From MozillaWiki
Jump to: navigation, search

Mozilla App Project Security

About this Page

This page is meant as a general living resources for security information related to the Mozilla App Store project. Individual formal design and implementation reviews should be stored in separate sub-page.

Introduction to Mozilla App Project

The high level goals of the project can be grouped around:


  • provide an open web app playground for easily building portable apps
  • extend web technologies into new terrain
  • Firefox, JS and IOS/android pieces (maybe chrome os, windows, mac os, etc)

Acquisition and Monetization

  • how to improve the web app discovery/acquisition, monetization, etc. strategy (whether we run the store or not is TBD)

Delivering apps/services via the platform

  • services around contacts, identity, wallet, etc. Note that monetization implies payment implies identity anyway, at minimum.


Platform Detail

(As of 3/31/2011)

  • An appid is basically a URL for a manifest
  • currently contemplating a rule of one app per domain to avoid intra-site security quagmire (vs fighting same-origin)
  • therefore an app is really a domain
  • the UA keeps a list of apps (URLs)
  • apps not required to be hosted on HTTPS (otherwise possible conflict with one-app-per-origin rule?)
  • installed app discovery should be easy & seamless (user-agent UI/dashboard, awesome bar integration, etc.)
  • domain related app management functionality: query if app is installed, version/update check, list apps installed (from that store), list + delete + launch dashboard (ours, potentially 3rd party ones)
  • capabilities was there for a while, but its been pulled for now due to lack of consensus
  • permission UI during install vs. at run time is under discussion
  • sync integration to help propagate apps to end user devices, maybe with metadata to enumerate supported platforms
  • playing with concept apps: web service advertisement and subscription to currently installed apps (i.e. this site provides a photo feed at /services/photostream, would you like to subscribe to it with your Flickr or iPhoto app?)