All users were logged out of Bugzilla on October 13th, 2018

A way to verify app:// origins in the Firefox Accounts verifier




5 years ago
5 years ago


(Reporter: jedp, Unassigned)


Firefox Tracking Flags

(Not tracked)


If an app posts an identity assertion up to its server, the server should be able to ask the Firefox Accounts verifier to verify the assertion, even if it has an app://something url.

Presently, the verifier rejects such origins - and for good reason, since a url of the form app://{guid} is inherently unverifiable.  But if the app has a stable, if arbitrary, origin in its manifest (the case for packaged apps), then the app's server should be allowed to tell the verifier that this is an accepted origin.

Such a change will require only simple changes to the DOM API, for which we already have Bug 947374, and a simple modification to the verifier.
Depends on: 947374
QA Contact: jparsons


5 years ago
Blocks: 955951
Wait.  What am I talking about.  That's completely irrelevant.  Sorry.  Move along ...
The good :fmarier will open a PR in the new verifier [1] that does something like this PR that I completely forgot I landed in the old verifier last year [2].


Benson, do you know if the new 'browserid-verifier' has been deployed in production yet?  Or are we still using the old 'browserid' verifier for Persona and Firefox Accounts?
Flags: needinfo?(bwong)
@jedp the new verifier ( is deployed at 

Let me know when your PR lands and I will deploy it. 

Flags: needinfo?(bwong)
Thanks, Benson!
Blocks: 947374
No longer depends on: 947374
:fmarier remarks that, according to the unit tests, this feature is already live and deployed on the new verifier.  Thank you, Lloyd.
Last Resolved: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.