If an app posts an identity assertion up to its server, the server should be able to ask the Firefox Accounts verifier to verify the assertion, even if it has an app://something url. Presently, the verifier rejects such origins - and for good reason, since a url of the form app://{guid} is inherently unverifiable. But if the app has a stable, if arbitrary, origin in its manifest (the case for packaged apps), then the app's server should be allowed to tell the verifier that this is an accepted origin. Such a change will require only simple changes to the DOM API, for which we already have Bug 947374, and a simple modification to the verifier.

Awesome. trustedIssuers is already a part of the current verifier: https://github.com/mozilla/browserid-verifier#optional-array-of-strings-trustedissuers

Wait. What am I talking about. That's completely irrelevant. Sorry. Move along ...

The good :fmarier will open a PR in the new verifier [1] that does something like this PR that I completely forgot I landed in the old verifier last year [2]. [1] https://github.com/mozilla/browserid-verifier [2] https://github.com/mozilla/persona/pull/3334 Benson, do you know if the new 'browserid-verifier' has been deployed in production yet? Or are we still using the old 'browserid' verifier for Persona and Firefox Accounts?

@jedp the new verifier (https://github.com/mozilla/browserid-verifier) is deployed at verifier.accounts.firefox.com. Let me know when your PR lands and I will deploy it. Ben

Thanks, Benson!

:fmarier remarks that, according to the unit tests, this feature is already live and deployed on the new verifier. Thank you, Lloyd.