Closed
Bug 832960
Opened 12 years ago
Closed 11 years ago
Geolocation and desktop notification should require a manifest entry for apps on Android
Categories
(Core :: DOM: Device Interfaces, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: eviljeff, Assigned: marco)
References
Details
(Whiteboard: [A4A])
Attachments
(1 file, 2 obsolete files)
(deleted),
patch
|
mfinkle
:
review+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #823974 +++
Geolocation should require a manifest entry for all apps, like all other webapi permissions. If that is not present, the request should be denied.
This bug is to implement in Android (Aurora, 20) if possible.
Comment 1•12 years ago
|
||
Confirmed that this doesn't magically work on Android post the patch in bug 823974.
Going to generalize this geolocation and desktop notifications, as the same problem applies to both.
Summary: Geolocation should require a manifest entry for apps (Android) → Geolocation and desktop notification should require a manifest entry for apps on Android
Whiteboard: A4A?
Comment 2•12 years ago
|
||
Jonas, if I remember right, we are expecting these prompts, right?
Updated•12 years ago
|
Flags: needinfo?(jonas)
Comment 3•12 years ago
|
||
I believe this should be marked INVALID. Per the spreadsheet Lucas Adamski has created to track these things, we treat unprivileged, privileged, and certified apps the same -- all are allowed to do geolocation, and all must prompt when the API is invoked. There are some slight differences about whether we remember your preference, but we should never deny geolocation outright.
Comment 4•12 years ago
|
||
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #3)
> I believe this should be marked INVALID. Per the spreadsheet Lucas Adamski
> has created to track these things, we treat unprivileged, privileged, and
> certified apps the same -- all are allowed to do geolocation, and all must
> prompt when the API is invoked. There are some slight differences about
> whether we remember your preference, but we should never deny geolocation
> outright.
No. We changed that requirement per Lucas that an app developer is required to declare geolocation and desktop notification in the permissions property in order to use the API in a web app. I can find the bug that talked about this, but security has made this a firm requirement to allow reviewers to have a clear picture of what permissions are being requested by the app.
Flags: needinfo?(jonas)
Comment 5•12 years ago
|
||
Actually, bug 823974 has the rationale here, filed by Lucas himself. I confirmed also this is the current behavior on FF OS not too long ago as well.
Reporter | ||
Comment 6•12 years ago
|
||
Can we generalise this to Desktop also? It would be ideal if permissions didn't diverge too much.
Comment 7•12 years ago
|
||
(In reply to Andrew Williamson [:eviljeff] from comment #6)
> Can we generalise this to Desktop also? It would be ideal if permissions
> didn't diverge too much.
Yeah, we should probably get an equivalent bug filed for this for desktop.
Comment 8•12 years ago
|
||
I have very very very strong reservations against doing this.
Mostly, this seems to move us to the Android/iOS model of permissions? I don't like Android's model, and haven't met anyone who does either, including all of the security folks at Mozilla I've talked to. We've very intentionally spent a lot of time designing something different and better for both the web and apps. Why are we throwing it away?
Comment 9•12 years ago
|
||
I'll put needsinfo on Lucas to explain this.
Note that this actually did go through intense debate for a while, but I believe the final rationale for going with it was due to the need to allow a reviewer to understand exactly what permissions are being requested by the app and only granting them when they are specified as a result.
Flags: needinfo?(ladamski)
Comment 10•12 years ago
|
||
Yeah, I read that above. That makes even less sense to me since we're talking about hosted apps for the most part here.
Comment 11•12 years ago
|
||
I think the rationale was covered in bug 923974 esp https://bugzilla.mozilla.org/show_bug.cgi?id=823974#c6, but to recap, the model for apps is that all potentially privacy and security impactful permissions need to be enumerated in the manifest, regardless of whether they are implicit or explicit. Geolocation was the sole and confusing exception to that, and that bug fixed that one exception. The exception made little sense since the developer controls the manifest, and if they want to use geolocation they can simply add it like every other permission they want to use.
Flags: needinfo?(ladamski)
Comment 12•12 years ago
|
||
(In reply to Lucas Adamski from comment #11)
> model for apps is that all potentially privacy and security impactful
> permissions need to be enumerated in the manifest, regardless of whether
> they are implicit or explicit.
Yes, I read that part. My question has more to do with this "model", not with whether or not we're going to be consistent. We're moving control from the user to the app developer.
The manifest documentation has a great example of this:
https://developer.mozilla.org/en-US/docs/Apps/Manifest#permissions
i.e. that app requests contacts permissions just so it can do autocomplete in a form field, a feature that I'd gladly opt out of and that apps already have a history of abusing on iOS and Android. Rather than encouraging developers to write apps that will work with or without a permission, we've moved to a model where you can't even try the app without giving it your private info.
Comment 13•12 years ago
|
||
(In reply to Wesley Johnston (:wesj) from comment #12)
> (In reply to Lucas Adamski from comment #11)
> > model for apps is that all potentially privacy and security impactful
> > permissions need to be enumerated in the manifest, regardless of whether
> > they are implicit or explicit.
>
> Yes, I read that part. My question has more to do with this "model", not
> with whether or not we're going to be consistent. We're moving control from
> the user to the app developer.
>
> The manifest documentation has a great example of this:
> https://developer.mozilla.org/en-US/docs/Apps/Manifest#permissions
>
> i.e. that app requests contacts permissions just so it can do autocomplete
> in a form field, a feature that I'd gladly opt out of and that apps already
> have a history of abusing on iOS and Android. Rather than encouraging
> developers to write apps that will work with or without a permission, we've
> moved to a model where you can't even try the app without giving it your
> private info.
I think you misunderstand how the model works at a fundamental level. The geolocation permission is explicit, so putting the permission in the manifest only allows the app to request geolocation from the user. The user still has to grant it. If anything it gives the user extra control because they can understand what the app *might* request of them before installing it, knowing if its not in the manifest it cannot be accessed implicitly or explicitly. Same for contacts, etc.
Comment 14•12 years ago
|
||
Ahh. OK! Great! That makes me much more comfortable. Thanks for the clarification!
Comment 15•12 years ago
|
||
(In reply to Jason Smith [:jsmith] from comment #1)
> Confirmed that this doesn't magically work on Android post the patch in bug
> 823974.
>
> Going to generalize this geolocation and desktop notifications, as the same
> problem applies to both.
Does anyone know why this does not magically work on Android? What about this is Android specific?
Comment 16•12 years ago
|
||
(In reply to Mark Finkle (:mfinkle) from comment #15)
> (In reply to Jason Smith [:jsmith] from comment #1)
> > Confirmed that this doesn't magically work on Android post the patch in bug
> > 823974.
> >
> > Going to generalize this geolocation and desktop notifications, as the same
> > problem applies to both.
>
> Does anyone know why this does not magically work on Android? What about
> this is Android specific?
Hmm...Jonas?
Flags: needinfo?(jonas)
The reason bug 823974 doesn't fix this is because we implemented it there as part of the IPC code, which I don't think Android goes through.
In general the situation around prompts on B2G is pretty bad and we've ended up with much more inconsistencies and workarounds than we should have had.
Flags: needinfo?(jonas)
Updated•12 years ago
|
Whiteboard: A4A? → A4A
Updated•12 years ago
|
Priority: -- → P1
Whiteboard: A4A → [A4A]
Comment 18•12 years ago
|
||
(In reply to Lucas Adamski [:ladamski] (plz needinfo) from comment #11)
> I think the rationale was covered in bug 923974 esp
> https://bugzilla.mozilla.org/show_bug.cgi?id=823974#c6, but to recap, the
> model for apps is that all potentially privacy and security impactful
> permissions need to be enumerated in the manifest, regardless of whether
> they are implicit or explicit. Geolocation was the sole and confusing
> exception to that, and that bug fixed that one exception. The exception
> made little sense since the developer controls the manifest, and if they
> want to use geolocation they can simply add it like every other permission
> they want to use.
This is a completely broken security model which leads to most users clicking the "yea, sure, whatever" button to install the app.
A much better model would be to require that the app declare that it might request permission for geolocation and still show the prompt when it it asks. That would give the user better control over their privacy and security decisions as the request comes with some context of what the app is doing.
Reporter | ||
Comment 19•12 years ago
|
||
(In reply to Brad Lassey [:blassey] from comment #18)
> A much better model would be to require that the app declare that it might
> request permission for geolocation and still show the prompt when it it
> asks. That would give the user better control over their privacy and
> security decisions as the request comes with some context of what the app is
> doing.
Isn't that what we're doing when this bug is fixed?? (Like we do already on FirefoxOS)
Comment 20•12 years ago
|
||
(In reply to Andrew Williamson [:eviljeff] from comment #19)
> (In reply to Brad Lassey [:blassey] from comment #18)
> > A much better model would be to require that the app declare that it might
> > request permission for geolocation and still show the prompt when it it
> > asks. That would give the user better control over their privacy and
> > security decisions as the request comes with some context of what the app is
> > doing.
>
> Isn't that what we're doing when this bug is fixed?? (Like we do already on
> FirefoxOS)
Yup. That's what this bug is fixing.
The way the security model works is
- No permission specified = automatic denial to WebAPI
- Permission specified = follow the security model rules for the specific WebAPI to either automatically allow, prompt for access, or deny.
Comment 21•12 years ago
|
||
What Andrew and Jason said.
Assignee | ||
Comment 22•11 years ago
|
||
Comment 23•11 years ago
|
||
Comment on attachment 779270 [details] [diff] [review]
Patch
I'm assuming you are looking for reviewer.
Maybe Mark can help with the review?
Attachment #779270 -
Flags: review? → review?(mark.finkle)
Comment 24•11 years ago
|
||
Comment on attachment 779270 [details] [diff] [review]
Patch
>diff --git a/mobile/android/components/ContentPermissionPrompt.js b/mobile/android/components/ContentPermissionPrompt.js
>- if (result == Ci.nsIPermissionManager.DENY_ACTION) {
>+ if (result == Ci.nsIPermissionManager.DENY_ACTION ||
>+ (result == Ci.nsIPermissionManager.UNKNOWN_ACTION && !!kEntities[request.type])) {
No need to wrap the line for android JS
Attachment #779270 -
Flags: review?(mark.finkle) → review+
Assignee | ||
Updated•11 years ago
|
Keywords: checkin-needed
Comment 26•11 years ago
|
||
Keywords: checkin-needed
Comment 27•11 years ago
|
||
This made bug 857240 perma-fail. See some of the recent TBPLbot comments there for logs. Backed out.
https://hg.mozilla.org/integration/mozilla-inbound/rev/8bd708f9171b
Assignee | ||
Comment 28•11 years ago
|
||
Attachment #779841 -
Attachment is obsolete: true
Attachment #782812 -
Flags: review?(mark.finkle)
Comment 29•11 years ago
|
||
Comment on attachment 782812 [details] [diff] [review]
Patch v2
Make a Try run just to be safe
Attachment #782812 -
Flags: review?(mark.finkle) → review+
Assignee | ||
Comment 30•11 years ago
|
||
(In reply to Mark Finkle (:mfinkle) from comment #29)
> Make a Try run just to be safe
Aready did :)
Keywords: checkin-needed
Comment 31•11 years ago
|
||
Keywords: checkin-needed
Comment 32•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•