Closed Bug 778214 Opened 13 years ago Closed 13 years ago

Remove content-type restriction on manifests

Categories

(Marketplace Graveyard :: Developer Pages, defect)

Product:
Marketplace Graveyard
Component:
Developer Pages
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX
Milestone:
2012-10-18

People

(Reporter: eviljeff, Unassigned)

Details

Firefox itself doesn't enforce the restriction that manifests be served with the content type application/x-web-app-manifest+json so why should Marketplace? Lets remove it!
My impression was that the apps team felt that this was a security mechanism. It stops people using other peoples manifests. Personally I've never agreed with that and think we need a stronger mechanism. But that's the reason it's there.
I'm not really sure how its a security measure unless we only want to stop people who can't setup a server. Or why we'd even care particularly if someone used someone else's manifest (use it for what without the content?). Besides, if the apps team are so insistent then they should get it implemented in Firefox instead :P
Rovio will care when I take Angry Birds, stick it on the marketplace and sell it for $10 a shot. Even better they can't upload it themselves because we block multiple apps from the same domain. If I was smart I would just spider sites finding manifests and just upload them to the marketplace, making money, blocking the authors from using them... I'm not saying the solution was correct, just the intention.
That's a valid concern but requiring the correct content type only stops the scenario where there is a manifest on their server, with the correct "installs_allowed_from" and all the other required fields but for some reason isn't served with application/x-web-app-manifest+json. If Rovio are going around leaving a manifest like that on their server then its their fault and they should either remove the manifest or set installs_allowed_from.
It doesn't do much for security but if we're going to ignore it we should just get the spec changed.
Assignee: nobody → cvan
Target Milestone: --- → 2012-08-23
https://github.com/mozilla/zamboni/commit/35ce8e5
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Summary: Remove content type restriction on manifests → Remove content-type restriction on manifests
Keywords: dev-doc-needed
I checked with http://playbiolab.com/manifest.webapp http://gauth.gbraad.nl/manifest.webapp http://warzone-tower-defense-extended.brasukagames.com.br/warzone-tower-defense-extended/warzone-tower-defense-extended.webapp http://greattuneplayer.jit.su/manifest.webapp All these apps were flagged to the re-review queue because of content type and now pass validation without any issues.
Status: RESOLVED → VERIFIED
The Content-Type requirement is in place to prevent sites that allows user-hosted content from being able to masquerade as apps for the whole domain. Consider for instance, a manifest uploaded to Dropbox or Google Docs accessible from a public URL. The ability to specify the Content-Type header is the only way in which we can prove that the person submitting the URL of the manifest also "owns" the domain. I strongly urge you to backout this change. The spec still requires the Content-Type header to be served, and if we are to remove it, we'll need a compelling reason and prior discussion on the mailing list. You're right that Firefox isn't checking the header, but that's a bug, and we should fix it :)
As a gentle reminder, in the future, it would be better to discuss sweeping architectural changes like this on dev.webapps prior to actually implementing them!
(In reply to Anant Narayanan [:anant] from comment #8) > You're right that Firefox isn't checking the header, but that's a bug, and > we should fix it :) That where the spec needs to be enforced - in Firefox. That way it could cover installs from websites and rival App stores. (In reply to Anant Narayanan [:anant] from comment #9) > As a gentle reminder, in the future, it would be better to discuss sweeping > architectural changes like this on dev.webapps prior to actually > implementing them! Its hardly a sweeping architectural change - its one validator check being removed. It can easily be put back in when its needed, i.e. when Firefox enforces the requirement.
Anant is right, we should back this out. It's misleading to developers if we let them upload a manifest without the right headers only for them to discover their app is not installable (once the Firefox bug is fixed). If we get consensus from the community to remove the header restriction across the whole apps platform then we could reapply the patch.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
(In reply to Andrew Williamson [:eviljeff] from comment #10) > (In reply to Anant Narayanan [:anant] from comment #9) > > As a gentle reminder, in the future, it would be better to discuss sweeping > > architectural changes like this on dev.webapps prior to actually > > implementing them! > > Its hardly a sweeping architectural change - its one validator check being > removed. It can easily be put back in when its needed, i.e. when Firefox > enforces the requirement. Sorry, I misunderstood this as a proposal to remove the requirement entirely, but it is now clear to me that it's more about keeping the Marketplace validator consistent with what Firefox does. I think that's a great goal in general, but we should be moving towards more compliance, not less, which in this case means adding the check in Firefox instead of removing it from the Marketplace. Bug 741526 was a filed a while ago, but has somehow slipped through the cracks. I'll see if we can get it back on track. Bug 712045 discusses the possibility of removing this requirement safely, but until that bug has been resolved, we should enforce this requirement both at the Marketplace and Firefox.
Target Milestone: 2012-08-23 → 2012-09-06
Sure thing. Reverted: https://github.com/mozilla/zamboni/commit/17bc34e
Assignee: cvan → nobody
Target Milestone: 2012-09-06 → ---
If the spec is ever changed, this bug should be reopened.
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → WONTFIX
Target Milestone: --- → 2012-10-18
To confirm: the content-type is not enforced my the marketplace AND Firefox to be application/x-web-app-manifest+json ? I know the validator checks for this, but my manifest was originally published before this time and now seems the be having issues during deployment from the marketplace: http://gauth.apps.gbraad.nl/manifest.webapp I have changed my mimetypes, but my CDN seems to be hijacking the type and forces the old format (excluding the x-).
(In reply to Gerard Braad from comment #15) > To confirm: the content-type is not enforced my the marketplace AND Firefox > to be application/x-web-app-manifest+json ? No, the opposite. The content-type IS enforced by Marketplace and Firefox. > I know the validator checks for > this, but my manifest was originally published before this time and now > seems the be having issues during deployment from the marketplace: > http://gauth.apps.gbraad.nl/manifest.webapp I have changed my mimetypes, but > my CDN seems to be hijacking the type and forces the old format (excluding > the x-). It may have originally been published before that time but we went through and removed all non-compliant manifests from Marketplace about 18 months ago ago, after Firefox started enforcing it.
You need to log in before you can comment on or make changes to this bug.