Closed Bug 944482 Opened 11 years ago Closed 11 years ago

Ensure origin required for paid packaged apps

Categories

(Marketplace Graveyard :: Developer Pages, defect, P5)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: andy+bugzilla, Unassigned)

To allow almost server-less in-app payments, we need to enforce that paid packaged apps have an origin. We added origin support in packaged apps, for example bug 878105, but we did not require it. We would have to block in the payment pages if they wanted to do in-app and an origin was not present. Hopefully there are no paid packaged apps that do not have an origin; maybe we can do a quick scan before implementing this and check before we turn it on.
Depends on: 944483
Non-privileged paid packaged apps can't have an origin.
Setting priority, will ping teams involved when we are ready to go on this.
Priority: -- → P5
Why do the apps need an origin? They could simply hard code product IDs and make API calls per product (bug 956351). The only reason I can think of for needing an origin is for Persona support, but I think we don't need that if we get platform support for addReceipt() (bug 757226).
After chatting on IRC we decided that we don't need to restrict by origin. It doesn't buy us much security. If a malicious app changes a product ID value in their own app they'd be giving money away to someone else. If they hack another app and change the product ID value to re-route money then, well, they'd have full app access anyway; they can do plenty of other things.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX