Re: [w3c/manifest] Add a unique identifier for a PWA (#586)

> @dmurph wrote:
> 
> > I do think that there is one big downside for using manifest_url as the ID - this means that a manifest wouldn't be inherently 'packaged' by itself. Like - you couldn't install an app just from a manifest without that manifest url (or the id being specified).
> 
> I personally think that's a good thing because trust in the origin a manifest was retrieved from is surely an important factor in the implicit permissions a user grants by installing a web application? It also makes the app more [linkable and discoverable](https://infrequently.org/2015/06/progressive-apps-escaping-tabs-without-losing-our-soul/) if the ID actually dereferences to something.

I guess I don't see the host of the manifest being the source of truth, I see it being the origin of the start_url / the implied scope. Technically someone right now can host a manifest (B.com) that lists A.com as the start url, and that just works.

> 
> > it is difficult to fake for the 'webapp'ing that current browsers do. Right now, you can create a fake manifest for a site and just set the start_url to the url that is being shown, and bam, webapp. But if manifest_url becomes the unique ID, and systems are designed around that, then that becomes more complicated.
> 
> For a hack like a fake manifest, which won't be following the specification anyway, could browsers generate a special cased local URL like chrome://apps/myfakeapp.webmanifest ?

Yeah, that might work.

> 
> > they [two manifests providing the same ID] would be the same webapp
> 
> That would presumably make https://foo.github.io/repo1/app1.webmanifest and https://foo.github.io/repo2/app2.webmanifest (or https://google.com/calendar/app.webmanifest and https://google.com/mail/app.webmanifest) the same app, if they provided the same ID.
> 
> That arguably isn't a huge issue as the origin is ultimately the trust boundary, but it could be a bit of a footgun.

Yeah, but fixable by the developers at least. I think that is a much easier problem to avoid than the current situation, where they can unknowingly segment their users w/o obvious problems initially.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/586#issuecomment-670152604

Received on Thursday, 6 August 2020 19:36:49 UTC
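
The identity schemes weighed in this message, as an added example that is not part of the thread or of any browser's code. It applies three hypothetical keying rules (manifest URL, `start_url` origin, developer-supplied `id` scoped to that origin) to the cases raised above; the function names, the `id` fallback and the `example` hosts are assumptions.

```javascript
// Added illustration: three hypothetical ways a browser could key an installed
// web app. Function names and the handling of "id" are assumptions, not spec text.

// Scheme 1: the manifest's own URL is the identity.
function idFromManifestUrl(manifestUrl) {
  const u = new URL(manifestUrl);
  u.hash = "";
  return u.href;
}

// Scheme 2: the origin of start_url, resolved against the manifest URL.
function idFromStartUrlOrigin(manifestUrl, manifest) {
  return new URL(manifest.start_url, manifestUrl).origin;
}

// Scheme 3: a developer-supplied id, scoped to the start_url origin so another
// origin cannot claim it. Falling back to the start_url path is an assumption.
function idFromExplicitId(manifestUrl, manifest) {
  const start = new URL(manifest.start_url, manifestUrl);
  const id = manifest.id !== undefined ? manifest.id : start.pathname;
  return start.origin + "#" + id;
}

// True when the manifest host differs from the origin the app actually runs on.
function isCrossOriginManifest(manifestUrl, manifest) {
  return new URL(manifestUrl).origin !== idFromStartUrlOrigin(manifestUrl, manifest);
}

// Constructed sample data (the example hosts are placeholders).
const samples = {
  // Manifest hosted on b.example that points at a.example.
  crossHost: ["https://b.example/app.webmanifest", { start_url: "https://a.example/" }],
  // Same app, manifest file renamed between deployments.
  v1: ["https://a.example/m-v1.webmanifest", { start_url: "/mail/", id: "mail" }],
  v2: ["https://a.example/m-v2.webmanifest", { start_url: "/mail/", id: "mail" }],
  // Different app on the same origin that reuses the id by mistake.
  other: ["https://a.example/cal/app.webmanifest", { start_url: "/cal/", id: "mail" }],
};

// Compute every candidate identity for every sample manifest.
function report() {
  return Object.fromEntries(Object.entries(samples).map(([name, [url, m]]) => [name, {
    manifestUrl: idFromManifestUrl(url),
    startOrigin: idFromStartUrlOrigin(url, m),
    explicitId: idFromExplicitId(url, m),
    crossOrigin: isCrossOriginManifest(url, m),
  }]));
}

console.log(report());
```

Under the manifest-URL rule `v1` and `v2` become two apps (the silent user segmentation), while under the explicit-id rule `other` collapses into the same app as `v1` (the footgun), and `crossHost` is the case an installer would want to flag.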