to exit the error dialog without closing the page.


Expected results:

App should have installed
Status: NEW → RESOLVED
Closed: 12 years ago
Component: General → Public Pages
Product: Web Apps → addons.mozilla.org
QA Contact: general → web-ui
Resolution: --- → DUPLICATE
When an error appears in a lightbox like this that's an error from.

"App install not allowed" is an error from `navigator.mozApps.install` for the 'DENIED' error code. (https://github.com/mozilla/zamboni/blob/master/media/js/mkt/buttons.js)

Presumably, the 'DENIED' code is due to incorrect values set for `installs_allowed_from`. I'm not sure - can someone chime in?

The manifest URL: http://dekkostudios.com/private/steamcube.webapp
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(In reply to Chris Van Wiemeersch [:cvan] from comment #2)
> When an error appears in a lightbox like this that's an error from.
> 
> "App install not allowed" is an error from `navigator.mozApps.install` for
> the 'DENIED' error code.
> (https://github.com/mozilla/zamboni/blob/master/media/js/mkt/buttons.js)
> 
> Presumably, the 'DENIED' code is due to incorrect values set for
> `installs_allowed_from`. I'm not sure - can someone chime in?

"installs_allowed_from": ["*"] <--- this is what is set in this manifest. Weird, 'cause that says app installs are allowed anywhere.

> 
> The manifest URL: http://dekkostudios.com/private/steamcube.webapp

David Clarke or Ian Bicking - Any ideas?
Note - This could be a problem either with native install or the mozapps API. We need to narrow down the problem.
I cannot reproduce on Nightly or HTML polyfill.  Perhaps this is the installation confirmation error we've been seeing on Windows: Bug 746629 ?
Also, saw this happen with Boston Globe on win 7 64-bit.
This happens on a mac as well
Not getting a reproduction of this issue with the app specified in the URL, but comment 6 is still valid on the current nightly build.
Tested on FF 12 and Chrome. I don't see the error occur, but I see bug 747010 occur instead.
Re-tested Boston Globe on Nightly as well. Still seeing the error come up (looks like you can't dismiss dialog when the error appears, is there a bug tracking this issue?). Don't see anything in the error console either.
Built a test page to test this referencing the manifest directly. I also cannot install Boston Globe with the test page. Confirmed this isn't a marketplace issue.
Component: Public Pages → Web Apps
Product: addons.mozilla.org → Firefox
QA Contact: web-ui → webapps
Version: unspecified → 14 Branch
Note - We should check the MIME type of the webapp manifest Boston Globe is serving.
Boston Globe also does not work in FF 12 with the webapps HTML implementation. I don't think this is a problem in native installation. Sounds like an issue (either on the developer's side or ours) involving the mozapps API.
Keywords: qawanted
Component: Web Apps → General
Product: Firefox → Web Apps
QA Contact: webapps → general
Version: 14 Branch → unspecified
Moved to web apps general, until we figure out where the root cause of the problem is within the mozapps API.
Whiteboard: [topapps]
(In reply to Jason Smith from comment #12)
> Note - We should check the MIME type of the webapp manifest Boston Globe is
> serving.

%% curl -I http://www.bostonglobe.com/mozilla-webapp/bostonglobe_manifest.webapp
HTTP/1.1 200 OK
Date: Sun, 22 Apr 2012 17:51:21 GMT
Last-Modified: Fri, 13 Apr 2012 02:32:11 GMT
ETag: "10b2bda4d-2ea-4bd8647a05e9f"
Accept-Ranges: bytes
Content-Length: 746
Cache-Control: max-age=3600
Expires: Sun, 22 Apr 2012 18:51:21 GMT
Served-By: auberon
Content-Type: application/x-web-app-manifest+json
Connection: close
Server: BostonGlobe.com Frontend
I figured out the problem:

  "installs_allowed_from": [
    "https://marketplace.mozilla.org",
    "http://www.bostonglobe.com/",
    "https://www.bostonglobe.com/",
    "http://bostonglobe.com/",
    "https://bostonglobe.com/",
    "http://c.o0bg.com/"
  ],

This does not list marketplace dev as an appropriate server to install applications from. My local copy also was not listed as a place you could install apps from.
Keywords: qawanted
Checking the marketplace dev validator, it looks like that manifest was allowed to be submitted (http://www.bostonglobe.com/mozilla-webapp/bostonglobe_manifest.webapp), even though marketplace dev is a server not allowed for app installations.
(In reply to Jason Smith from comment #17)
> Checking the marketplace dev validator, it looks like that manifest was
> allowed to be submitted
> (http://www.bostonglobe.com/mozilla-webapp/bostonglobe_manifest.webapp),
> even though marketplace dev is a server not allowed for app installations.

Ah, so the marketplace validator only checks for marketplace.mozilla.org to exist (which it does exist in the Boston Globe manifest), but this also occurs on marketplace dev (marketplace dev checks that marketplace.mozilla.org exists, even though this is not correct). Sounds like a configuration problem on the marketplace dev deployment side for the validator. Also, sounds like a problem with error messages (we should be getting something to the JS error console when this occurs, but nothing happened).

Someone from Marketplace - How would you like to resolve this issue, given that I think it's marketplace dev specific (the validator checks the incorrect URL for marketplace dev, but this won't happen on production)?

Someone from mozapps API - Should we open a bug to track improving error messages for this issue? Thoughts?
(In reply to Jason Smith from comment #18)
> Someone from Marketplace - How would you like to resolve this issue, given
> that I think it's marketplace dev specific (the validator checks the
> incorrect URL for marketplace dev, but this won't happen on production)

I've opened up a pull request for this: https://github.com/mozilla/amo-validator/pull/141

We should be checking that 'https://marketplace-dev.allizom.org' or '*' are values in `installs_allowed_from` if we're on -dev. And similarly for staging and production.
Jorge: Can you give an opinion on this?
(In reply to Chris Van Wiemeersch [:cvan] from comment #19)
> We should be checking that 'https://marketplace-dev.allizom.org' or '*' are
> values in `installs_allowed_from` if we're on -dev.

That sounds good to me.

> And similarly for staging and production.

If that means "We should be checking that 'https://marketplace.mozilla.org' or '*' are values in `installs_allowed_from` if we're on prod", then I agree.

FYI, Andrew is working on the review policies for apps, so I'm adding him on the loop.
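
The check discussed in the comments above (the store's own origin, or '*', must appear in `installs_allowed_from` for the deployment doing the validation), as an added example that is not code from this bug or from amo-validator. The function names are hypothetical, and treating a missing field like ["*"] is an assumption; the origins and the manifest list are the ones quoted in this thread.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
PROD = "https://marketplace.mozilla.org"
DEV = "https://marketplace-dev.allizom.org"

# installs_allowed_from list quoted in the thread for the Boston Globe manifest.
BOSTON_GLOBE = {"installs_allowed_from": [
    "https://marketplace.mozilla.org", "http://www.bostonglobe.com/",
    "https://www.bostonglobe.com/", "http://bostonglobe.com/",
    "https://bostonglobe.com/", "http://c.o0bg.com/"]}


def origin(url):
    """Reduce a URL to (scheme, host, port) so that case, paths, trailing
    slashes and default ports do not affect the comparison."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) origin")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]


def check_installs_allowed_from(manifest, site_url):
    """Return error strings; an empty list means site_url may install the app."""
    # Assumption: a manifest without the field is treated like ["*"].
    allowed = manifest.get("installs_allowed_from", ["*"])
    if not isinstance(allowed, list) or not allowed:
        return ["installs_allowed_from must be a non-empty list"]
    if "*" in allowed:
        return []
    want, matched, errors = origin(site_url), False, []
    for entry in allowed:
        try:
            if origin(entry) == want:
                matched = True
        except (ValueError, AttributeError):
            errors.append("invalid origin in installs_allowed_from: %r" % (entry,))
    if not matched:
        errors.append("%s is not listed in installs_allowed_from" % site_url)
    return errors


if __name__ == "__main__":
    for site in (PROD, DEV):
        print(site, "->", check_installs_allowed_from(BOSTON_GLOBE, site) or "ok")
```

Comparing parsed origins rather than raw strings means an entry with a trailing slash or explicit default port still matches, while a hostname that merely starts with the store's name does not.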
See Also: → 744867
I've seen this error present with apps in production that specify ["*"] as allowed.
(In reply to Justin Scott [:fligtar] from comment #22)
> I've seen this error present with apps in production that specify ["*"] as
> allowed.

Could you point out which apps have this problem?
(In reply to Justin Scott [:fligtar] from comment #24)
> Please try it with this manifest:
> http://app-6-mwa-vc-as-en.jocly.com/jocly.webapp

Tested that with my local app install page. I was successfully able to install the app in Nightly on Win 7 64-bit.
Does this bug need to remain open at this point, given that we know the problem was on marketplace dev configuration (it allows apps that do not have marketplace dev configured)? Other issues could be marked in different bugs (trying to narrow down this bug scope to the root cause). Thoughts?
It sounds like we should leave this open but make it a Marketplace bug, since we need a bug to track resolution of the problem in the Marketplace code.
Component: General → Public Pages
Product: Web Apps → addons.mozilla.org
QA Contact: general → web-ui
Target Milestone: --- → 6.5.2
Assignee: nobody → cvan
Summary: When installing a Web App from the market place: App Installation not allowed → [Marketplace] Require 'installs_allowed_from' of uploaded manifests to match SITE_URL
This should be behind a waffle switch.
Whiteboard: [topapps]
Target Milestone: 6.5.2 → 6.5.4
Assignee: cvan → nobody
Component: Public Pages → Validation
Product: addons.mozilla.org → Marketplace
QA Contact: web-ui → validation
Target Milestone: 2012-05-10 → 2012-05-17
Version: unspecified → 1.0
I've filed bug 755495 with the next steps for adjusting the validator.  This bug has changed focus and there's no need to complicate the change with 28 other comments.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX