Marketplace/Reviewers/Apps/Testing: Difference between revisions

step for "permission descriptions" added
m (spelling)
(step for "permission descriptions" added)
Line 49: Line 49:
* Have a quick look at the '''app manifest''' (the 'View' link next to the manifest url).  If the manifest obviously isn't valid JSON/isn't found it won't install anyway.  The [https://developer.mozilla.org/docs/Apps/Manifest manifest spec] should be consulted if you aren't sure about syntax.  Any issues, reject.
* Have a quick look at the '''app manifest''' (the 'View' link next to the manifest url).  If the manifest obviously isn't valid JSON/isn't found it won't install anyway.  The [https://developer.mozilla.org/docs/Apps/Manifest manifest spec] should be consulted if you aren't sure about syntax.  Any issues, reject.
* Take note of any '''requested permissions''' in the manifest.  There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers].  There are only a few APIs are available to hosted/non-privileged apps (alarms, desktop-notification, geolocation, fmradio)
* Take note of any '''requested permissions''' in the manifest.  There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers].  There are only a few APIs are available to hosted/non-privileged apps (alarms, desktop-notification, geolocation, fmradio)
* Validate that each '''permission description''' in the manifest uses plain language to accurately and clearly describe the app's use of that permission. Take extra care with every permission that seems unusual or unneccessary for the app's designated purpose.
* Press the install button. It will install natively so on Desktop you have to go find it in your Applications folder, start menu or desktop. On mobile platforms a shortcut will appear on your homescreen.
* Press the install button. It will install natively so on Desktop you have to go find it in your Applications folder, start menu or desktop. On mobile platforms a shortcut will appear on your homescreen.
* Check the '''app's shortcut has an icon'''.  The default rocketship icon is not allowed any more.  If not, reject (there is a canned response).  There is an occasional issue on Windows where sometimes the icon shown is cached from previous installs or appears broken at first so if it seems to be missing open the properties dialog and see if an icon is shown in the dialog.
* Check the '''app's shortcut has an icon'''.  The default rocketship icon is not allowed any more.  If not, reject (there is a canned response).  There is an occasional issue on Windows where sometimes the icon shown is cached from previous installs or appears broken at first so if it seems to be missing open the properties dialog and see if an icon is shown in the dialog.
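Review bot: the new "permission description" step does not say what the reviewer should do when a description fails the check, unlike the neighbouring steps, which end with "Any issues, reject" and "If not, reject (there is a canned response)". Suggest closing the step with the outcome, e.g. "If a description is missing, vague or does not match what the app does, reject (and note whether a canned response exists)". Also a spelling fix in the added line: "unneccessary" should be "unnecessary".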
Line 72: Line 73:
* The manifest url (view) link contains a copy of the manifest inside the (zip) package.  Check this as you would a hosted app .
* The manifest url (view) link contains a copy of the manifest inside the (zip) package.  Check this as you would a hosted app .
* Take note of any '''requested permissions''' in the manifest.  There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers].  There are only a few APIs are available to hosted/non-privileged apps (alarms, desktop-notification, geolocation, fmradio)
* Take note of any '''requested permissions''' in the manifest.  There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers].  There are only a few APIs are available to hosted/non-privileged apps (alarms, desktop-notification, geolocation, fmradio)
* Validate that each '''permission description''' in the manifest uses plain language to accurately and clearly describe the app's use of that permission. Take extra care with every permission that seems unusual or unneccessary for the app's designated purpose.
* As a last check, look for the '''type''' entry.  If there is no type entry in the manifest, or its 'web' the app is unprivileged.  If the type is 'privileged' then see the [[#Testing_Procedure_-_.2APrivileged.2A_Packaged_Apps|privileged packaged app section]] below.
* As a last check, look for the '''type''' entry.  If there is no type entry in the manifest, or its 'web' the app is unprivileged.  If the type is 'privileged' then see the [[#Testing_Procedure_-_.2APrivileged.2A_Packaged_Apps|privileged packaged app section]] below.
* Press the install button. On mobile platforms a shortcut will appear on your homescreen.
* Press the install button. On mobile platforms a shortcut will appear on your homescreen.
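Review bot: this hunk inserts the same sentence, word for word, that the hosted-app hunk above adds, and the privileged-app hunk below repeats it a third time. Since the wording (including the "unneccessary" typo) now has to be kept in sync across three sections, consider moving it into a single shared wiki template or a dedicated subsection that the three procedures link to, so a later correction lands in all three places at once.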
Line 98: Line 100:
* The first file should be the manifest.   
* The first file should be the manifest.   
* Take note of any requested permissions in the manifest.  There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers].  
* Take note of any requested permissions in the manifest.  There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers].  
* Validate that each '''permission description''' in the manifest uses plain language to accurately and clearly describe the app's use of that permission. Take extra care with every permission that seems unusual or unneccessary for the app's designated purpose.
* Read the code in all the files one by one, in particular the .js files (thankfully inline js and external files aren't allowed by the CSP), paying attention to how any permissions requested are used.  
* Read the code in all the files one by one, in particular the .js files (thankfully inline js and external files aren't allowed by the CSP), paying attention to how any permissions requested are used.  
* It may be necessary to search for and inspect different parts of the files, or other files, to establish how a particular piece of code is used.  The validator is your friend as it highlights possible issues, but beware of false positives, and false negatives!
* It may be necessary to search for and inspect different parts of the files, or other files, to establish how a particular piece of code is used.  The validator is your friend as it highlights possible issues, but beware of false positives, and false negatives!
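Review bot: in the privileged-app procedure the description check is placed before the code-reading step, yet the code-reading step is the only point where the reviewer actually learns "how any permissions requested are used". Suggest linking the two explicitly, e.g. "While reading the .js files, confirm that each permission is used in the way its description claims; a description that does not match the observed use is grounds for rejection", so the description is validated against behaviour rather than on wording alone. The added line also carries the "unneccessary" spelling error.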