Bug 1077529 - Update Trusted Hosted Apps r=fabrice

Verify manifest of trusted hosted app on update instead of just overwriting it. --- dom/apps/TrustedHostedAppsUtils.jsm | 8 ++++---- dom/apps/Webapps.jsm | 26 +++++++++++++++++++++----- 2 files changed, 25 insertions(+), 9 deletions(-)
2024-09-13 09:24:08 -07:00 · 2014-10-14 12:28:16 -07:00 · 2014-10-14 12:28:16 -07:00 · 3322f49403
commit 3322f49403
parent a2fcf407bf
2 changed files with 25 additions and 9 deletions
--- a/dom/apps/TrustedHostedAppsUtils.jsm
+++ b/dom/apps/TrustedHostedAppsUtils.jsm
@ -254,19 +254,19 @@ this.TrustedHostedAppsUtils = {
    return deferred.promise;
  },

-  verifyManifest: function(aData) {
+  verifyManifest: function(aApp, aAppId, aManifest) {
    return new Promise((resolve, reject) => {
      // sanity check on manifest host's CA (proper CA check with
      // pinning is done by regular networking code)
-      if (!this.isHostPinned(aData.app.manifestURL)) {
+      if (!this.isHostPinned(aApp.manifestURL)) {
        reject("TRUSTED_APPLICATION_HOST_CERTIFICATE_INVALID");
        return;
      }
-      if (!this.verifyCSPWhiteList(aData.app.manifest.csp)) {
+      if (!this.verifyCSPWhiteList(aManifest.csp)) {
        reject("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
        return;
      }
-      this.verifySignedManifest(aData.app, aData.appId).then(resolve, reject);
+      this.verifySignedManifest(aApp, aAppId).then(resolve, reject);
    });
  }
 };
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
@ -2001,8 +2001,24 @@ this.DOMApplicationRegistry = {
          } else {
            // Update only the appcache if the manifest has not changed
            // based on the hash value.
-            this.updateHostedApp(aData, id, app, oldManifest,
-                                 oldHash == hash ? null : manifest);
+            if (oldHash == hash) {
+              debug("Update - oldhash");
+              this.updateHostedApp(aData, id, app, oldManifest, null);
+              return;
+            }
+
+            // For hosted apps and hosted apps with appcache, use the
+            // manifest "as is".
+            if (this.kTrustedHosted !== this.appKind(app, app.manifest)) {
+              this.updateHostedApp(aData, id, app, oldManifest, manifest);
+              return;
+            }
+
+            // For trusted hosted apps, verify the manifest before
+            // installation.
+            TrustedHostedAppsUtils.verifyManifest(app, id, manifest)
+              .then(() => this.updateHostedApp(aData, id, app, oldManifest, manifest),
+                sendError);
          }
        }
      } else if (xhr.status == 304) {
@ -2326,8 +2342,8 @@ this.DOMApplicationRegistry = {
          installApp();
          return;
        }
-        TrustedHostedAppsUtils.verifyManifest(aData)
-        	.then(installApp, sendError);
+        TrustedHostedAppsUtils.verifyManifest(aData.app, aData.appId, app.manifest)
+          .then(installApp, sendError);
      } else {
        debug("Installed manifest check failed");
        // checkManifest() sends error before return
@ -2361,7 +2377,7 @@ this.DOMApplicationRegistry = {
          }

          debug("App kind: " + this.kTrustedHosted);
-          TrustedHostedAppsUtils.verifyManifest(aData)
+          TrustedHostedAppsUtils.verifyManifest(aData.app, aData.appId, app.manifest)
            .then(installApp, sendError);
          return;
        } else {