Re: App Manifest & API Proposal

From: Anant Narayanan <anant@mozilla.com>
Date: Mon, 14 May 2012 09:44:06 -0700
Message-ID: <4FB13656.1000109@mozilla.com>
To: public-webapps <public-webapps@w3.org>

On 5/13/12 2:17 PM, SULLIVAN, BRYAN L wrote:
> For (1) we can expect a text change, right?

Yes, I will make them as soon as I am able to.

> For (2), if the app manifest is obtained over non-secure HTTP, it is subject to modification. If the app is delivered over non-secure HTTP, even more can be modified. So is the plan to provide some kind of user warning when the manifest and/or app (including assets from the same origin) are delivered via non-secure HTTP (in the absence of a manifest signature)? And even if a manifest signature is provided, how does it ensure protection of the assets (e.g. JS, CSS, and HTML) if they are delivered over non-secure HTTP? Does HTTPS need to be enforced, and cert domain validation as well?

We've previously discussed enforcing serving manifests over HTTPS, but 
it may not be appropriate to put this into the spec itself. Different 
user agents may choose to do different things, ranging from disallowing 
installs over HTTP to warning the user before proceeding.

Regards,
-Anant
Received on Monday, 14 May 2012 16:44:37 GMT
