Right now the myapps dashboard cannot access the navigator.mozApps.mgmt functions without the user putting a setting into about:config (on B2G I believe the homepage is whitelisted for access to the mgmt functions). We need a reasonable way for the dashboard to get access to these APIs. This could be a doorhanger permission dialog.

Note - This is blocking the marketplace beta release.

Fabrice - Could you fix this bug? Or is there somebody else you would suggest fixing this?

I can fix it if we're sure which url we want to whitelist

Bill - What URL do we want to whitelist to allow app management? I know the myapps.mozillalabs.com URL will go away soon, in which it will change over to apps.persona.org.

It will be https://apps.persona.org - can we just add both?

General question - Why is whitelisting being used in the first place? Do we really need it?

How will other marketplaces get themselves added to the whitelist ? -david

The whitelist is more of a short-term solution; we should also have some kind of permission dialog to accomplish the same thing.

Fabrice - Since the dashboard is hosted on myapps.mozillalabs.com right now, let's go with that for now. When the dashboard location changes, let's then file a new bug to change the whitelist to that new location (apps.persona.org). Do you agree?

We should add https://apps.persona.org – we're planning on switching to that URL in the next couple weeks, and we're certain of the URL.

Added https://apps.persona.org per Ian comment.

Comment on attachment 614826 [details] [diff] [review] updated patch as this is whitelist stuff, I prefer to let gavin do the review here

Comment on attachment 614826 [details] [diff] [review] updated patch The current whitelist implementation seems to have a couple of problems: - it uses the permission manager, which only distinguishes hosts, not origins (scheme+host+port). This means that the "https" in these whitelist entries is ignored, and is potentially misleading. If these sites were to be MiTMed, someone would be able to hijack app management, right? You might as well just include "myapps.mozillalabs.com" and have the whitelist pref parsing code just stick in an "http://". This problem also affects our current XPInstall whitelists, but that seems less critical since it only affects the ability to _prompt_ for an install, rather than granting actual permissions. - it installs the permission entries every time the component is initialized, rather than only once. This means that users can't revoke permissions for these domains. But I guess there's no UI for that anyways? The first issue seems like something we need to address before adding any whitelist entries, unless I've misunderstood the permissions being granted here.

Need to reevaluate and ask this question again - Does this bug block the marketplace beta release?

I believe it is, we don't have a usable dashboard without it, and in effect the navigator.mozApps.mgmt APIs are unusable.

This code is active in FF 13 right now since the doorhanger code has not been pulled out yet out of FF 13 (tracked in a separate bug). Until the doorhanger code is pulled, this needs to be fixed asap and uplifted.

No need to track for Firefox 13 since we're already tracking bug 741415.

The fallback dashboard for FF14 for the end users is My Purchases in the Marketplace, so not a blocker.

Does marketplace.mozilla.org need to be whitelisted as well?

Marketplace doesn't need to be on the whitelist, it only uses APIs that do not require special permissions (stores can query the apps installed by the store itself without special permissions)

After some discussion, apps.persona.org will not be hosting the interface only the polyfill. https://persona.org will host the actual dashboard, which is what needs access to navigator.mozApps.mgmt

Is or will there be progress on this bug? After the last patch was rejected I'm not sure we have a plan to move forward?

[Triage Comment] Removing tracking as it seems there is not an urgent need for this in 14, please re-nominate if that changes.

Core Graveyard / DOM: Apps is inactive. Closing all bugs in this component.