Closed
Bug 741490
Opened 13 years ago
Closed 6 years ago
myapps.mozillalabs.com needs permission to access navigator.mozApps.mgmt
Categories
(Core Graveyard :: DOM: Apps, defect)
Core Graveyard
DOM: Apps
Tracking
(firefox13-, firefox14-)
RESOLVED
WONTFIX
People
(Reporter: ianbicking, Assigned: fabrice)
References
Details
Attachments
(1 file, 1 obsolete file)
(deleted),
patch
|
Gavin
:
review-
|
Details | Diff | Splinter Review |
Right now the myapps dashboard cannot access the navigator.mozApps.mgmt functions without the user putting a setting into about:config (on B2G I believe the homepage is whitelisted for access to the mgmt functions). We need a reasonable way for the dashboard to get access to these APIs. This could be a doorhanger permission dialog.
Comment 1•13 years ago
|
||
Note - This is blocking the marketplace beta release.
Updated•13 years ago
|
Component: General → DOM: Mozilla Extensions
Product: Web Apps → Core
QA Contact: general → general
Updated•13 years ago
|
Whiteboard: [mozappsapi]
Updated•13 years ago
|
Whiteboard: [mozappsapi] → [mozApps API 1.0]
Updated•13 years ago
|
Whiteboard: [mozApps API 1.0] → [mozApps API 1.0] [marketplace-beta?]
Comment 2•13 years ago
|
||
Fabrice - Could you fix this bug? Or is there somebody else you would suggest fixing this?
Assignee | ||
Comment 3•13 years ago
|
||
I can fix it if we're sure which url we want to whitelist
Comment 4•13 years ago
|
||
Bill - What URL do we want to whitelist to allow app management? I know the myapps.mozillalabs.com URL will go away soon, in which it will change over to apps.persona.org.
Reporter | ||
Comment 5•13 years ago
|
||
It will be https://apps.persona.org - can we just add both?
Comment 6•13 years ago
|
||
General question - Why is whitelisting being used in the first place? Do we really need it?
Comment 7•13 years ago
|
||
How will other marketplaces get themselves added to the whitelist ?
-david
Reporter | ||
Comment 8•13 years ago
|
||
The whitelist is more of a short-term solution; we should also have some kind of permission dialog to accomplish the same thing.
Comment 9•13 years ago
|
||
Fabrice - Since the dashboard is hosted on myapps.mozillalabs.com right now, let's go with that for now. When the dashboard location changes, let's then file a new bug to change the whitelist to that new location (apps.persona.org). Do you agree?
Updated•13 years ago
|
Assignee: nobody → fabrice
Assignee | ||
Comment 10•13 years ago
|
||
Attachment #614823 -
Flags: review?(felipc)
Reporter | ||
Comment 11•13 years ago
|
||
We should add https://apps.persona.org – we're planning on switching to that URL in the next couple weeks, and we're certain of the URL.
Assignee | ||
Comment 12•13 years ago
|
||
Added https://apps.persona.org per Ian comment.
Attachment #614823 -
Attachment is obsolete: true
Attachment #614823 -
Flags: review?(felipc)
Attachment #614826 -
Flags: review?(felipc)
Comment 13•13 years ago
|
||
Comment on attachment 614826 [details] [diff] [review]
updated patch
as this is whitelist stuff, I prefer to let gavin do the review here
Attachment #614826 -
Flags: review?(felipc) → review?(gavin.sharp)
Comment 14•13 years ago
|
||
Comment on attachment 614826 [details] [diff] [review]
updated patch
The current whitelist implementation seems to have a couple of problems:
- it uses the permission manager, which only distinguishes hosts, not origins (scheme+host+port). This means that the "https" in these whitelist entries is ignored, and is potentially misleading. If these sites were to be MiTMed, someone would be able to hijack app management, right? You might as well just include "myapps.mozillalabs.com" and have the whitelist pref parsing code just stick in an "http://". This problem also affects our current XPInstall whitelists, but that seems less critical since it only affects the ability to _prompt_ for an install, rather than granting actual permissions.
- it installs the permission entries every time the component is initialized, rather than only once. This means that users can't revoke permissions for these domains. But I guess there's no UI for that anyways?
The first issue seems like something we need to address before adding any whitelist entries, unless I've misunderstood the permissions being granted here.
Attachment #614826 -
Flags: review?(gavin.sharp) → review-
Comment 15•13 years ago
|
||
Need to reevaluate and ask this question again - Does this bug block the marketplace beta release?
Reporter | ||
Comment 16•13 years ago
|
||
I believe it is, we don't have a usable dashboard without it, and in effect the navigator.mozApps.mgmt APIs are unusable.
Updated•13 years ago
|
Whiteboard: [mozApps API 1.0] [marketplace-beta?] → [mozApps API 1.0] [marketplace-beta]
Updated•13 years ago
|
Whiteboard: [mozApps API 1.0] [marketplace-beta] → [marketplace-beta]
Updated•13 years ago
|
Whiteboard: [marketplace-beta] → [marketplace-beta]
Updated•13 years ago
|
tracking-firefox13:
--- → ?
Comment 17•13 years ago
|
||
This code is active in FF 13 right now since the doorhanger code has not been pulled out yet out of FF 13 (tracked in a separate bug). Until the doorhanger code is pulled, this needs to be fixed asap and uplifted.
tracking-firefox14:
--- → ?
Updated•13 years ago
|
Whiteboard: [marketplace-beta] → [marketplace-beta?]
Comment 19•13 years ago
|
||
The fallback dashboard for FF14 for the end users is My Purchases in the Marketplace, so not a blocker.
Whiteboard: [marketplace-beta?]
Comment 20•13 years ago
|
||
Does marketplace.mozilla.org need to be whitelisted as well?
Reporter | ||
Comment 21•13 years ago
|
||
Marketplace doesn't need to be on the whitelist, it only uses APIs that do not require special permissions (stores can query the apps installed by the store itself without special permissions)
Reporter | ||
Comment 22•13 years ago
|
||
After some discussion, apps.persona.org will not be hosting the interface only the polyfill. https://persona.org will host the actual dashboard, which is what needs access to navigator.mozApps.mgmt
Reporter | ||
Comment 23•13 years ago
|
||
Is or will there be progress on this bug? After the last patch was rejected I'm not sure we have a plan to move forward?
Comment 24•12 years ago
|
||
[Triage Comment]
Removing tracking as it seems there is not an urgent need for this in 14, please re-nominate if that changes.
Updated•7 years ago
|
Product: Core → Core Graveyard
Comment 25•6 years ago
|
||
Core Graveyard / DOM: Apps is inactive. Closing all bugs in this component.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•