Trusted apps that want access to APIs beyond those exposed to normal web pages should enumerate these requested privileges along with a reason for why they are requested. We should then at install time and update time update the data in the permission manager such that we enumerate both the API which trusted apps implicitly get access to, and to enumerate the APIs which the app can prompt about. I'm not sure if anything is involved in adding more properties to the manifest. If so that work should happen in this bug. If not, the only work we need to do in this bug is to specify the exact format for how permissions are expressed in the manifest. The work to copy data into the permission manager, as well as display that data in various pieces of UI, will happen in separate bugs.

Will this format apply only to trusted (and certified?) applications or will it apply also to normal web content that requires access to some elevated privileges? Also, isn't bug https://bugzilla.mozilla.org/show_bug.cgi?id=768931 a subset of this one?

It applies to web installed, trusted and certified apps, but not normal web content (which does not have a manifest). Yes, its perhaps a little surprising to enumerate for installed apps and not web content, but the experience for the user is no different and at least we have consistency in the manifest format and between app types.

Anant - Can we get an update on the spec piece on this bug?

We're working with the B2G folks to describe a common list of permissions. Work is progressing, I will update the bug when we are done.

Does this depend on bug 778326 ?

Seems like it.

Anant, what is the status of this bug? Isn't this what Gregor did already?

I believe this bug reflects the need to update the manifest spec to document how permissions are defined. I agree the bulk of the hard work has been done in the dependent bug. Anant?

https://github.com/mozilla/webapps-spec/commit/cdae925cc5b98537164fd9182be9e8827482044a Done, thanks to all the hard work by Gregor & others!