- From: Ivan Herman <notifications@github.com>
- Date: Thu, 23 Jun 2016 02:41:17 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc:
- Message-ID: <w3c/manifest/issues/471/228000130@github.com>
> On 23 Jun 2016, at 11:33, Marcos Cáceres <notifications@github.com> wrote: > > Will take a look! thanks for the pointer. Please be warned that you shouldn't mess with how to obtain a manifest, as it's carefully designed to work with the security model of the Web (i.e., it's not just JSON you can just grab.... CORS and CSP play a role, and there are a bunch of security restrictions, etc. that it took a long time to work through). That's why the manifest spec only allows you to add and process simple values, but doesn't let you interface with how to obtain a manifest or other moving parts. > I think there are to major differences. One is that we also consider manifests (ie, JSON content) embedded in the HTML content using a <script> element, and we also have to consider (but that may be special to the publishing world) when the manifest is included in a packaged content entirely (ie, a packaged book). The latter is probably specific to publishing; I hope that none of these two lead to special security issues. But I am sure you have more experience with that than we have. The other difference is that we consider situations when manifests are combined, ie, it is not that the content is always in one place; that may again be the consequence of the publishing world, where some metadata may be published via a different workflow than the main content. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/471#issuecomment-228000130
Received on Thursday, 23 June 2016 09:42:03 UTC