Bug 849548 - Validation of a hosted app manifest should fail if the app manifest does an off-origin redirect with any supported user agent on Marketplace
Status: RESOLVED FIXED
Product: Marketplace
Classification: Server Software
Component: Validation
: 1.0
: All All
: -- normal
: 2013-07-11
Assigned To: Matt Basta [:basta]
Reported: 2013-03-09 12:35 PST by Jason Smith [:jsmith]
Modified: 2013-07-23 08:59 PDT

Description Jason Smith [:jsmith] 2013-03-09 12:35:34 PST
If a hosted app manifest on Marketplace does an off-origin redirect, then we should fail validation, as you are not allowed to install hosted apps that have manifests that go off the origin of the app. Given that we know user agent sniffing is a problem in the mobile web, we also need to be careful to do this style of check with each supported user agent that we support for installation of web apps (the mobile UAs are more critical here for checking, though).

See bug 849510 for an example scenario of this problem where an off-origin redirect was observed with a FF Android user agent with the web app manifest, but not seen with other UAs.
Comment 1 Jason Smith [:jsmith] 2013-03-11 13:51:13 PDT
Talking with Matt, trying to scrape resources under each supported UA is too resource intensive for us to support right now. However, we could change the default UA we scrape against. The best short-term solution we could do in this bug is set the default UA to do scraping with to the B2G UA, as that's the highest priority in terms of the platforms we support.

When we scrape then, let's use the B2G UA below:

Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0
Comment 3 Wil Clouser [:clouserw] 2013-07-15 13:51:37 PDT
closing for comment 2
