Re: [manifest] Define identity of a web app. (#272)

> Make manifest metadata authoritative (a user agent ignores a page's meta tags): this gives us the ability to perform updates, etc. reliably without relying on the document from which the page was installed.

Yes.

> Make only CORS-enabled fetches of the manifest the default, as per #353. This allows cross-origin fetches, but provides content authors the ability to prevent other sites using their manifests without permission.

I think you keep misunderstanding the problem people are talking about here. The problem is not other people using your manifest for their own content (what use would that be to them?). It's other people re-packaging your content as an app by creating their own manifest for your content and showing ads in splashscreens, changing the start_url for phishing purposes, or selling it in an app store, etc.

This is why I think the solution needs to be on the app content end, not the manifest end, and is why I suggested the idea of using the CSP header to determine whether to render a page.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/272#issuecomment-97845875

Received on Thursday, 30 April 2015 15:47:50 UTC