Static archive of developer.mozilla.org from 03 Nov 2016.

App manifest FAQ

Frequently asked questions about open web app manifest files.

Why does my app need an app manifest?

The app manifest provides useful information about an app (such as name, author, icon, and description) in a simple document usable by both users and app stores. Most importantly, it will contain a list of Web APIs (such as geolocation) that your App needs. This allows users to make informed decisions about apps before installing them.

Is the Open Web App manifest the same thing as the manifest used for Google Chrome extensions and installable web apps? Or the W3C Widgets manifest? Or the HTML5 cache manifest?

No to all of these. The Open Web App manifest is probably most similar to the Google manifest, but they are not identical. It is intended that the Open Web App manifest will become a standard.

What is an origin?

The origin of an app is the protocol, domain, and port of the URL together. Each of the following URLs is a different origin:

  • http://example.com
  • http://example.com:8080 (different port)
  • https://example.com (different protocol)
  • http://www.example.com (subdomain)
  • http://myapp.example.com (subdomain)

The following URLs are the same origin, because the host name is not case-sensitive and 80 is the default port for HTTP:

  • http://Example.com:80
  • http://example.com

The following URLs are also the same origin, because only the path differs:

  • https://example.com/drawingApp
  • https://example.com/notesApp

See Same-origin policy for more information.

Why do I have to host the app manifest at the same origin as my app?

We assume that only you can host an app manifest at the same origin as your app. This means your users can install your app with confidence, knowing that the installation is based on your app manifest and not someone else's. Users should have this confidence whether they're installing your app from Firefox Marketplace, from some other app store, or from your own website if you are self-publishing your app.

If the app manifest were not hosted at the same origin as the app itself, there would be nothing to prevent third parties from making apps directly out of content hosted at your origin. Even worse, third parties could create an app manifest using your branding that would trick users into installing an app that was a facade for stealing passwords or other improper behavior.

Does this mean I can't embed images or JavaScript from other origins?

No. The origin restriction is on content (HTML pages) only. Images and other embedded resources can be located elsewhere (for example, on a content delivery network), except for the app's icon, which must be served from the app's origin.

Can I have more than one app at my origin?

For now, there can be only one app per origin. In a future version of Firefox OS, it will be possible to have multiple apps per origin. See bug 778277 to follow progress on this topic.

In the meantime, we recommend that you use a separate subdomain for each of your apps. For example, spreadsheet.mycoolapps.com for one app and texteditor.mycoolapps.com for another. For more information, see Adding a subdomain for an app.

Why not just upload the app manifest directly to the Firefox Marketplace?

There are several benefits to hosting the manifest at your domain and providing the app manifest URL to the Marketplace:

  • We intend that the Marketplace (and other app stores) will periodically revisit all the app manifests at the provided URLs and check them for updates. This avoids the need for you to re-upload your app manifest for each update.
  • The Marketplace will pass both the original app manifest contents as well as its URL to the user's device. This allows the device to check for unexpected changes in the app manifest that might indicate tampering. This will be especially important for apps that use Web APIs (for geolocation for example).
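
The change check described in the second point, sketched as an added example (not code from Mozilla or the Marketplace). The page does not say how a device performs the comparison; `diffManifest` and `canonical` are hypothetical helpers, and the sample manifests are constructed.

```javascript
// Added example: compare the manifest a store recorded with the one served now.
// diffManifest() and canonical() are hypothetical; the device's real check is not documented here.

// Serialise with sorted keys so reordering or whitespace alone is not reported as a change.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function diffManifest(recorded, served) {
  const before = Object.keys(recorded.permissions || {});
  const after = Object.keys(served.permissions || {});
  return {
    changed: canonical(recorded) !== canonical(served),
    // Newly requested Web APIs are the change a user most needs to hear about.
    addedPermissions: after.filter((p) => !before.includes(p)).sort(),
    launchPathChanged: recorded.launch_path !== served.launch_path,
  };
}

// Constructed sample manifests.
const recorded = {
  name: 'Notes',
  launch_path: '/index.html',
  permissions: { geolocation: { description: 'Tag notes with a location' } },
};
const reordered = {
  permissions: { geolocation: { description: 'Tag notes with a location' } },
  launch_path: '/index.html',
  name: 'Notes',
};
const tampered = {
  name: 'Notes',
  launch_path: '/index.html',
  permissions: {
    geolocation: { description: 'Tag notes with a location' },
    contacts: { description: 'Share notes' },
  },
};

console.log(diffManifest(recorded, reordered)); // key order only
console.log(diffManifest(recorded, tampered));  // a new permission appeared
```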

 

Why does my Web server have to use the proper HTTP Content-Type header when serving my app manifest?

This restriction prevents users of a website that allows user-generated content (for example, a pastebin site) from inadvertently or inappropriately claiming that entire website as their app.

Should I use HTTPS to serve my app manifest?

Yes, it is a good idea. We anticipate that the Firefox Marketplace will require any app using Web APIs (such as geolocation) to serve its app manifest over HTTPS as an additional defense against man-in-the-middle attacks. If you use HTTPS for your manifest, you must also use it for all the pages on your site.
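
The origin, icon, Content-Type and HTTPS rules from the answers above, combined into one install-time check as an added example (not Mozilla's or the Marketplace's code). `checkManifest` and its argument names are hypothetical, the media type `application/x-web-app-manifest+json` is the Open Web App manifest type and is not stated on this page, and the HTTPS rule is the one the page says is anticipated.

```javascript
// Added example: install-time checks a store or device could run on a manifest.
// checkManifest() and its argument names are hypothetical, not a Mozilla API.
const MANIFEST_TYPE = 'application/x-web-app-manifest+json';

// URL.origin lowercases the host and drops the scheme's default port,
// so http://Example.com:80 and http://example.com compare equal.
function originOf(url) {
  return new URL(url).origin;
}

function checkManifest({ appUrl, manifestUrl, contentType, manifest }) {
  const problems = [];
  if (originOf(appUrl) !== originOf(manifestUrl)) {
    problems.push('manifest is not served from the app origin');
  }
  // Ignore parameters such as "; charset=utf-8" and compare case-insensitively.
  const mediaType = (contentType || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== MANIFEST_TYPE) {
    problems.push('unexpected Content-Type: ' + (mediaType || '(none)'));
  }
  // The icon must come from the app origin; relative paths resolve against it.
  for (const [size, path] of Object.entries(manifest.icons || {})) {
    if (originOf(new URL(path, appUrl).href) !== originOf(appUrl)) {
      problems.push('icon ' + size + ' is served from another origin');
    }
  }
  // Anticipated Marketplace rule: apps that request Web APIs need HTTPS.
  const usesWebApis = Object.keys(manifest.permissions || {}).length > 0;
  if (usesWebApis && new URL(manifestUrl).protocol !== 'https:') {
    problems.push('app requests Web APIs but manifest is not served over HTTPS');
  }
  return problems;
}

// Constructed sample: manifest-shaped text pasted onto a user-content site.
const pasted = checkManifest({
  appUrl: 'http://example.com/',
  manifestUrl: 'http://example.com/paste/123',
  contentType: 'text/plain; charset=utf-8',
  manifest: { name: 'Fake', permissions: { geolocation: {} } },
});
console.log(pasted);
```

The pasted manifest shares the site's origin, so only the Content-Type and HTTPS checks reject it, which is the pastebin case the Content-Type answer describes.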

What if someone else submits my app to the Firefox Marketplace?

In the unfortunate event that someone guesses the URL to your app manifest and submits it to the Firefox Marketplace before you do, please file a complaint with the Marketplace support team.

See also

App manifest

Document Tags and Contributors

 Contributors to this page: artallday
 Last updated by: artallday