Re: [manifest] Must manifests be same-origin? (#360)

One reason for requiring a manifest be same-origin with the web app is to prevent someone creating an "app" for someone else's content without their knowledge. Are there other ways we could prevent this which don't render manifests useless as a standalone resource?

This might be a bit of a hack but... What if "Content-Security-Policy: manifest-src self" could be used to prevent others creating apps for your content in the same way that "X-Frame-Options: SAMEORIGIN" prevents others from framing your content. e.g.:

* An application context has a manifest applied from http://evil-cdn.com/manifest.json
* The manifest contains a start_url of http://foo.com/start.html
* The application context is navigated to http://foo.com/start.html
* The HTTP response of http://foo.com/start.html contains a header "Content-Security-Policy: manifest-src real-cdn.com"
* The application context refuses to render start.html because http://evil-cdn.com/manifest.json does not match real-cdn.com

This would allow start_url to be resolved against the manifest URL instead of the document URL, and cross-origin manifests could use an absolute URL.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/360#issuecomment-91661289

Received on Friday, 10 April 2015 19:38:12 UTC
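An added example, not part of the comment above or of the manifest spec, sketching the proposed check: when start_url is fetched, the response's manifest-src directive is compared against the manifest URL that was already applied. It assumes a simplified CSP source grammar ('self', 'none', '*', exact host with optional scheme, and a leading "*." wildcard); real CSP matching also covers ports, paths and scheme upgrades.

```javascript
// Added example (not from the thread): simplified "manifest-src" check.
// Source expressions handled: 'self', 'none', '*', [scheme://]host[:port],
// and "*.example" wildcards. Ports, paths and http->https upgrade rules of
// real CSP are deliberately left out.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does a single source expression allow the manifest's URL, given the
// document URL that 'self' is relative to?
function sourceMatches(expr, manifestUrl, documentUrl) {
  const m = new URL(manifestUrl);
  const d = new URL(documentUrl);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return m.origin === d.origin;
  if (e === "*") return true;
  const hasScheme = e.includes("://");
  const scheme = hasScheme ? e.split("://")[0] + ":" : null;
  const hostPart = hasScheme ? e.split("://")[1] : e;
  if (scheme && scheme !== m.protocol) return false;
  const host = hostPart.split("/")[0].split(":")[0];
  if (host.startsWith("*.")) {
    // "*.real-cdn.com" matches subdomains only, not the bare domain.
    return m.hostname.endsWith(host.slice(1)) && m.hostname !== host.slice(2);
  }
  return m.hostname === host;
}

// The rule proposed in the comment: with no manifest-src directive there is
// no restriction; otherwise the applied manifest must match some source,
// else the application context refuses to render the document.
function manifestAllowed(cspHeaderValue, manifestUrl, documentUrl) {
  const sources = parseCsp(cspHeaderValue).get("manifest-src");
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, manifestUrl, documentUrl));
}
```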