Validation of a hosted app manifest should fail if the app manifest does an off-origin redirect with any supported user agent on Marketplace

RESOLVED FIXED in 2013-07-11


5 years ago
4 years ago


(Reporter: jsmith, Assigned: basta)






5 years ago
If a hosted app manifest on Marketplace does an off-origin redirect, then we should fail validation, as you are not allowed to install hosted apps that have manifests that go off the origin of the app. Given that we know user agent sniffing is a problem in the mobile web, we also need to be careful to do this style of check with each supported user agent that we support for installation of web apps (the mobile UAs are more critical here for checking, though).

See bug 849510 for an example scenario of this problem where an off-origin redirect was observed with a FF Android user agent with the web app manifest, but not seen with other UAs.

Comment 1

5 years ago
Talking with Matt, trying to scrape resources under each supported UA is too resource intensive for us to support right now. However, we could change the default UA we scrape against. The best short-term solution we could do in this bug is set the default UA to do scraping with to the B2G UA, as that's the highest priority in terms of the platforms we support.

When we scrape then, let's use the B2G UA below:

Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0

Comment 2

5 years ago
closing for comment 2
Assignee: nobody → mattbasta
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2013-07-11
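The check discussed in the description and in comment 1, sketched as an added example (not code from this bug or from the Marketplace validator): follow the manifest's redirect chain once per user agent and fail on the first hop that leaves the app's origin. The `fetch` callable, `fake_fetch`, the desktop UA string and the `app.example` hosts are constructed for illustration; only the B2G UA string comes from the thread.

```python
from urllib.parse import urljoin, urlsplit

B2G_UA = "Mozilla/5.0 (Mobile; rv:18.0) Gecko/18.0 Firefox/18.0"  # from comment 1
DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"  # constructed
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = {301, 302, 303, 307, 308}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def check_manifest_redirects(manifest_url, fetch, user_agents=(B2G_UA,), max_hops=5):
    """Return [(ua, problem)] for each UA whose manifest fetch fails the origin check.

    fetch(url, ua) -> (status, location) is a hypothetical single-request helper
    that does NOT follow redirects itself, so every hop can be inspected.
    """
    app_origin = origin(manifest_url)
    errors = []
    for ua in user_agents:
        url = manifest_url
        for _ in range(max_hops):
            status, location = fetch(url, ua)
            if status not in REDIRECTS or not location:
                break  # final response reached without leaving the origin
            url = urljoin(url, location)  # Location may be relative
            if origin(url) != app_origin:
                errors.append((ua, f"off-origin redirect to {url}"))
                break
        else:
            errors.append((ua, "too many redirects"))
    return errors

def fake_fetch(url, ua):
    """Constructed server: sniffs the UA and sends mobile clients off-origin."""
    if url == "https://app.example/manifest.webapp" and "Mobile" in ua:
        return 302, "/m/manifest.webapp"  # same-origin hop first
    if url == "https://app.example/m/manifest.webapp":
        return 301, "https://m.app.example/manifest.webapp"  # different host
    return 200, None

if __name__ == "__main__":
    url = "https://app.example/manifest.webapp"
    for ua, problem in check_manifest_redirects(url, fake_fetch, (DESKTOP_UA, B2G_UA)):
        print(f"FAIL [{ua}]: {problem}")
```

With the constructed server, the desktop UA passes and only the B2G UA trips the check, which is the UA-dependent behaviour the description warns about.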