When installing an app, show the origin of the app in the confirmation prompt

VERIFIED FIXED in Firefox 23

Status

Firefox for Android
Web Apps
P1
normal
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: jsmith, Assigned: mhaigh)

Tracking

({sec-want})

18 Branch
Firefox 23
ARM
Android
sec-want
Points:
---

Firefox Tracking Flags

(firefox23 verified, fennec+)

Details

(Whiteboard: [blocking-webrtandroid1-] A4A [packagedapps])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Right now when you try to install a web application, we just show a simple pop-up to confirm installing the application. For security reasons, we should provide a bit more context of where the app is being installed from (i.e. the origin), as that establishes more trust to the user that they know what they are installing. We have implemented this support for desktop and ff os, so we might want to do the same for Android.
(Reporter)

Updated

5 years ago
Priority: -- → P1
(Reporter)

Updated

5 years ago
Whiteboard: [blocking-webrtandroid1-]
(Reporter)

Comment 1

4 years ago
Might be worth tracking - the origin is important to show when installing an app as it gives the user context to where the app is being installed from. It also establishes parity with desktop and b2g.
tracking-fennec: --- → ?
tracking-fennec: ? → +
(Reporter)

Comment 2

4 years ago
Per talking in the sec-review for b2g app updates, the b2g equivalent was claimed to be a sec-want, especially for packaged app installs. I'm adding the keyword here for the same reason. And also noming for tracking given that security wants this as a safety measure.
Keywords: sec-want
Whiteboard: [blocking-webrtandroid1-] → [blocking-webrtandroid1-] A4A?
(Reporter)

Comment 3

4 years ago
(In reply to Jason Smith [:jsmith] from comment #2)
> Per talking in the sec-review for b2g app updates, the b2g equivalent was
> claimed to be a sec-want, especially for packaged app installs. I'm adding
> the keyword here for the same reason. And also noming for tracking given
> that security wants this as a safety measure.

See bug 827562 for context.
Whiteboard: [blocking-webrtandroid1-] A4A? → [blocking-webrtandroid1-] A4A
(Assignee)

Updated

4 years ago
Assignee: nobody → mhaigh
Triage comment: this is for hosted apps to start with.
Triage comment redux: we should likely have the same behavior for hosted and for packaged, the difference should be transparent to the user.
(Reporter)

Comment 6

4 years ago
(In reply to Erin Lancaster [:elancaster] from comment #5)
> Triage comment redux: we should likely have the same behavior for hosted and
> for packaged, the difference should be transparent to the user.

No, this is definitely what you should not do with packaged apps. A packaged app has no concept of an app origin - it derives itself from an app:// URL. In the case of a packaged app, you should indicate the trusted store that the app is being installed from.
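
The rule argued for in comment 6, as an added example that is not code from this bug's patch or from Firefox: a hosted app shows its own web origin, while a packaged app (whose origin is an `app://` URL) shows the site it is being installed from. The app record fields (`origin`, `installOrigin`, `manifestName`, `packaged`) and all function names are assumptions for illustration.

```javascript
// Added example: build the text of an install confirmation prompt.
// The app record shape is hypothetical, not Firefox's internal structure.

// Reduce a URL to scheme://host[:port]; return null unless it is http(s).
function webOrigin(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin; // host is serialized as ASCII/punycode, exposing look-alike IDNs
}

// Collapse control characters and line breaks so a manifest-supplied name
// cannot add extra lines to the prompt, and cap its length.
function displayName(name) {
  const clean = String(name || "")
    .replace(/[\u0000-\u001f\u007f\u2028\u2029]+/g, " ")
    .trim();
  return clean.length > 64 ? clean.slice(0, 63) + "\u2026" : clean;
}

function installPromptText(app) {
  // Hosted: show the app's own origin. Packaged: app.origin is app://...,
  // so show where the package is being installed from instead.
  const source = app.packaged ? webOrigin(app.installOrigin)
                              : webOrigin(app.origin);
  if (source === null) return null; // no displayable source: do not prompt
  const name = displayName(app.manifestName) || source;
  return "Install \"" + name + "\"?\nFrom: " + source;
}

// Constructed sample records (example.com / example.org are placeholders).
const hostedApp = { origin: "https://apps.example.com/notes/index.html",
                    manifestName: "Notes", packaged: false };
const packagedApp = { origin: "app://a1b2c3",
                      installOrigin: "https://store.example.org/listing/42",
                      manifestName: "Notes\nFrom: https://bank.example",
                      packaged: true };
```

The packaged sample carries a name with an embedded line break that imitates a source line; after cleaning, the prompt still contains exactly one labelled "From:" line on its own row.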
(Assignee)

Updated

4 years ago
Depends on: 813736
(Assignee)

Comment 7

4 years ago
Created attachment 735316 [details] [diff] [review]
Adding app origin to install dialog

Added app origin to install dialog
Attachment #735316 - Flags: review?(mark.finkle)
(Reporter)

Comment 8

4 years ago
Comment on attachment 735316 [details] [diff] [review]
Adding app origin to install dialog

Review of attachment 735316 [details] [diff] [review]:
-----------------------------------------------------------------

::: mobile/android/chrome/content/browser.js
@@ +6023,5 @@
>      let manifest = new ManifestHelper(jsonManifest, aData.app.origin);
>      let name = manifest.name ? manifest.name : manifest.fullLaunchPath();
>      let showPrompt = true;
>  
> +    if (!showPrompt || Services.prompt.confirm(null, Strings.browser.GetStringFromName("webapps.installTitle"), name + "\n" + aData.app.origin)) {
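
Review bot: On the added `Services.prompt.confirm(...)` line, the message is built as `name + "\n" + aData.app.origin`, so the origin appears as an unlabelled second line directly under a string taken from the manifest. `name` is `manifest.name`, or `manifest.fullLaunchPath()` as the fallback, so the first line can itself look like a URL or contain a line break, and the user then has no way to tell which line is the origin being vouched for. Suggest moving the message into a localized format string that labels the origin explicitly, with placeholders for the name and the origin, and collapsing line breaks in `name` before display. `showPrompt` is also initialised to `true` immediately above, so within the visible lines the `!showPrompt` branch can never be taken; if it is set elsewhere, a short comment saying when the prompt is skipped would help.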

A packaged app doesn't have a concept of an origin. So what happens here if I try to install a packaged app? What do I end up seeing in the install prompt?
(Assignee)

Comment 9

4 years ago
Created attachment 735336 [details]
Screenshot showing install prompt with domain URL

A packaged app will show the base URL of the domain from which the app is being installed.
(Reporter)

Comment 10

4 years ago
(In reply to Martyn Haigh (:mhaigh) from comment #9)
> Created attachment 735336 [details]
> Screenshot showing install prompt with domain URL
> 
> A packaged app will show the base URL of the domain from which the app is
> being installed.

Ah okay. Looks good then for the packaged app side. Thanks for checking.
Comment on attachment 735316 [details] [diff] [review]
Adding app origin to install dialog

Looks good.
Attachment #735316 - Flags: review?(mark.finkle) → review+

Updated

4 years ago
Whiteboard: [blocking-webrtandroid1-] A4A → [blocking-webrtandroid1-] A4A [packagedapps]
(Assignee)

Comment 12

4 years ago
checkin-needed
(Assignee)

Updated

4 years ago
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/783f66376d65
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/783f66376d65
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 23

Updated

4 years ago
Status: RESOLVED → VERIFIED
status-firefox23: --- → verified