- From: Anssi Kostiainen <notifications@github.com>
- Date: Mon, 13 Apr 2015 07:02:34 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Message-ID: <w3c/manifest/issues/360/92366973@github.com>
@benfrancis Let me try to rephrase your proposal in terms of HTTP requests and responses. Some details omitted for brevity. Correct any misinterpretations.
Assumptions made for the currently unspecified `manifest-src` directive:
* `manifest-src *` permits cross-origin manifest fetch by default (in addition, the cross-origin manifest fetch response must have a proper `Access-Control-Allow-Origin` header set)
* `manifest-src 'self'` enforces same-origin manifest fetch
* `manifest-src real-cdn.com` allows cross-origin manifests from real-cdn.com only
Example: evil-cdn.com hosts manifest.json. foo.com indicates it trusts real-cdn.com only to deliver a valid manifest. The UA considers manifest.json served from evil-cdn.com invalid since it violates foo.com's manifest-src directive.
Request foo.com:
```
GET / HTTP/1.1
Host: foo.com
Accept: */*
```
Response:
```
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: manifest-src real-cdn.com

<html>
<head>
<title>foo.com</title>
<link rel="manifest" href="http://evil-cdn.com/manifest.json">
</head>
<body>
</body>
</html>
```
Fetch of http://evil-cdn.com/manifest.json fails due to a manifest-src violation; the response would have been:
```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://foo.com
Content-Type: application/manifest+json

{
"start_url": "http://foo.com/start.html"
...
}
```
@benfrancis Did I get your proposal right?
---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/360#issuecomment-92366973
Received on Monday, 13 April 2015 14:03:04 UTC
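
The decision the message walks through, as an added example that is not part of the original message and not any UA's or the spec's code. It models only the three `manifest-src` assumptions listed above plus the `Access-Control-Allow-Origin` check; the function names, the bare-host comparison and the treatment of an absent directive as `manifest-src *` are assumptions made for illustration.

```javascript
// Added example: simplified model of the manifest-src assumptions in the message.
// Not the CSP specification's matching algorithm.

// Extract the source list of one directive from a CSP header value.
function directiveSources(cspHeader, name) {
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive absent
}

// Does a single source expression permit the manifest URL?
function sourceMatches(source, manifestUrl, pageUrl) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return manifestUrl.origin === pageUrl.origin;
  // Bare host such as real-cdn.com: compare host names only (simplification).
  return source.toLowerCase() === manifestUrl.hostname.toLowerCase();
}

// Decide whether the UA would use the manifest.
// acao: Access-Control-Allow-Origin value of the manifest response, or null.
function checkManifestFetch(pageHref, cspHeader, manifestHref, acao) {
  const pageUrl = new URL(pageHref);
  const manifestUrl = new URL(manifestHref, pageUrl);
  const sources = directiveSources(cspHeader || "", "manifest-src");
  // Assumption: an absent directive behaves like manifest-src *.
  const allowedByCsp = sources === null ||
    sources.some((s) => sourceMatches(s, manifestUrl, pageUrl));
  if (!allowedByCsp) return { ok: false, reason: "manifest-src violation" };
  if (manifestUrl.origin !== pageUrl.origin &&
      acao !== "*" && acao !== pageUrl.origin) {
    return { ok: false, reason: "CORS check failed" };
  }
  return { ok: true, reason: "allowed" };
}

// The message's scenario: foo.com trusts only real-cdn.com.
const evil = checkManifestFetch("http://foo.com/", "manifest-src real-cdn.com",
  "http://evil-cdn.com/manifest.json", "http://foo.com");
console.log(evil); // { ok: false, reason: 'manifest-src violation' }
```

The policy check runs before the CORS check, so the matching `Access-Control-Allow-Origin` header from evil-cdn.com never comes into play.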