Re: [manifest] Must manifests be same-origin? (#360)

@anssiko Actually, I think all of what you just wrote is already covered by the Content Security Policy section in the spec http://w3c.github.io/manifest/#content-security-policy, but it is currently redundant due to the same-origin restriction recently added.

What I'm proposing is that the CSP header also be used at runtime to prevent pages being rendered inside an application context with an unauthorised manifest applied.

For example, the application context of an app installed from a manifest at http://evil-cdn.com/manifest.json could not render a page from http://foo.com/index.html which included an HTTP header like "Content-Security-Policy: manifest-src real-cdn.com".

The idea is that this makes the manifest less dependent on the page it was installed from, and more of a useful resource in its own right. That allows for use cases like installing an app directly from its manifest URL (using some internal installation mechanism in the user agent).

Like with embedding web pages in iframes, the default would be that it is permitted, but a developer can opt in to protecting their content from being installed via an externally defined manifest.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/360#issuecomment-92387325

Received on Monday, 13 April 2015 14:50:29 UTC
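
The runtime check proposed in the message above, sketched as an added example (not code from the original message, the manifest spec, or any user agent). The function names are hypothetical, the source matching is a simplified subset of CSP (ports and paths in host sources are ignored), and an absent `manifest-src` directive is assumed to mean "permitted", as the message suggests.

```javascript
// Parse a Content-Security-Policy header value into a Map: directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP the first occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified source-expression matching (assumption: ports and paths are not compared).
function sourceMatches(source, manifest, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return manifest.origin === page.origin;
  if (s.includes('://')) {
    // Full origin given: compare scheme, host and port via URL.origin.
    let u;
    try { u = new URL(s); } catch { return false; }
    return u.origin === manifest.origin;
  }
  // Scheme-less host source such as "real-cdn.com" or "*.real-cdn.com".
  const host = s.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return manifest.hostname.endsWith(host.slice(1));
  return manifest.hostname === host;
}

// May pageUrl be rendered inside an application context whose manifest is manifestUrl?
function manifestAllowed(cspHeader, manifestUrl, pageUrl) {
  if (!cspHeader) return true;                  // no policy: permitted by default
  const sources = parseCsp(cspHeader).get('manifest-src');
  if (sources === undefined) return true;       // page did not opt in
  const manifest = new URL(manifestUrl);
  const page = new URL(pageUrl);
  // An empty source list behaves like 'none': some() over [] is false.
  return sources.some((src) => sourceMatches(src, manifest, page));
}

// The case from the message: foo.com only authorises manifests from real-cdn.com.
const page = 'http://foo.com/index.html';
console.log(manifestAllowed('manifest-src real-cdn.com', 'http://evil-cdn.com/manifest.json', page));
console.log(manifestAllowed('manifest-src real-cdn.com', 'http://real-cdn.com/manifest.json', page));
```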