If a hosted app manifest on marketplace does an off-origin redirect, then we should fail validation, as you are not allowed to install hosted apps that have manifests that go off the origin of the app. Given that we know user agent sniffing is a problem in the mobile web, we also need to be careful to do this style of check with each supported user agent that we support for installation of web apps (the mobile UAs are more critical here for checking, though). See bug 849510 for an example scenario of this problem where an off-origin redirect was observed with a FF Android user agent with the web app manifest, but not seen with other UAs.
Talking with Matt, trying to scrape resources under each supported UA is too resource intensive for us to support right now. However, we could change the default UA we scrape against. The best short-term solution we could do in this bug is set the default UA to do scraping with to the B2G UA, as that's the highest priority in terms of the platforms we support. When we scrape then, let's use the B2G UA below: Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0
closing for comment 2
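The check discussed in the first two comments, sketched as an added example (not code from the bug or from the Marketplace validator): it walks a recorded redirect chain for the manifest under each user agent and reports the first hop that leaves the app's origin. The function names, the `app.example` URLs, the desktop label and the sample chains are constructed for illustration; only the B2G UA string comes from the thread.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

# UA string quoted in the thread.
B2G_UA = "Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0"
MANIFEST = "https://app.example/manifest.webapp"  # constructed sample URL

def origin(url):
    """Return (scheme, host, port) with the default port made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))

def first_off_origin_hop(manifest_url, responses):
    """Return the first redirect target outside the manifest's origin, or None.

    responses: (status, Location header or None) pairs in the order received.
    """
    app_origin = origin(manifest_url)
    current = manifest_url
    for status, location in responses:
        if status not in REDIRECTS or not location:
            return None  # final response reached without leaving the origin
        current = urljoin(current, location)  # Location may be relative
        if origin(current) != app_origin:
            return current
    return None

def validate(manifest_url, chains_by_ua):
    """Return {ua: offending_url} for every UA whose chain left the origin."""
    failures = {}
    for ua, responses in chains_by_ua.items():
        bad = first_off_origin_hop(manifest_url, responses)
        if bad:
            failures[ua] = bad
    return failures

# Constructed chains: the server redirects only the mobile UA to another host.
SAMPLE_CHAINS = {
    "desktop-ua (constructed label)": [(200, None)],
    B2G_UA: [(302, "/m/manifest.webapp"),
             (302, "https://m.app.example/manifest.webapp"),
             (200, None)],
}

if __name__ == "__main__":
    for ua, url in validate(MANIFEST, SAMPLE_CHAINS).items():
        print("FAIL", ua, "->", url)
```
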