Guidelines for App Approval

These are the guidelines we use when deciding whether to make your app visible to other Yahoo! Mail Users. You should check that your app follows these guidelines before submitting it for review.

Technical Guidelines

  1. Use a cross-browser JavaScript library like YUI3. Yahoo! Mail is built with YUI3, so if you use YUI3, many modules will already be in the browser cache. We also have enough YUI3 experts around to answer tough questions. That said, the big point is to use a library that saves you from having to worry about a lot of cross-browser warts.
  2. Use the latest om-min.js. The Memories Sample App will always be kept up to date with the latest om-min.js. Have a look at the <script> tags at the top of its views/main.html.
  3. Favor semantic markup to separate content from presentation.
  4. Don't use /Yahoo/i in variable or function names.
  5. Don't use global variables.
  6. Stay out of the YAHOO and Y namespaces.
  7. Test against these browser and OS combinations:
    • Chrome GA & beta - Win 7
    • FF 3.6, GA, & beta - Win 7
    • IE7 - XP
    • IE8, IE9, IE Beta - Win 7
    • Safari GA - MacOS

Security Guidelines

  1. Don't redirect the application's iframe.
  2. Don't insert iframes that point to non-Yahoo! servers.
  3. Externally-hosted JSON must be validated. Do so with YUI3's Y.JSON.parse or equivalent. Don't use eval().
  4. No externally-hosted JavaScript, including 'jsonp'. JavaScript must be hosted on Yahoo! as an asset for your app.
  5. Externally-hosted HTML must be filtered by filterHTML. This filtering function will strip unsafe or unrecognized constructs. Any externally-generated HTML content (even if delivered inside JSON) must be sanitized by this function before you inject it into the DOM.
  6. No externally-hosted CSS. You may include inline css in externally-hosted HTML if the externally-hosted HTML is passed through filterHTML.
  7. Don't ask for usernames or passwords. Your app may not ask the user to enter a username or password to a Yahoo! or third-party site. Use OAuth for authenticated endpoint access.
  8. Flash component restrictions. If you use Flash, you must serve your Flash components using <EMBED> tags and not <OBJECT> tags and set wmode to opaque or transparent. You must also either: serve your Flash components as assets with allowScriptAccess set to never|sameDomain or (if served from your own CDN), set allowScriptAccess to never.
  9. With the exception of third-party user-generated content, you must have intellectual property rights to any content, code, or other materials displayed.
  10. User-generated content. You may display third-party user-generated content only if you implement a compliant Digital Millennium Copyright Act (DMCA) notice and takedown policy and process or an equivalent policy that is compliant with local laws to ensure that users can report infringing content.
  11. Don't get or set document.cookie.
  12. Protect access to user data on remote web services.
  13. Use OAuth.
  14. Remote servers may not retrieve, access, or store the referrer HTTP header.
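Added example (not from the original page) of guideline 3 above: externally-hosted JSON goes through a data-only parser and is then checked against the shape the app expects. In a Yahoo! Mail app the parser would be Y.JSON.parse; the native JSON.parse stands in for it here so the example runs outside the browser, and the feed format is a constructed stand-in for whatever your remote server returns.

```javascript
// Added example, not Yahoo! Mail code: parse externally-hosted JSON with a
// data-only parser, then validate its structure before the app uses it.
// JSON.parse stands in for Y.JSON.parse; the feed format is constructed.

// Constructed sample feed, as the app would receive it from its own server.
const SAMPLE_FEED = '{"items":[{"title":"Trip photos","count":12},' +
                    '{"title":"Receipts","count":3}]}';

// Data-only parse. Anything that is not pure JSON (code, function calls,
// arithmetic) throws instead of executing, which is why eval() is forbidden.
function parseExternalJson(text) {
  if (typeof text !== 'string') {
    throw new TypeError('expected a JSON string');
  }
  return JSON.parse(text);
}

// A successful parse only proves the text was JSON, not that the remote
// server sent the structure the app expects. Check that explicitly and
// reject anything unexpected rather than trusting it.
function validateFeed(data) {
  if (!data || typeof data !== 'object' || !Array.isArray(data.items)) {
    throw new Error('feed must be an object with an items array');
  }
  return data.items.map(function (item) {
    if (typeof item.title !== 'string' || typeof item.count !== 'number') {
      throw new Error('each item needs a string title and numeric count');
    }
    // Copy only the fields the app uses; unexpected fields are dropped.
    // If a field carried HTML, it would still have to pass through
    // filterHTML before reaching the DOM (guideline 5).
    return { title: item.title, count: item.count };
  });
}

// Returns the validated items, or throws on bad input.
function loadFeed(text) {
  return validateFeed(parseExternalJson(text));
}

// True when the text is rejected, either as non-JSON or as the wrong shape.
function isRejected(text) {
  try { loadFeed(text); return false; } catch (e) { return true; }
}
```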

SSL Guidelines

Yahoo! Mail supports access via SSL. When a user is accessing mail via SSL, apps must serve everything with SSL in order to avoid mixed-content warnings.

  1. om-min.js URLs will be automagically rewritten to use the correct protocol depending on whether the user is connecting over HTTP or HTTPS. This only works if you are using the latest version of om-min.
  2. Asset URLs will use HTTP or HTTPS correctly without any changes from the developer.
  3. For externally-hosted content, consider using protocol-less URLs. Otherwise, either use https all the time or programmatically switch depending on isSSL.
  4. When testing with IE8, say "yes" when asked whether to only show secure content.
  5. If debugging using a proxy like Charles or Fiddler, enable https traffic decrypting or you won't see any of the requests.
  6. If you add a link or script tag using document.write before the window.onload event fires, it won't work in https. Use regular DOM methods (e.g. appendChild) to append the node instead.
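Added example (not from the original page) covering items 3 and 6 above: one helper picks the scheme for an externally-hosted resource (protocol-less, or an explicit switch on isSSL), and another appends a link or script node for one of the app's own assets with DOM methods instead of document.write. How the app obtains isSSL is assumed and simply passed in; the document object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example, not Yahoo! Mail code. isSSL is assumed to be the page's
// flag for an HTTPS session and is passed in; the asset paths and the
// document stub below are constructed for this example.

// Choose the URL for an externally-hosted resource (image, feed endpoint).
// Either emit a protocol-less URL, which inherits the page's scheme, or
// switch explicitly on isSSL. Never downgrade an https URL to http.
function resourceUrl(url, isSSL, useProtocolRelative) {
  const m = /^(https?:)?\/\/(.*)$/i.exec(url);
  if (!m) {
    throw new Error('expected an absolute http(s) or protocol-less URL');
  }
  if (useProtocolRelative) {
    return '//' + m[2];
  }
  if (isSSL || (m[1] || '').toLowerCase() === 'https:') {
    return 'https://' + m[2];   // over SSL everything must be https
  }
  return 'http://' + m[2];
}

// Attach a <script> or <link> for one of the app's own assets using regular
// DOM calls; document.write before window.onload does not work under https.
function appendNode(doc, tag, url) {
  const node = doc.createElement(tag);
  if (tag === 'script') {
    node.src = url;
  } else if (tag === 'link') {
    node.rel = 'stylesheet';
    node.href = url;
  } else {
    throw new Error('only script and link tags are handled here');
  }
  (doc.head || doc.getElementsByTagName('head')[0]).appendChild(node);
  return node;
}

// Minimal stand-in for a browser document (constructed for this example;
// a real app uses the window's document).
function fakeDocument() {
  const head = { children: [], appendChild(n) { this.children.push(n); } };
  return { head: head, createElement(tag) { return { tagName: tag }; } };
}
```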

Performance

  1. Make a lightweight launch. Your app should start quickly, minimally showing a "loading" UI within the first 300ms.
  2. Combo-load and compress assets. Use ymdt's support for server-side asset compression and combo-loading. Don't minify assets yourself so that we can easily review your app code.
  3. YUI3. If you use YUI3, serve it from yui.yahooapis.com instead of making a copy in your assets directory. Combo-load where possible.
  4. No fast polling. For example, don't do this: setTimeout(f,10)

User Experience

  1. Use a fluid presentation that can accommodate subtle width and height variations.
  2. Content within an app's views must not "float" or "break through" to parts of Yahoo! Mail.
  3. Animation, video, and audio shouldn't auto-play unless the user opts-in to that behavior.
  4. Be prepared to internationalize.
  5. Icon. Put a 16x16px icon.png in your app source's base directory. This will be shown in the application list when your app is installed. Pure white will be forced to transparent.
  6. Gallery Images. Put a 64x64px thumbnail.png in your app source's base directory. This will be shown in the gallery margin. Put a 300x250px full.png in your app source's base directory. This will be shown in the gallery when the user expands the app description.
  7. If your app requires Flash, fail gracefully when Flash isn't installed.
  8. Themes. Users can change Yahoo! Mail's theme via the Options menu. Your app should either be theme-neutral or coordinate with Yahoo! Mail's theme at launch via the getParameters callback's themeinfo response member. Also, coordinate with dynamic theme changes by listening for the themes:change event.

Support & Community

Ask questions and share insights on our forum.