Re: [manifest] URL Scope to which the manifest applies (#114)

On November 17, 2014 at 10:09:22 AM, Ben Francis (notifications@github.com) wrote:
> > Why wouldn't a scope be needed for external domains?
>  
> One potential use case for scope is that an installed app could capture navigations to  
> URLs within the scope of the app and load them in the app instead of in a browser tab. This  
> would allow deep linking inside a web app.

True. But we've not experimented with this enough to know if scopes are the right thing here. 

> You don't want evilapp.com/manifest.json to claim that facebook.com is part of its  
> scope and then capture all of the user's navigations to Facebook.

Exactly. Hence the same origin restriction. 

> How do you safely prove  
> that another origin is part of the same app? As I understand it the Chrome Web Store uses  
> a centralised process using CNAME records to do this, but that doesn't scale very well  
> to the rest of the web. In my opinion, the maximum scope of a web app should be a single origin.  

Agree. 

> However, you still might want goodapp.com to use facebook.com/login for authentication. 

window.open()? 

> The idea of the "stay_in_app" property is that it can be used to enumerate third party  
> URLs which are not part of the app itself but are used by the app for something like third  
> party authentication.

Why is window.open() not sufficient? What am I missing? 

> The app will not capture navigations to those URLs, but if the  
> user is already in the context of the app and then navigates to one of those URLs they will stay  
> in the app rather than being kicked out to the browser.

As above. 

> Jonas explains this more thoroughly in the thread linked to above.
>  
> > I still think it would be good to show some sign when moving to another domain (maybe ignoring  
> > subdomains).
>  
> I agree that if an unbounded scope or a stay_in_app URL causes an app window to be navigated  
> away from its original origin, that the user should be made aware of the new origin they  
> just entered. I don't think subdomains can be assumed to be part of the same app though  
> because many shared hosting services used subdomains to separate sites.

Agree. For example, GitHub pages.  

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/114#issuecomment-66411909

Received on Wednesday, 10 December 2014 06:59:15 UTC
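
The same-origin restriction on scope discussed in this message can be sketched as a check. This is an added example, not part of the original thread and not the manifest specification's algorithm; the function names `resolveScope` and `isWithinScope` are hypothetical, and the shared-hosting hostnames are constructed.

```javascript
// Added illustration; function names are hypothetical, not taken from the spec.

// Resolve a manifest's declared scope against the manifest URL and reject
// any scope that is not same-origin with the manifest itself.
function resolveScope(manifestUrl, declaredScope) {
  let manifest, scope;
  try {
    manifest = new URL(manifestUrl);
    scope = new URL(declaredScope, manifest); // relative scopes resolve here
  } catch (e) {
    return null; // unparsable input never yields a usable scope
  }
  // Cross-origin claim, e.g. evilapp.com/manifest.json claiming facebook.com.
  return scope.origin === manifest.origin ? scope : null;
}

// Decide whether a navigation target may be captured by the installed app.
function isWithinScope(scope, targetUrl) {
  if (scope === null) return false;
  let target;
  try {
    target = new URL(targetUrl); // also normalises ../ path segments
  } catch (e) {
    return false;
  }
  // Origin is scheme + host + port, so a sibling subdomain on a shared host,
  // a different port, or http vs https all count as a different origin.
  if (target.origin !== scope.origin) return false;
  // Match on a path-segment boundary so /app does not also cover /application.
  const base = scope.pathname.endsWith("/") ? scope.pathname : scope.pathname + "/";
  return target.pathname === scope.pathname || target.pathname.startsWith(base);
}

// Constructed sample navigations for an app whose manifest declares scope /app.
const appScope = resolveScope("https://goodapp.com/manifest.json", "/app");
for (const url of [
  "https://goodapp.com/app/inbox",
  "https://goodapp.com/application",
  "https://goodapp.com/app/../admin",
  "https://facebook.com/login",
]) {
  console.log(url, "->", isWithinScope(appScope, url) ? "capture" : "leave to browser");
}
```

A target that fails this check, such as the third-party login URL, is the case the thread is debating: whether it opens via window.open() or through something like "stay_in_app".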