
A way to verify app:// origins in the Firefox Accounts verifier

RESOLVED FIXED

Status

5 years ago
5 years ago

People

(Reporter: jedp, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

If an app posts an identity assertion up to its server, the server should be able to ask the Firefox Accounts verifier to verify the assertion, even if it has an app://something URL.

Presently, the verifier rejects such origins - and for good reason, since a URL of the form app://{guid} is inherently unverifiable. But if the app has a stable, if arbitrary, origin in its manifest (the case for packaged apps), then the app's server should be allowed to tell the verifier that this is an accepted origin.

Such a change will require only simple changes to the DOM API, for which we already have Bug 947374, and a simple modification to the verifier.
Depends on: 947374
QA Contact: jparsons

Updated

5 years ago
Blocks: 955951
Wait.  What am I talking about.  That's completely irrelevant.  Sorry.  Move along ...
The good :fmarier will open a PR in the new verifier [1] that does something like this PR that I completely forgot I landed in the old verifier last year [2].

[1] https://github.com/mozilla/browserid-verifier
[2] https://github.com/mozilla/persona/pull/3334

Benson, do you know if the new 'browserid-verifier' has been deployed in production yet?  Or are we still using the old 'browserid' verifier for Persona and Firefox Accounts?
Flags: needinfo?(bwong)
@jedp the new verifier (https://github.com/mozilla/browserid-verifier) is deployed at verifier.accounts.firefox.com. 

Let me know when your PR lands and I will deploy it. 

Ben
Flags: needinfo?(bwong)
Thanks, Benson!
Blocks: 947374
No longer depends on: 947374
:fmarier remarks that, according to the unit tests, this feature is already live and deployed on the new verifier.  Thank you, Lloyd.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
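
The audience check requested in the bug description, sketched as an added example (not code from browserid-verifier or the Persona PR): the app's server names the app:// origin it accepts, and the audience in the assertion must match it exactly. The function names, the no-port rule for app:// and the sample origins are assumptions.

```javascript
'use strict';
// Added illustration; names and policy details are assumptions,
// not code from mozilla/browserid-verifier.

const DEFAULT_PORTS = { http: '80', https: '443' };

// Parse a bare origin (scheme://host[:port]); anything with a path, query,
// userinfo or an unlisted scheme returns null.
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  const m = /^(https?|app):\/\/([A-Za-z0-9.{}-]+)(?::([0-9]{1,5}))?$/i.exec(value);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  // Assumption for this sketch: an app:// origin never carries a port.
  if (scheme === 'app' && m[3] !== undefined) return null;
  return {
    scheme,
    host: m[2].toLowerCase(),
    port: m[3] !== undefined ? String(Number(m[3])) : (DEFAULT_PORTS[scheme] || ''),
  };
}

// assertionAud: audience inside the signed assertion.
// expectedAud:  audience the app's server sends along with the assertion.
// An app:// audience is accepted only because the server named it; the
// verifier has no independent way to confirm who owns that origin.
function checkAudience(assertionAud, expectedAud) {
  const got = parseOrigin(assertionAud);
  const want = parseOrigin(expectedAud);
  if (!want) return { ok: false, reason: 'unsupported expected audience' };
  if (!got) return { ok: false, reason: 'unsupported assertion audience' };
  if (got.scheme !== want.scheme) return { ok: false, reason: 'scheme mismatch' };
  if (got.host !== want.host) return { ok: false, reason: 'host mismatch' };
  if (got.port !== want.port) return { ok: false, reason: 'port mismatch' };
  return { ok: true, reason: 'audience matches' };
}

// Constructed sample audiences: [audience in assertion, audience from server].
const samples = [
  ['app://notes.example.org', 'app://notes.example.org'],
  ['app://{constructed-guid}', 'app://notes.example.org'],
  ['https://notes.example.org', 'https://notes.example.org:443'],
  ['app://notes.example.org', 'https://notes.example.org'],
];
for (const [aud, expected] of samples) {
  console.log(aud, 'vs', expected, '->', checkAudience(aud, expected).reason);
}
```
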