Intro to manifests

  • Revision slug: Web/Apps/Quickstart/Build/Intro_to_manifests
  • Revision title: Intro to manifests
  • Revision id: 474151
  • Created:
  • Creator: chrisdavidmills
  • Is current revision? No
  • Comment

Revision Content

This article provides all the basic information you need to know about working with open web app manifest files.

Why does my app need an app manifest?
The app manifest provides useful information about an app (such as name, author, icon, and description) in a simple document usable by both users and app stores. Most importantly, it will contain a list of Web APIs (such as geolocation) that your App needs. This allows users to make informed decisions about apps before installing them.
Is the Open Web app manifest the same thing as the manifest used for Google Chrome extensions and installable web apps? Or the W3C Widgets manifest? Or the HTML5 cache manifest?
No to all of these. The Open Web app manifest is probably most similar to the Google manifest, but they are not identical. It is hoped that the Open Web apps manifest will become a standard.
What is an origin?
The origin of an app is the protocol, domain, and port of the URL together. Each of the following URLs is a different origin:
  • http://example.com
  • http://example.com:8080 (different port)
  • https://example.com (different protocol)
  • http://www.example.com
  • http://myapp.example.com (subdomain)
The following URLs are the same origin:
  • http://Example.com:80
  • http://example.com
The following URLs are the same origin:
  • http://example.com/drawingApp
  • http://example.com/notesApp
Why do I have to host the app manifest at the same origin as my app?
We assume that only you can host an app manifest at the same origin as your app. This means your users can install your app with confidence, knowing that the installation is based on your app manifest and not someone else's. Users should have this confidence whether they're installing your app from Firefox OS Marketplace, from some other app store, or from your own website if you are self-publishing your app.
If the app manifest were not hosted at the same origin as the app itself, there would be nothing to prevent third parties from making apps directly out of content hosted at your origin. Even worse, third parties could create an app manifest using your branding that would trick users into installing an app that was a facade for stealing passwords or other improper behavior.
Does this mean I can't embed images or JavaScript from other origins?
No. The origin restriction is on content (HTML pages) only. Images and other embedded resources can be located elsewhere (for example, on a content delivery network), except for the app's icon, which must be served from the app's origin.
Can I have more than one app at my origin?
No, there can be only one app per origin. If multiple apps were allowed for a single origin, they would live in a single web sandbox — they could examine each other's localStorage, do Ajax requests to each other's APIs, or even steal access to privileged APIs that should have been granted to only one of the apps. This would be especially dangerous for domains that publish user-generated content from many users.
We recommend that you use a separate subdomain for each of your apps. For example, spreadsheet.mycoolapps.com for one app and texteditor.mycoolapps.com for another. For more information, see Adding a subdomain for an app.
Many resources and permissions on the Web are already scoped to a single origin. By defining an app and an origin as the same thing we use the same security restrictions that are used elsewhere on the Web and in HTML5.
Why not just upload the app manifest directly to the Firefox OS Marketplace?
There are several benefits to hosting the manifest at your domain and providing the app manifest URL to the Marketplace:
  • We intend that the Marketplace (and other app stores) will periodically revisit all the app manifests at the provided URLs and check them for updates. This avoids the need for you to re-upload your app manifest for each update.
  • The Marketplace will pass both the original app manifest contents as well as its URL to the user's device. This allows the device to check for unexpected changes in the app manifest that might indicate tampering. This will be especially important for apps that use Web APIs (for geolocation for example).
Note: As of this writing, we are still designing a process by which the Marketplace will pass an updated app manifest to the user's device.
Why does my Web server have to use the proper HTTP Content-Type header when serving my app manifest?
This restriction prevents users of a website that allows user-generated content (for example, a pastebin site) from inadvertently or inappropriately claiming that entire website as their app.
Should I use HTTPS to serve my app manifest?
Yes, it is a good idea. We anticipate that the Firefox OS Marketplace will require any app using Web APIs (such as geolocation) to serve its app manifest over HTTPS as an additional defense against man-in-the-middle attacks. If you use HTTPS for your manifest, you must also use it for all the pages on your site.
What if someone else submits my app to the Firefox OS Marketplace?
In the unfortunate event that someone guesses the URL to your app manifest and submits it to the Firefox OS Marketplace before you do, please file a complaint with the Marketplace support team.

See also

App manifest

Revision Source

<p>This article provides all the basic information you need to know about working with open web app manifest files.</p>
<dl>
  <dt>
    Why does my app need an app manifest?</dt>
  <dd>
    The app manifest provides useful information about an app (such as name, author, icon, and description) in a simple document usable by both users and app stores. Most importantly, it will contain a list of <a href="//developer.mozilla.org/docs/WebAPI">Web APIs</a> (such as <a href="//developer.mozilla.org/docs/Using_geolocation">geolocation</a>) that your App needs. This allows users to make informed decisions about apps before installing them.</dd>
  <dt>
    Is the Open Web app manifest the same thing as the manifest used for Google Chrome extensions and installable web apps? Or the W3C Widgets manifest? Or the HTML5 <a href="//developer.mozilla.org/docs/Using_Application_Cache">cache manifest</a>?</dt>
  <dd>
    No to all of these. The Open Web app manifest is probably most similar to the Google manifest, but they are not identical. It is hoped that the Open Web apps manifest will become a standard.</dd>
  <dt>
    What is an origin?</dt>
  <dd>
    The origin of an app is the protocol, domain, and port of the URL together. Each of the following URLs is a different origin:
    <ul>
      <li><code>http://example.com</code></li>
      <li><code>http://example.com:8080</code> (different port)</li>
      <li><code>https://example.com</code> (different protocol)</li>
      <li><code>http://www.example.com</code></li>
      <li><code>http://myapp.example.com</code> (subdomain)</li>
    </ul>
  </dd>
  <dd>
    The following URLs are the same origin:
    <ul>
      <li><code>http://Example.com:80</code></li>
      <li><code>http://example.com</code></li>
    </ul>
  </dd>
</dl>
<dl>
  <dd>
    The following URLs are the same origin:
    <ul>
      <li><code>http://example.com/drawingApp</code></li>
      <li><code>http://example.com/notesApp</code></li>
    </ul>
  </dd>
</dl>
<dl>
  <dt>
    Why do I have to host the app manifest at the same origin as my app?</dt>
  <dd>
    We assume that only you can host an app manifest at the same origin as your app. This means your users can install your app with confidence, knowing that the installation is based on your app manifest and not someone else's. Users should have this confidence whether they're installing your app from Firefox OS Marketplace, from some other app store, or from your own website if you are self-publishing your app.</dd>
  <dd>
    If the app manifest were not hosted at the same origin as the app itself, there would be nothing to prevent third parties from making apps directly out of content hosted at your origin. Even worse, third parties could create an app manifest using your branding that would trick users into installing an app that was a facade for stealing passwords or other improper behavior.</dd>
  <dt>
    Does this mean I can't embed images or JavaScript from other origins?</dt>
  <dd>
    No. The origin restriction is on content (HTML pages) only. Images and other embedded resources can be located elsewhere (for example, on a content delivery network), except for the app's icon, which must be served from the app's origin.</dd>
  <dt>
    Can I have more than one app at my origin?</dt>
  <dd>
    No, there can be only one app per origin. If multiple apps were allowed for a single origin, they would live in a single web sandbox — they could examine each other's localStorage, do Ajax requests to each other's APIs, or even steal access to privileged APIs that should have been granted to only one of the apps. This would be especially dangerous for domains that publish user-generated content from many users.</dd>
  <dd>
    We recommend that you use a separate subdomain for each of your apps. For example, <code>spreadsheet.mycoolapps.com</code> for one app and <code>texteditor.mycoolapps.com</code> for another. For more information, see <a href="//developer.mozilla.org/docs/Apps/Adding_a_subdomain">Adding a subdomain for an app</a>.</dd>
  <dd>
    Many resources and permissions on the Web are already scoped to a single origin. By defining an app and an origin as the same thing we use the same security restrictions that are used elsewhere on the Web and in HTML5.</dd>
  <dt>
    Why not just upload the app manifest directly to the Firefox OS Marketplace?</dt>
  <dd>
    There are several benefits to hosting the manifest at your domain and providing the app manifest URL to the Marketplace:
    <ul>
      <li>We intend that the Marketplace (and other app stores) will periodically revisit all the app manifests at the provided URLs and check them for updates. This avoids the need for you to re-upload your app manifest for each update.</li>
      <li>The Marketplace will pass both the original app manifest contents as well as its URL to the user's device. This allows the device to check for unexpected changes in the app manifest that might indicate tampering. This will be especially important for apps that use Web APIs (for geolocation for example).</li>
    </ul>
    <strong>Note:</strong> As of this writing, we are still designing a process by which the Marketplace will pass an updated app manifest to the user's device.</dd>
  <dt>
    Why does my Web server have to use the proper HTTP <code>Content-Type</code> header when serving my app manifest?</dt>
  <dd>
    This restriction prevents users of a website that allows user-generated content (for example, a pastebin site) from inadvertently or inappropriately claiming that entire website as their app.</dd>
  <dt>
    Should I use HTTPS to serve my app manifest?</dt>
  <dd>
    Yes, it is a good idea. We anticipate that the Firefox OS Marketplace will require any app using Web APIs (such as geolocation) to serve its app manifest over HTTPS as an additional defense against man-in-the-middle attacks. If you use HTTPS for your manifest, you must also use it for all the pages on your site.</dd>
  <dt>
    What if someone else submits my app to the Firefox OS Marketplace?</dt>
  <dd>
    In the unfortunate event that someone guesses the URL to your app manifest and submits it to the Firefox OS Marketplace before you do, please file a complaint with the Marketplace support team.</dd>
</dl>
<h2 id="See_also">See also</h2>
<p><a href="/en-US/docs/Web/Apps/Manifest">App manifest</a></p>
Revert to this revision