Hi folks,

I want to raise what I believe is a relatively urgent issue with packaged apps and web origins:

  https://bugzilla.mozilla.org/show_bug.cgi?id=852720

Currently, packaged apps run in an origin that is newly minted for each device installation, effectively a GUID that differs from device to device. This works up until the point where the rest of the Web expects a stable origin across devices, e.g. OAuth and OpenID flows, and Persona. Since origins are so critical to the Web, I expect to see many more failures over time.

Can we fix this?

Potch has a great proposal: let apps declare a marketplace in their manifest. If apps are served from and signed by the marketplace, then any origin is okay (after review). If apps are self-hosted, then the only origin allowed is that of the hosting site.

I suggested a tweak to this: if a packaged app is served from https://example.com, then it can set an origin of app://example.com, so that it is stable but also different from the actual hosted origin.

Can we converge on a solution here ASAP? This is now holding up making Marketplace a packaged app, and I suspect it will bite us again soon.

-Ben
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
