Add support for multiple apps per origin in marketplace

RESOLVED FIXED

Status

Marketplace
General
P5
enhancement
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: jsmith, Unassigned)

Tracking

Points:
---

Details

(Whiteboard: [blocked on decision])

(Reporter)

Description

6 years ago
In bug 775847, the proposal has been put out to add support for installling of multiple apps off of the same origin in the DOM registry for the mozapps API. This bug aims to provide the implementation to support installing of multiple apps off of the same origin in the marketplace implementation. Steps to figure this out include:

- Identify any implementation areas that assume the one app per origin rule
- Identifying any UI exposure areas that establish a mentality for one app per origin that may need to be changed
- Implementing those said pieces needed to allow for multiple apps per origin
(Reporter)

Updated

6 years ago
Depends on: 775847, 778277, 778279
CCing some folks for comment.  Are there any areas here that we'd need to change in the marketplace?

Comment 2

6 years ago
All of the code for one-app-per-domain is behind the "webapps-unique-by-domain" waffle. Simply turning that switch off will disable the policy, and subsequently grepping for that string and removing all of the code behind the switches will remove it entirely.

Comment 3

6 years ago
The single app per domain was given to me as another security measure. Does relaxing this mean that we have to implement anything else?
Raymond:  Is there anything else we need to consider here?
Flags: needinfo?(rforbes)
This feature was deprioritized and is not on our current roadmap for V1 FFOS or Marketplace Q4. Who put out the proposal Jason is refers to?

Has product management provided user stories and a prioritization into our Q4 workload?
(Reporter)

Comment 6

6 years ago
(In reply to Caitlin Galimidi from comment #5)
> This feature was deprioritized and is not on our current roadmap for V1 FFOS
> or Marketplace Q4. Who put out the proposal Jason is refers to?

Oh, that's the proposal that started the whole conversation for multiple apps per origin by Mounir before the apps work week even happened. To my understanding, I haven't heard any new proposals though.

I agree we should be keeping this feature low priority on the radar, as there's a lot of other more important things to focus on right now.
Severity: normal → enhancement
Priority: -- → P5
Whiteboard: [blocked on decision]
This is indeed probably not important for v1 but I think it would be a very bad decision to consider this cosmetic and optional. If you are an independent developer and want to push more than one app to Mozilla^WFirefox Marketplace, you will have to create sub-domains for each of the apps. This is an overhead. Not the end of the world but we should make creating app as easy as possible and that kind of completely artificial and not justified overhead should be avoided as long as we can.

Please, consider putting this on your Q1 roadmap.
(In reply to Mounir Lamouri (:mounir) from comment #7)
> This is indeed probably not important for v1 but I think it would be a very
> bad decision to consider this cosmetic and optional. If you are an
> independent developer and want to push more than one app to Mozilla^WFirefox
> Marketplace, you will have to create sub-domains for each of the apps. This
> is an overhead. Not the end of the world but we should make creating app as
> easy as possible and that kind of completely artificial and not justified
> overhead should be avoided as long as we can.
> 
> Please, consider putting this on your Q1 roadmap.

This bug is just the Marketplace implementation (which, from the other comments, might be just as trivial as switching a waffle flag).  Its blocked on platform bugs so that's where the decision and work needs to be really.
(In reply to Mounir Lamouri (:mounir) from comment #7)
> This is indeed probably not important for v1 but I think it would be a very
> bad decision to consider this cosmetic and optional. If you are an
> independent developer and want to push more than one app to Mozilla^WFirefox
> Marketplace, you will have to create sub-domains for each of the apps. This
> is an overhead. Not the end of the world but we should make creating app as
> easy as possible and that kind of completely artificial and not justified
> overhead should be avoided as long as we can.

Mounir,

As you can see over in the bug 775847 conversation, this topic has big implications for the entire ecosystem, client and server code alike. That's why I lobbied not to include it in the first b2g release.

Thinking about subsequent versions of the ecosystem, I'm more worried than ever. I know the following argument isn't fully baked, but here's what I'm worried about:

Even if we did let developers publish multiple Apps per domain, those Apps are completely isolated from one another -- won't developers be frustrated when those Apps can't share cookies at all?

I presume we fix that through some sharing of cookies across Apps. And once we do that, I predict the classic notion of isolating web content by domains will be as important as it has always been.

Hoping this makes sense,
-Bill
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #9)
> As you can see over in the bug 775847 conversation, this topic has big
> implications for the entire ecosystem, client and server code alike. That's
> why I lobbied not to include it in the first b2g release.

I'm not sure I see what are the exact implications this has. Except work to do on the Mozilla side.

> Even if we did let developers publish multiple Apps per domain, those Apps
> are completely isolated from one another -- won't developers be frustrated
> when those Apps can't share cookies at all?

I don't know much about cookies but I would say developers can set cookies for the domain which means this is already something they might try to do but will not be able to.
Anyway, that's not a good reason to not remove this one-app-per-origin restriction. The fact that there are isolation in app is something developers will have to accept. It will apply for everything (permissions, IndexedDB, localstorage, appcache, cookies).
Also, I think it is better to frustrate developers because they can't do stuff for security reasons than frustrating them because we have added arbitrary restrictions.

> I presume we fix that through some sharing of cookies across Apps. And once
> we do that, I predict the classic notion of isolating web content by domains
> will be as important as it has always been.

To allow sharing cookies across apps, one will have to come with very strong use cases because as I see it, it will make user tracking way more easier and we don't want that...
(Reporter)

Updated

5 years ago
No longer depends on: 775847, 778279
(Reporter)

Updated

5 years ago
Blocks: 778277
No longer depends on: 778277
(Reporter)

Updated

5 years ago
No longer blocks: 778277
Depends on: 778277

Comment 11

5 years ago
Closing this as FIXED since we support multiple apps per origin. The platform doesn't support it, but we're ready whenever it is (the restrictions can be turned off by disabling a waffle flag).

Please file a new bug when the platform is ready for us to disable our OAPO restrictions and test the platform's support.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(rforbes)
Resolution: --- → FIXED
Will Marketplace need an alternative check to ensure the exact same manifest url isn't submitted more than once?
Flags: needinfo?(mattbasta)

Comment 13

5 years ago
There's code that checks for duplicates, I'm not sure where or how it's used though:

https://github.com/mozilla/zamboni/blob/master/mkt/developers/forms.py#L165

cvan would know better than I do.
Flags: needinfo?(mattbasta)
You need to log in before you can comment on or make changes to this bug.