Some permissions can be granted automatically for an application type (implicit), while other, high-risk privileges need to be approved by the user (explicit). Currently the only field in the manifest spec (http://mozilla.github.com/webapps-spec/) is "required_features", which is insufficient. We can either add "optional_features" to the manifest, or replace "required_features" with simply a list of requested "permissions".

Note that only permissions enumerated in the manifest should be available to an application. This holds true whether they are implicit or explicit permissions.

I don't think we want to use the "required_features" part. That is designed to enumerate the platform capabilities that the app needs in order to show up in the app store. For example that the app needs a specific screen size, or for the runtime to implement DOM4 Core. I filed bug 772358 on an explicit new manifest property which just enumerates security aspects. With that I think we should WONTFIX this bug.

I don't think we should use "required_features" either. The gist of this bug was that we should enumerate permissions in the manifest. The key question is I guess whether we want to have separate groups of explicit vs implicit permissions or have them all in one list. After giving it more thought, I'm inclined to go with the latter.