diff --git a/dom/apps/TrustedHostedAppsUtils.jsm b/dom/apps/TrustedHostedAppsUtils.jsm
index 44031951907..37cfbbe078b 100644
--- a/dom/apps/TrustedHostedAppsUtils.jsm
+++ b/dom/apps/TrustedHostedAppsUtils.jsm
@@ -254,19 +254,19 @@ this.TrustedHostedAppsUtils = {
 return deferred.promise;
 },
- verifyManifest: function(aData) {
+ verifyManifest: function(aApp, aAppId, aManifest) {
 return new Promise((resolve, reject) => {
 // sanity check on manifest host's CA (proper CA check with
 // pinning is done by regular networking code)
- if (!this.isHostPinned(aData.app.manifestURL)) {
+ if (!this.isHostPinned(aApp.manifestURL)) {
 reject("TRUSTED_APPLICATION_HOST_CERTIFICATE_INVALID");
 return;
 }
- if (!this.verifyCSPWhiteList(aData.app.manifest.csp)) {
+ if (!this.verifyCSPWhiteList(aManifest.csp)) {
 reject("TRUSTED_APPLICATION_WHITELIST_VALIDATION_FAILED");
 return;
 }
- this.verifySignedManifest(aData.app, aData.appId).then(resolve, reject);
+ this.verifySignedManifest(aApp, aAppId).then(resolve, reject);
 });
 }
 };
diff --git a/dom/apps/Webapps.jsm b/dom/apps/Webapps.jsm
index f9669c60b76..bcd4b0e9476 100755
--- a/dom/apps/Webapps.jsm
+++ b/dom/apps/Webapps.jsm
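Review bot: Nothing visible in `verifyManifest` (TrustedHostedAppsUtils.jsm) ties the manifest whose CSP is validated to the one whose signature is checked: the whitelist check now reads `aManifest.csp`, while `verifySignedManifest(aApp, aAppId)` is still called without the manifest. `verifySignedManifest` is defined outside this hunk; if it works from `aApp.manifest` or from its own fetch, the two checks can cover different content once callers pass a freshly downloaded manifest. The new three-argument signature is also undocumented, so I would add a JSDoc block above it stating that `aManifest` is the manifest about to be installed and must be the document the signature covers, and that the promise rejects with one of the `TRUSTED_APPLICATION_*` strings.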
@@ -2001,8 +2001,24 @@ this.DOMApplicationRegistry = {
 } else {
 // Update only the appcache if the manifest has not changed
 // based on the hash value.
- this.updateHostedApp(aData, id, app, oldManifest,
- oldHash == hash ? null : manifest);
+ if (oldHash == hash) {
+ debug("Update - oldhash");
+ this.updateHostedApp(aData, id, app, oldManifest, null);
+ return;
+ }
+
+ // For hosted apps and hosted apps with appcache, use the
+ // manifest "as is".
+ if (this.kTrustedHosted !== this.appKind(app, app.manifest)) {
+ this.updateHostedApp(aData, id, app, oldManifest, manifest);
+ return;
+ }
+
+ // For trusted hosted apps, verify the manifest before
+ // installation.
+ TrustedHostedAppsUtils.verifyManifest(app, id, manifest)
+ .then(() => this.updateHostedApp(aData, id, app, oldManifest, manifest),
+ sendError);
 }
 }
 } else if (xhr.status == 304) {
@@ -2326,8 +2342,8 @@ this.DOMApplicationRegistry = {
 installApp();
 return;
 }
- TrustedHostedAppsUtils.verifyManifest(aData)
- .then(installApp, sendError);
+ TrustedHostedAppsUtils.verifyManifest(aData.app, aData.appId, app.manifest)
+ .then(installApp, sendError);
 } else {
 debug("Installed manifest check failed");
 // checkManifest() sends error before return
@@ -2361,7 +2377,7 @@ this.DOMApplicationRegistry = {
 }
 debug("App kind: " + this.kTrustedHosted);
- TrustedHostedAppsUtils.verifyManifest(aData)
+ TrustedHostedAppsUtils.verifyManifest(aData.app, aData.appId, app.manifest)
 .then(installApp, sendError);
 return;
 } else {
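Review bot: The gate `this.kTrustedHosted !== this.appKind(app, app.manifest)` in the update path (hunk at -2001) classifies the app from `app.manifest`, while the document about to be installed is the newly downloaded `manifest`. If `app.manifest` still holds the previously installed manifest at this point (its assignment is outside the hunk), an update whose new manifest changes the app type would take the "as is" branch and never reach `verifyManifest`. Consider deciding on the new document, `if (this.kTrustedHosted !== this.appKind(app, manifest)) {`, or verifying whenever either the old or the new manifest is trusted hosted. Separately, `.then(() => this.updateHostedApp(...), sendError)` does not route an exception thrown by `updateHostedApp` to `sendError`, so that failure would surface only as an unhandled rejection.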
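Review bot: The call `verifyManifest(aData.app, aData.appId, app.manifest)` in the hunk at -2326 takes the app record from `aData.app` but the manifest from the local `app`, and the hunk at -2361 repeats the same mix. Whether `app` and `aData.app` refer to the same object is not visible in either hunk; if they do not, the host-pinning and signature checks run against one record and the CSP check against another. I would take all three arguments from one source where `app` carries `manifestURL`, e.g. `verifyManifest(app, aData.appId, app.manifest)`, or add a comment such as `// app.manifest is the manifest just downloaded for aData.app` above each call.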