Re: installs_allowed_from and openness
On 06/29/2012 07:14 AM, Benjamin Smedberg wrote: 1) the ability to store data. We can allow this because the user has easy control over this by uninstalling the application 2) the ability to suppress security UI such as the location bar. We can allow this because we tell the user at install time what domain the content is coming from. So in general there is nothing a webapp can do by default which can't be undone by the user simply uninstalling the app. This is completely different from an ActiveX install, where you have to trust that the code won't do bad things. In general, trying a webapp *should* be as lightweight as clicking a link. I don't think it is, neither do I think it is realistic for us to try and make it so (for all kinds of apps, at-least). This becomes especially apparent on B2G, for sensitive apps like the dialer, SMS. For some other APIs like camera access, certified/trusted apps get some extra perks like being able to enumerate all local media devices. In our current security model: https://wiki.mozilla.org/Apps/Security#Types_of_applications we have installed trusted applications and certified applications, and these two definitely way beyond any normal web page. The problem is that the nature of a web page is at direct odds with some security requirements, hence the need for another conceptual wrapper: the webapp. -Anant ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 29/05/12 22:48, Asa Dotzler wrote: On 5/29/2012 8:59 AM, Mounir Lamouri wrote: Im my opinion, if you give the tools for an application developer to do a whitelist of marketplaces allowed to install its application, you are giving the tools to prevent openness. That sounds an awful lot like the kinds of arguments the walled gardens are making. IF you give developers power and control, they'll abuse it so we're better off not giving it. There are certainly some sorts of power and control we don't want to give developers. The power to send 20 texts without a prompt to a premium-rate SMS number when the app is installed, for example. Your generalization isn't helpful; you need to be more specific about why this particular capability is important enough to free app developers to override my desire as a website creator to facilitate people installing their app because I think it's great. Gerv ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 29/05/12 22:44, Asa Dotzler wrote: It seems to me you're making a lot of assumptions here. This is an app developer control point, not a Mozilla control point and I don't see any evidence that Mozilla is trying to persuade free app developers to only use our store. Our sample file: https://developer.mozilla.org/en/Apps/Manifest uses install_allowed_from, pointing to our store. Lots of people will cut and paste that file; lots of free apps will only be installable from our marketplace; marketplace diversity will suffer. One argument here has been we should provide the capability, but * is the default, so it's OK. Can we then at least agree to remove it from the sample code which will get copy and pasted? The sample code doesn't have every optional field in it (see launch_path for an example of an ommitted one). We should even go further, and put in a note which says if your app is paid, you should list the stores you have a relationship with here; if your app is free, for widest distribution you should leave this field as the default. To the contrary, we're doing an amazing amount of work to make it possible for app authors to host where ever they would like to host, including self-hosting. This is not about where app authors host their apps, it's about where an install can be triggered from. What is wrong with the analogy between this facility (requiring permission to link to an app) and requiring permission to link to a website? If the web had started that way, it would not be the open platform it is today. If I'm missing something, and we are trying to persuade free app developers to only allow our store, please point me to where that is happening. See above. Gerv ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 5/31/2012 4:48 AM, Gervase Markham wrote: What is wrong with the analogy between this facility (requiring permission to link to an app) and requiring permission to link to a website? Installing an app is not the same thing as visiting a website. - A ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 05/29/2012 03:26 AM, Gervase Markham wrote: On 28/05/12 17:25, Anant Narayanan wrote: Here is my proposal: we extend the manifest (if it doesn't do this already) to clearly distinguish between free and paid apps. We then update the spec to say that install_allowed_from is only honoured for paid apps, as part of the mechanism to make sure the right person gets paid. We cannot do this unless we change the whole architecture of how apps are installed. Doing: 1) Having an extra mandatory parameter in a manifest with the value paid or free; and 2) not honouring install_allowed_from for apps marked free would require changing the entire installation architecture? I can't see how... Because users are unable to see either the origin (domain name) or the app's website at the time of install. The store is the last point at which a user makes a install-or-no decision. Try and install an app from the Mozilla Marketplace, I can't; you don't support Linux. You won't even let me try the app out in the browser, because you have some JS which prevents me. :-( In that case, try installing an app from https://apps.mozillalabs.com/appdir/ and then looking at your apps dashboard at https://myapps.mozillalabs.com/ Your phrasing comes off as hostile, I would have greatly preferred if you had used the term we instead of you. We, Mozilla, are all in this together. you'll see that there is no interaction between the user and the app developer until after they've installed and run the app. The developer is trusting the Marketplace to correctly represent their app, which is why they chose to list there. I can't see the connection between this point and my suggestion. Perhaps I didn't explain my proposal well enough; see above for another attempt. Perhaps I didn't explain myself well enough either, simply adding a field to the manifest is not sufficient. When you install Favimon for example, from our appdir I linked above - you are relying entirely on the appdir to make the decision to install the app. Unlike a link, app installs are immediate, and done in the context of the page that triggered the install. The user has not had a chance to interact either with Favimon or its developer, and does not know what domain Favimon is hosted at until the app is launched. This is very much relevant to installs_allowed_from, because developers (of free and paid apps) may want to restrict their app from being listed everywhere because they only trust certain stores to faithfully represent their app. This is not a problem with hyperlinks, because irrespective of what the page linking to something says about that link, the user will ultimately land at the thing the link points to. But app installs are not hyperlinks. -Anant ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 29/05/12 14:55, Anant Narayanan wrote: Because users are unable to see either the origin (domain name) or the app's website at the time of install. The store is the last point at which a user makes a install-or-no decision. Why is that? Surely it makes sense to show the origin of the application at the time of install? Try and install an app from the Mozilla Marketplace, I can't; you don't support Linux. You won't even let me try the app out in the browser, because you have some JS which prevents me. :-( In that case, try installing an app from https://apps.mozillalabs.com/appdir/ Error in installation: [object DOMError] :-( As you know, I am using Linux. Is this a bug I should file, or expected? Your phrasing comes off as hostile, I would have greatly preferred if you had used the term we instead of you. We, Mozilla, are all in this together. You as in the Marketplace team. I confess it is a little annoying to be told well, try it out when you've already made a decision that it's not necessary (in the first revision) to support my OS. But it's more annoying that you've also made an explicit decision to write code to stop me trying out apps in the browser even if my browser doesn't support WebRT. As noted elsewhere in this group, I think that's a mistake on the grounds of principle. Unlike a link, app installs are immediate, and done in the context of the page that triggered the install. The user has not had a chance to interact either with Favimon or its developer, and does not know what domain Favimon is hosted at until the app is launched. Surely the domain is in the manifest? Otherwise, the UA doesn't know what page to load when running the app. This is very much relevant to installs_allowed_from, because developers (of free and paid apps) may want to restrict their app from being listed everywhere because they only trust certain stores to faithfully represent their app. That is the point at issue. But you are claiming that the entire installation architecture needs to change if we decide not to let developers do that. That would only make any sense if installs_allowed_from were mandatory; but you've said it's optional. So how can ignoring it in some cases suddenly break everything? Gerv ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 05/28/2012 09:06 AM, Anant Narayanan wrote: On 05/28/2012 03:03 AM, Gervase Markham wrote: Are you saying that we are coding up a system where users can install apps without knowing where they come from? Yes, but only if we remove the ability for developers to specify installs_allowed_from. In the default case, we are trusting the site listing the app (store, directory, etc.) to inform the user about where the app is coming form. That's no true. The UA, when showing the install confirmation dialog has an opportunity to display something like Are you sure you want to install this great app from greatapp.com? - even if this comes from a store at another domain. Fabrice -- Fabrice Desré b2g team Mozilla Corporation ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 24/05/12 18:29, Anant Narayanan wrote: I disagree that it's the same thing. Well, *technically* it might be the same, but in practice that's not how users (or developers) perceive it. You have to show also that the differences in perception are relevant to the argument. Clicking an install button is just not the same as clicking a hyperlink. Context is very important for the former. The context of _where the app comes from_ is important for the former. The context of _where the button is_ is not important. Would you be okay with allowing any site on the internet to distribute Firefox? I certainly wouldn't be. BTW, I would - and thousands of sites do. Why would you stop them? We are actively encouraging developers to not think of apps simply as websites, as you note, that leads to a poor user experience. Not necessarily. Sometimes _presenting_ websites as apps or apps as websites can lead to a poor user experience, but not necessarily, and the level of experience isn't just about what the app/site provides in terms of UI - see my response to Bill. But this is a different difference to the linkability difference. Let's talk about one difference at a time. It's all the web under the hood, the tools and technologies are identical, but the design and interface of an app, as well as the general user experience of finding and acquiring an app is *vastly* different from browsing the internet and visiting web pages. I don't think we should be pretending that they're the same, because they're not. That's a straw man; no one (at least, not me) is saying that we should pretend they are the same in all respects. The question is whether they should be the same in respect of anyone on the web can link you to another website and anyone on the web can link you to an app. I'd say universal linkability is one of the key things which has made the web what it is today. It's very much in line with Mozilla's no gatekeepers on the Internet thing. Why would we want to go out of our way to break that feature for apps? Gerv ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 24/05/12 17:09, Anant Narayanan wrote: The user is trusting the UA to implement the apps specification correctly. Why would the UA want to implement it correctly if it was in the user's best interest to implement it wrongly? It is the _user_ agent, after all. Gerv ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 24/05/12 16:57, Jim Straus wrote: Hello - People can certainly created rogue UAs that can bypass much more than installs_allowed_from. But I don't think manufacturers are likely to do this as they know it would seriously impact the ecosystem of stores/developers/devices as it would be a disincentive for developers to develop for the platform. Oh no, lots of websites are linking to my free app without my permission! I'd better stop writing apps! ? Sounds like a success condition rather than a failure to me... an manufacturer distribution. As mentioned previously, if an author wants, they can allow for distribution from any place using the *. but it is ultimately up to the app developer to make that choice. That last statement is an assertion. Do you believe that it's also up to a website owner to decide who links to him? If that had been the case from the beginning of the web, the web would not be the place it is today. Gerv ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 5/25/12 8:43 AM, Gervase Markham wrote: On 24/05/12 18:29, Anant Narayanan wrote: Clicking an install button is just not the same as clicking a hyperlink. Context is very important for the former. The context of _where the app comes from_ is important for the former. The context of _where the button is_ is not important. These two are contradictory statements. The user has no way of knowing where the app comes from by clicking an install button on a third party page. Would you be okay with allowing any site on the internet to distribute Firefox? I certainly wouldn't be. BTW, I would - and thousands of sites do. Why would you stop them? Perhaps the Firefox analogy isn't the right one because the user actually gets a file which is the point at which the install actually happens and is in Mozilla's control (downloading from the website was not installing firefox). To correct my earlier question, would you be comfortable with any random website be able to control the *installer*, and in general, the install experience for Firefox? I'd say universal linkability is one of the key things which has made the web what it is today. It's very much in line with Mozilla's no gatekeepers on the Internet thing. Why would we want to go out of our way to break that feature for apps? I agree that linkability is a key feature of the web and that we should maintain that for apps. Nobody is suggesting that we prevent people from linking to apps, anybody can always link the the app's page on a marketplace, or even better, to the developer's site itself where there's a big shiny install button for a self-install. The spec disallows a *direct* install from a third party page, if the developer chooses to disallow it - again, the default is open. The distinction is important because in a direct install flow, there is the risk that a user will perceive that the app comes from the site they're at right now rather than the actual author. -Anant ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 5/24/2012 9:04 AM, Benjamin Smedberg wrote: While installs_allowed_from may be necessary for paid apps (in order to keep people from being tricked into paying for something which they then can't receive), it is overall a necessary evil, and if we could distinguish in some other way between paid and nonpaid apps, we (the Mozilla UAs) *shouldn't* honor it for nonpaid apps. In general, we should be giving the most control to the user, not to the developer. Why shouldn't we giving control to the developer? They are the ones who wrote the app, why do you think we should be deciding how and where they are acquired? I'm all for giving control to the user, but in this particular instance, giving them control isn't really meaningful. Would you be okay with allowing any site on the internet to distribute Firefox? I certainly wouldn't be. -Anant ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 05/23/2012 05:17 AM, Gervase Markham wrote: On 22/05/12 16:42, Benjamin Smedberg wrote: Why? I think I disagree with this decision. What is different between listing an app on a store and linking to a website? Unless you have to pay for the app, they are fundamentally the same action. Presumably google search can be used for apps, no? Also, what is to stop a particular implementation from simply ignoring install_allowed_from for free apps? Nothing, like for many other things you trust your UA. And yes, an add-on can also override the behavior if you want so. Fabrice -- Fabrice Desré b2g team Mozilla Corporation ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 05/23/2012 12:27 PM, Mark Giffin wrote: Anant, the current MDN docs for installs_allowed_from say the default is this: If omitted, installation may be triggered only from the origin where the app is hosted. So what you say above means this is incorrect? I will change it. https://developer.mozilla.org/en/Apps/Manifest Yes, let's do that! Our current implementation certainly takes * to be the default value if installs_allowed_from is omitted [1]. Cheers, -Anant [1] https://mxr.mozilla.org/mozilla-central/source/dom/base/Webapps.js#38 ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps
Re: installs_allowed_from and openness
On 5/23/2012 12:46 PM, Anant Narayanan wrote: On 05/23/2012 12:27 PM, Mark Giffin wrote: Anant, the current MDN docs for installs_allowed_from say the default is this: If omitted, installation may be triggered only from the origin where the app is hosted. So what you say above means this is incorrect? I will change it. https://developer.mozilla.org/en/Apps/Manifest Yes, let's do that! Our current implementation certainly takes * to be the default value if installs_allowed_from is omitted [1]. Cheers, -Anant [1] https://mxr.mozilla.org/mozilla-central/source/dom/base/Webapps.js#38 Fixed now. Mark ___ dev-webapps mailing list dev-webapps@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-webapps