Closed
Bug 697667
Opened 13 years ago
Closed 13 years ago
must not allow multiple app manifests for a single domain
Categories
(addons.mozilla.org Graveyard :: Developer Pages, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
6.3.0
People
(Reporter: bwalker, Assigned: kumar)
Per Mike Hanson and Ben Adida, we can only allow one application per domain. We should catch this during app submission (i.e., at manifest validation time) when we could issue an error message like "this manifest is invalid, there is already an app manifest for 'appname.companyname.com'".
With this domain uniqueness constraint, there's nothing to prevent some random developer from republishing the manifest for Angry Birds at $1 less and stealing all of Rovio's revenue.
This really should be documented somewhere already.
Reporter
Updated•13 years ago
Summary: must not allow multiple manifests for a simple domain → must not allow multiple manifests for a single domain
Reporter
Updated•13 years ago
Summary: must not allow multiple manifests for a single domain → must not allow multiple app manifests for a single domain
Reporter
Comment 1•13 years ago
BTW, this will really frustrate folks doing manual testing on the dev or staging server, where it is very useful to be able to resubmit the same manifest over and over again. Not sure what to do, perhaps make it easier to remove apps from the marketplace?
Updated•13 years ago
Priority: -- → P1
Comment 2•13 years ago
Was there talk at one point of placing something on the app domain so that we can verify the person uploading the app owns the domain? This sounds like we'll also hit the "first person to get there wins" problem, meaning manual remediation.
Comment 3•13 years ago
This should error in the same place as duplicate name I reckon
Assignee: nobody → kumar.mcmillan
Target Milestone: --- → 6.3.0
Assignee
Comment 5•13 years ago
I have a patch for this under review but I wanted to quickly answer some questions:
- this behavior will be controlled by a config setting so that we can choose to turn it off in the dev sandbox if it becomes annoying
- re: 'first person to get there wins' problem. The only way to submit an app is to physically host a manifest file on your app domain and that's how we'll register domains. That's a pretty good verification process although the JavaScript code that currently handles that could use some more reviews to check for spoofing I suppose.
Assignee
Comment 6•13 years ago
Fixed: https://github.com/mozilla/zamboni/commit/ef5bc76fb2692ef2ce72a348f66f964080b447dc
See it in action: https://addons-dev.allizom.org/en-US/developers/app/submit/2
One other addition is that www.appserver.com/my.webapp is treated the same as appserver.com/my.webapp. Nothing else prevents subdomains from creating a unique URL though. In other words, it is possible to submit app1.appserver.com and app2.appserver.com without error.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
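The domain rule described in comments 5 and 6, as an added Python example that is not part of the thread or of the zamboni commit. The names `domain_key`, `DomainRegistry`, `ManifestDomainError` and `ENFORCE_ONE_APP_PER_DOMAIN` are hypothetical, and ignoring scheme and port when building the key is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical setting name; the thread only says a config setting exists
# so the check can be switched off in the dev sandbox.
ENFORCE_ONE_APP_PER_DOMAIN = True


class ManifestDomainError(ValueError):
    """Raised when a manifest URL is unusable or its domain is taken."""


def domain_key(manifest_url):
    """Reduce a manifest URL to the key used for the uniqueness check."""
    parts = urlsplit(manifest_url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ManifestDomainError("not an absolute http(s) URL: %r" % manifest_url)
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    # Only a leading "www." label is folded away; any other subdomain stays
    # distinct (comment 6). A bare "www.com" is left untouched.
    if host.startswith("www.") and host.count(".") >= 2:
        host = host[len("www."):]
    return host


class DomainRegistry:
    """In-memory stand-in for the table of already submitted apps."""

    def __init__(self, enforce=ENFORCE_ONE_APP_PER_DOMAIN):
        self.enforce = enforce
        self._apps = {}  # domain key -> manifest URLs accepted for it

    def submit(self, manifest_url):
        key = domain_key(manifest_url)
        if self.enforce and key in self._apps:
            raise ManifestDomainError(
                "there is already an app manifest for %r" % key)
        self._apps.setdefault(key, []).append(manifest_url)
        return key


if __name__ == "__main__":
    registry = DomainRegistry()
    # Constructed sample URLs, reusing the host names from comment 6.
    for url in ("https://appserver.com/my.webapp",
                "https://app1.appserver.com/my.webapp",
                "https://www.appserver.com/my.webapp"):
        try:
            print("accepted:", registry.submit(url))
        except ManifestDomainError as exc:
            print("rejected:", url, "-", exc)
```

In a database-backed submission flow the same key would also need a unique constraint, because a check followed by an insert can race between two concurrent submissions.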
Comment 7•13 years ago
I'm curious whether this is a limitation of Chrome's hosted web apps. Anyone know?
Comment 8•13 years ago
I get an appropriate error message at https://addons-dev.allizom.org/en-US/developers/app/submit/2
Status: RESOLVED → VERIFIED
Comment 9•13 years ago
Comment 10•13 years ago
This is currently not working on marketplace dev. I am able to submit two apps off the same origin with no error checking.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Comment 11•13 years ago
Knowing that the developer submission release has already occurred, do we know if there are apps currently submitted that are off the same origin as another app? If that's the case, we need a resolution strategy to clean this up, as this will cause problems for the web runtime.
Comment 12•13 years ago
(In reply to Jason Smith from comment #10)
> This is currently not working on marketplace dev. I am able to submit two
> apps off the same origin with no error checking.
We intentionally don't enforce this restriction on marketplace-dev.allizom.org. We do on marketplace.mozilla.org.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Comment 13•13 years ago
(In reply to Jason Smith from comment #11)
> Knowing that the developer submission release has already occurred, do we
> know if there are apps currently submitted that are off the same origin as
> another app?
There are no apps in production that share the same origin as another app.
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard