A packaged app is a Firefox OS app that has all of its resources (HTML, CSS, JavaScript, app manifest, and so on) contained in a zip file, instead of having its resources on a Web server. This article provides an introduction to packaged apps and links to everything you need to know about packaged apps from a developer standpoint.
A packaged app is zip file that contains all the resources that enable a Firefox OS app to function, along with an app manifest in the zip's root directory. The app manifest provides details about the app such as its description, icons used to identify the installed app and such. The package is then used to install the app to Firefox OS devices. Once installed the app runs on the device, but is still able to access resources on the Web, such as a database on a web server.
There are three types of packaged apps: web app, privileged app and internal app. While packaged apps can be used to deliver any type of app, privileged and internal apps are digitally signed to enable the use of privileged and internal (certified) APIs. Privileged apps are signed as part of the Marketplace review process, while internal apps are signed by device manufacturers or operators.
In addition to their ability to use privileged and internal (certified) APIs, packaged apps offer users a faster first start response as all the of the app's resources are available on the device after installation. These feature makes packaged apps the recommended approach for delivering apps to Firefox OS devices.
Types of packaged apps
There are three types of packaged apps: web apps, privileged apps and internal app. Each type of packaged app corresponds to a level of the App Security model implemented in Firefox OS. This section provides more information on each.
Web app
A web app is one that doesn't make use of privileged or internal (certified) APIs. When submitted to Marketplace the app's package is signed, but the special authentication process used for privileged or internal apps isn't performed. Web apps therefore cannot use privileged or internal APIs. These apps are not subject to the Content Security Policies (CSPs) required for privileged and internal apps.
This type of packaged app doesn't require the type
field in its manifest.webapp
file, because the default value for type
(web
) is correct.
Note: Web apps may be self-published or distributed through the Firefox Marketplace.
Note: Web apps can also be delivered using the Hosted app mechanism.
Privileged app
A privileged app is one that makes use of privileged APIs and can be considered as the equivalent of a native app on platforms such as iOS and Android. When submitted to the Firefox Marketplace, privileged apps are approved using a special process. This process gives users of the app a level of assurance that the app has been carefully reviewed for potential security, privacy, and capability issues.
To specify that an app is a privileged app, add the type
field to its manifest.webapp
file and set its value to privileged
. Every privileged API your app needs to access must be added to the permissions
field in the app's manifest.
Firefox OS and the Web runtimes for Android and desktops enforces the following CSP for privileged apps:
"default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
Note: Privileged apps may be distributed through the Firefox Marketplace only.
Internal apps
The creation of Internal apps is generally not available for third-party developers and aren't distributed through the Firefox Marketplace.
An internal app is one that makes use of internal (certified) APIs. These APIs offer access to critical system function such as the default dialer or the system settings app on a device. Compared to to a privileged app, all API permissions in an internal app are implicit, meaning they are enabled without explicit user approval. An internal app must be approved for a device by the OEM or carrier.
To specify that an app is an internal app, add the type
field to its manifest.webapp
file and set it to certified
. Every privileged and internal API your app needs to access must be added to the permissions
field in the app's manifest.
Firefox OS implements the following CSP for internal apps:
"default-src *; script-src 'self'; object-src 'none'; style-src 'self'"
This has the effect of implementing stricter rules for inline CSP for internal compared to privileged apps. If you want to understand the reasoning behind this, see Default CSP policy and Bug 768029.
Note: Internal apps are preloaded onto devices by OEMs and operators; they are not distributed in any other way.
Note: You may sometimes see internal apps referred to as certified apps, a term commonly used within Mozilla, OEMs and carriers.
Testing packaged apps
To install a packaged app into a Firefox OS Simulator or onto a device for testing purposes, use the WebIDE tool. Alternatively, you can install it on to a device from a Web server by following the steps described in Publishing apps yourself. Remember that when you publish apps yourself, packaged web apps only can be installed .
Publishing packaged apps
You have two options for publishing packaged apps: on Firefox Marketplace or self-publishing.
Publishing on Firefox Marketplace
The process for submitting a packaged app to Firefox Marketplace is described in the App Publishing section.
When you submit your packaged app, its zip file is stored on the Marketplace servers, and the Marketplace generates a new manifest called the mini-manifest that is based on the app manifest in your packaged app's zip file. When a user installs your app, the mini-manifest is passed to the Apps.installPackage()
function to install the app. The mini-manifest exists for installation and update purposes and isn't used when your app runs.
Publishing yourself
It's possible to publish packaged web apps outside Firefox Marketplace, on your own web server. Details are provided in Publishing apps yourself.
Updating packaged apps
For information on updating apps, see Updating apps.
See also