diff --git a/mkt/ecosystem/templates/ecosystem/build_app_generator.html b/mkt/ecosystem/templates/ecosystem/build_app_generator.html index d755623852..8b5c96fb05 100644 --- a/mkt/ecosystem/templates/ecosystem/build_app_generator.html +++ b/mkt/ecosystem/templates/ecosystem/build_app_generator.html @@ -59,7 +59,7 @@

{{ _('What you get:') }}

+ +
{{ _('Certified app') }}
+
+ {%- trans %} + A certified app is intended for a critical system function + like the default dialer or the system settings app on a + smartphone. This type of app would be used for critical + functions on a Firefox OS phone. It is not intended for third + party apps, so most app developers can disregard this type of + app. A certified app is a packaged app that is similar to a + privileged app, except that all device permissions are + implicit, meaning they do not require explicit user approval. + A certified app must be approved for a device by the OEM or + carrier in order to have this implicit approval to use + critical APIs. The following is the CSP for a certified app, + which is slightly different from the CSP for a privileged + app: + {% endtrans -%} + 
+              "default-src *; script-src 'self'; object-src 'none'; style-src 'self'"
+
+ {%- trans url_default_csp='https://wiki.mozilla.org/Apps/Security#Default_CSP_policy', + url_bug='https://bugzilla.mozilla.org/show_bug.cgi?id=768029' %} + This has the effect of slightly looser rules for inline CSP + for privileged apps when compared to certified apps. If you + want more of the reasoning behind this, see Default CSP policy and Bug 768029.
-
Plain packaged app
-
+ {% endtrans -%} +
{{ _('Plain packaged app') }}
+
+ {%- trans %} You can also make a regular app that is simply packaged in a zip file. The Marketplace signs it, but does not perform the - special authentication process used for privileged or certified - apps. This plain packaged app cannot use certain sensitive Web - APIs. It is not subject to the CSPs described for privileged - and certified apps. -
- - {% endtrans -%} + special authentication process used for privileged or + certified apps. This plain packaged app cannot use certain + sensitive Web APIs. It is not subject to the CSPs described + for privileged and certified apps. + {% endtrans -%} + +

{{ _('Differences from hosted apps') }}

- {%- trans url='//developer.mozilla.org/docs/Security/CSP/Introducing_Content_Security_Policy' %} + {%- trans %} Packaged apps have the same capabilites as normal website-style Open Web Apps ("hosted" apps), but packaged apps have a few differences: -

{%- trans %} @@ -172,6 +204,7 @@

{{ _('Using sensitive Web APIs') }}

+ {# L10n: Do not localize text in #} {%- trans url='//developer.mozilla.org/docs/Apps/Manifest' %} There are Web APIs that could be used maliciously, so access to them must be controlled. For every sensitive API you want your @@ -190,6 +223,7 @@

{{ _('Packaged apps and the Firefox Marketplace') }}

+ {# L10n: Do not localize text in #} {%- trans %} The Firefox Marketplace handles packaged apps differently from hosted apps. When you submit your packaged app, its zip file is @@ -233,6 +267,7 @@ {% endtrans -%}

  • + {# L10n: Do not localize text in #} {%- trans %} Get your server's IP address and use it in place of <server-ip> in the examples @@ -245,6 +280,7 @@

    {{ _('Steps') }}

    1. + {# L10n: Do not localize text in #} {%- trans %} Have your packaged app's zip file available and give it the name package.zip. This file contains all the app's @@ -252,6 +288,7 @@ {% endtrans -%}
    2. + {# L10n: Do not localize text in #} {%- trans url='#mini-manifest-fields' %} Create a file called package.manifest and give it the contents below. This is a mini-manifest used for packaged app @@ -263,6 +300,7 @@ {% endtrans -%}
    3. + {# L10n: Do not localize text in #} {%- trans %} Create a file named install.html with the following contents. This contains the JavaScript that calls the packaged @@ -272,6 +310,7 @@ {% endtrans -%}
    4. + {# L10n: Do not localize text in #} {%- trans %} Copy package.zip, package.manifest, and install.html into the Web server's document root @@ -279,6 +318,7 @@ {% endtrans -%}
    5. + {# L10n: Do not localize text in #} {%- trans %} Use the browser on the phone to open http://<server-ip>/install.html @@ -288,6 +328,7 @@

    + {# L10n: Do not localize text in #} {%- trans url='//developer.mozilla.org/docs/Apps/Manifest#type' %} Note: If you want to test certified app APIs (described above), turn on "developer mode" on the device you want @@ -304,6 +345,7 @@ {% endtrans -%}

    + {# L10n: Do not localize text in #} {%- trans url='//developer.mozilla.org/docs/Apps/Manifest' %} When the Firefox OS Marketplace generates a mini-manifest for your app, it pulls information from your app's manifest for some of the @@ -321,41 +363,50 @@ Here is information on the mini-manifest that relates to using it locally for your own testing: {% endtrans -%} - {%- trans %} -

    -
    name
    -
    +
    +
    name
    +
    + {%- trans %} (required) The app's name. Maximum length is 128 characters. -
    -
    package_path
    -
    + {% endtrans -%} +
    +
    package_path
    +
    + {%- trans %} (required) A full URL where the app's zip file can be found. -
    -
    version
    -
    The version of the app.
    -
    size
    -
    + {% endtrans -%} +
    +
    version
    +
    {{ _('The version of the app.') }}
    +
    size
    +
    + {%- trans %} The size of the app's zip file in bytes. This is not necessary for local testing, but provide it to get a progressbar during installation. -
    -
    release_notes
    -
    + {% endtrans -%} +
    +
    release_notes
    +
    + {%- trans %} Information about this release of the app. On the Marketplace this information comes from a Web page that is part of the submission process. -
    -
    developer
    -
    - Information about the developer, contains the name - and url fields. -
    -
    locales
    -
    Localization information.
    -
    icons
    -
    Icons for use by the app.
    -
    - {% endtrans -%} + {% endtrans -%} +
    +
    developer
    +
    + {# L10n: Do not localize text in #} + {%- trans %} + Information about the developer, contains the + name and url fields. + {% endtrans -%} +
    +
    locales
    +
    {{ _('Localization information.') }}
    +
    icons
    +
    {{ _('Icons for use by the app.') }}
    +

    {{ _('Updating packaged apps') }}

    diff --git a/mkt/ecosystem/templates/ecosystem/publish_review.html b/mkt/ecosystem/templates/ecosystem/publish_review.html index 6b635a4502..24e22a122c 100644 --- a/mkt/ecosystem/templates/ecosystem/publish_review.html +++ b/mkt/ecosystem/templates/ecosystem/publish_review.html @@ -91,6 +91,7 @@ {% endtrans -%}

  • + {# L10n: Do not localize text in #} {%- trans %} The app manifest must be served a Content-Type header of application/x-web-app-manifest+json. @@ -243,22 +244,26 @@ {% endtrans -%}
  • - {%- trans url='https://github.com/mozilla-b2g/gaia/issues/2557' %} + {%- trans %} The app must implement its own method of navigation and not rely on browser chrome or a hardware back button, which will not be present on every device. - {% endtrans -%} +
  • {%- trans %} @@ -280,28 +285,33 @@ from the app review team to communicate what's going on and get the problem resolved. Specific examples of situations where blocklisting is warranted include: -