This article needs a technical review. How you can help.
This article needs an editorial review. How you can help.
This translation is incomplete. Please help translate this article from English.
Frequently asked questions about open web app manifest files.
Why does my app need an app manifest?
The app manifest provides useful information about an app (such as name, author, icon, and description) in a simple document usable by both users and app stores. Most importantly, it will contain a list of Web APIs (such as geolocation) that your App needs. This allows users to make informed decisions about apps before installing them.
Is the Open Web App manifest the same thing as the manifest used for Google Chrome extensions and installable web apps? Or the W3C Widgets manifest? Or the HTML5 cache manifest?
No to all of these. The Open Web App manifest is probably most similar to the Google manifest, but they are not identical. It is intended that the Open Web App manifest will become a standard.
Can Firefox OS apps be installed on other platforms?
Yes. They can be installed on Firefox for Android and Firefox Desktop 29+. For details of how, read these:
What is an origin?
The origin of an app is the protocol, domain, and port of the URL together. Each of the following URLs is a different origin:
https://example.comhttps://example.com:8080(different port)https://example.com(different protocol)https://www.example.comhttps://myapp.example.com(subdomain)
The following URLs are the same origin:
https://Example.com:80https://example.com
The following URLs are the same origin:
https://example.com/drawingApphttps://example.com/notesApp
See Same-origin policy for more information.
Why do I have to host the app manifest at the same origin as my app?
We assume that only you can host an app manifest at the same origin as your app. This means your users can install your app with confidence, knowing that the installation is based on your app manifest and not someone else's. Users should have this confidence whether they're installing your app from Firefox Marketplace, from some other app store, or from your own website if you are self-publishing your app.
If the app manifest were not hosted at the same origin as the app itself, there would be nothing to prevent third parties from making apps directly out of content hosted at your origin. Even worse, third parties could create an app manifest using your branding that would trick users into installing an app that was a facade for stealing passwords or other improper behavior.
Does this mean I can't embed images or JavaScript from other origins?
No. The origin restriction is on content (HTML pages) only. Images and other embedded resources can be located elsewhere (for example, on a content delivery network), except for the app's icon, which must be served from the app's origin.
Can I have more than one app at one origin?
It used to be the case that you could not host more than one app at the same origin (Apps.install would fail with a MULTIPLE_APPS_PER_ORIGIN_FORBIDDEN error). However, the single-app-per-origin restriction has been lifted (see bug 778277) — this change was landed in Gecko 34, meaning that Firefox OS 2.1+, Firefox Desktop 34+ and Firefox for Android 34+ are able to install multiple apps from the same origin.
Note that allowing multiple apps at the same origin doesn't affect our permission model. Say we have three apps at example.com: A, B and C. All three apps have different permissions. If the user installs apps A and B, pages inside app A's context will have A's permissions, pages inside app B's context will have B's permissions, and no pages will have C's permissions.
However, there are some subtle security implications to consider. Any page uploaded to example.com might get navigated to by App A, App B, or App C. That means that such a page *might* potentially run with A's, B's, or C's permissions. So for example there is a chance that the user will install App A, and that App A might navigate to an uploaded page outside the app, in which case the page would run with As permissions, which might not be what the developer of App A expected.
So hosting an app with lots of permissions on the same server as other content that you don't expect to have the same level of permissions is a bad idea, especially if we are talking about apps that deal with sensitive data (e.g. credit card information, customer records.) This could lead to an exploitable vulnerability. You should follow the same security best practices as you would with regular web content — e.g. you would put a sensitive web app on its own domain anyway.
Note: If you need to support old versions of Firefox OS/Desktop/Android, we recommend that you use a separate sub-domain for each of your apps. For example, spreadsheet.mycoolapps.com for one app and texteditor.mycoolapps.com for another. For more information, see Adding a subdomain for an app.
Note: Currently the Firefox Marketplace still enforces the single app per origin restriction, even though devices no longer do. This should hopefully be fixed soon (see bug 1042638.)
Why not just upload the app manifest directly to the Firefox Marketplace?
There are several benefits to hosting the manifest at your domain and providing the app manifest URL to the Marketplace:
- We intend that the Marketplace (and other app stores) will periodically revisit all the app manifests at the provided URLs and check them for updates. This avoids the need for you to re-upload your app manifest for each update.
- The Marketplace will pass both the original app manifest contents as well as its URL to the user's device. This allows the device to check for unexpected changes in the app manifest that might indicate tampering. This will be especially important for apps that use Web APIs (for geolocation for example).
Why does my Web server have to use the proper HTTP Content-Type header when serving my app manifest?
This restriction prevents users of a website that allows user-generated content (for example, a pastebin site) from inadvertently or inappropriately claiming that entire website as their app.
Should I use HTTPS to serve my app manifest?
Yes, it is a good idea. We anticipate that the Firefox Marketplace will require any app using Web APIs (such as Geolocation) to serve its app manifest over HTTPS as an additional defense against man-in-the-middle attacks. If you use HTTPS for your manifest, you must also use it for all the pages on your site.
What if someone else submits my app to the Firefox Marketplace?
In the unfortunate event that someone guesses the URL to your app manifest and submits it to the Firefox Marketplace before you do, please file a complaint with the Marketplace support team.