[manifest] RE: Manifest for web application; review deadline March 5

Hi, 

We support that this version of the specification is moved to Candidate status but we have a few comments/questions:

In this version 1 we miss:

* A "permissions" field
* A "content security policy field". This is only included as a way to state allowed origins from which the manifest file itself could be loaded. However, there is, in this first version, no CSP-field defined for the manifest document, allowing restriction of origins the web app could download scripts and other content types from. There is also a draft companion document, http://w3c.github.io/manifest-csp/, defining this CSP-member of the manifest.

We consider the above features important for allowing server hosted web apps access to more sensitive APIs and have been experimenting with this for FFOS:
https://lists.w3.org/Archives/Public/public-sysapps/2014Sep/att-0000/SoMC_FFOS_Trusted_Hosted_Apps.pdf. Accordingly we want to discuss these features for the further work on the manifest specification. 

We also would like to ask the WG if it has been discussed if https: transport should be required for downloading the manifest? Other specifications are moving towards requirement for https:. See for example the discussion https://lists.w3.org/Archives/Public/public-device-apis/2015Feb/0045.html. For the manifest version 1 this may not be critical but if above features are added the transport probably have to be protected. 

However, once again note that these comments do not prevent that we support that the current version of the manifest is moved to candidate status, I am just taking the opportunity state our views on the further work on the manifest specification.

Best regards

Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878
claes1.nilsson@sonymobile.com

sonymobile.com




> -----Original Message-----
> From: Arthur Barstow [mailto:art.barstow@gmail.com]
> Sent: den 13 februari 2015 01:31
> To: public-webapps
> Subject: RfC: Manifest for web application; review deadline March 5
> 
> [ Bcc: public-webappsec, www-style, public-privacy, public-sysapps,
> public-digipub-ig, public-pfwg, public-web-mobile, www-international,
> chairs^1, public-review-announce; Reply-to: public-webapps ]
> 
> This is a Request for Comments (RfC) for WebApp's "Manifest for web
> application" specification:
> 
> <http://www.w3.org/TR/2015/WD-appmanifest-20150212/>
> 
> "This specification defines a JSON-based manifest that provides
> developers with a centralized place to put metadata associated with a
> web application."
> 
> This Working Draft is intended to meet the wide review requirements as
> defined in the 2014 Process Document. The deadline for comments is 5
> March 2015 and all comments should be sent to the public-webapps @
> w3.org mail list [Archive] with a Subject: prefix of "[manifest]". The
> next anticipated publication of this specification is a Candidate
> Recommendation. (See [CR-Plan] for the specification's Candidate
> Recommendation status.)
> 
> WebApps welcomes review and comments from all individuals and/or groups
> and we explicitly ask the following groups to review the document and
> to submit comments: WebAppSec, CSS WG (in particular, the "display
> mode"
> media feature), PING, SysApps, Digital Publishing IG, WAI (PF, User
> Agent, Authoring Tools), and I18N WG.
> 
> In addition to substantive comments, to help us get a sense of how much
> review the document receives, we also welcome data about "silent
> reviews", f.ex. "I reviewed section N.N and have no comments".
> 
> -Thanks, AB
> 
> ^1 RfC is the new LCWD TransAnn
> [CR-Plan] <https://github.com/w3c/manifest/issues/308>
> [Archive] <https://lists.w3.org/Archives/Public/public-webapps/>
> 
> 

Received on Thursday, 5 March 2015 15:46:58 UTC