Mozilla App Project Security

About this Page

This page is meant as a general living resources for security information related to the Mozilla App Store project. Individual formal design and implementation reviews should be stored in separate sub-page.

Introduction to Mozilla App Project

The high level goals of the project can be grouped around:

Platform

• provide an open web app playground for easily building portable apps
• extend web technologies into new terrain
• Firefox, JS and IOS/android pieces (maybe chrome os, windows, mac os, etc)

Acquisition and Monetization

• how to improve the web app discovery/acquisition, monetization, etc. strategy (whether we run the store or not is TBD)

Delivering apps/services via the platform

• services around contacts, identity, wallet, etc. Note that monetization implies payment implies identity anyway, at minimum.

Resources

• Technical docs: https://developer.mozilla.org/en/OpenWebApps
• Main site: https://apps.mozillalabs.com

Platform Detail

(As of 3/31/2011)

• An appid is basically a URL for a manifest
• currently contemplating a rule of one app per domain to avoid intra-site security quagmire (vs fighting same-origin)
• therefore an app is really a domain
• the UA keeps a list of apps (URLs)
• apps not required to be hosted on HTTPS (otherwise possible conflict with one-app-per-origin rule?)
• installed app discovery should be easy & seamless (user-agent UI/dashboard, awesome bar integration, etc.)
• domain related app management functionality: query if app is installed, version/update check, list apps installed (from that store), list + delete + launch dashboard (ours, potentially 3rd party ones)
• capabilities was there for a while, but its been pulled for now due to lack of consensus
• permission UI during install vs. at run time is under discussion
• sync integration to help propagate apps to end user devices, maybe with metadata to enumerate supported platforms
• playing with concept apps: web service advertisement and subscription to currently installed apps (i.e. this site provides a photo feed at /services/photostream, would you like to subscribe to it with your Flickr or iPhoto app?)

Milestones

• 2011/3 First Developer Release: http://mozillalabs.com/blog/2011/03/first-developer-release-of-web-apps-project/
• As of 4/1/11: Currently working on PRD, rough draft after all-hands and meet during platform work week. Mike Hanson working on general architectural overview, can have something ready for above meeting.