Re: [manifest] Define identity of a web app. (#272)

> I don't understand how is that even possible with the current spec? Can you show how you would do that, concretely, with say IRC cloud?

The truth is that it mostly isn't a problem if you assume that web apps are only ever installed from a page of the app, which is the assumption the spec makes. A side effect of this is that the manifest is not a trustable resource in its own right; it can only be used in conjunction with a page of the app. This is why I'm pushing for an answer on whether installing from an app store is considered a valid use case of a web manifest. For example:

* An evil developer creates a manifest at http://evil.com/manifest.json which has a start_url of http://irccloud.com/index.html
* They submit the URL http://evil.com/manifest.json to the Firefox Marketplace or Windows Store to be featured as an app, costing $1.
* A user installs the app from the app store, without reference to any page of the app
* The evil developer changes the start_url of the manifest to http://evil.com/login.html
* The user updates the app, launches it and logs into what they think is IRCCloud
* The evil developer puts an ad in the splash screen of the app suggesting the user try out the new and improved product at evil2.com
* The evil developer has $1, the user's username and password, and has them using their new evil2 product

As I understand it this was basically the rationale for the same-origin restriction on Firefox Apps. Whether or not this is important for web manifest depends largely on whether installing web apps from an app store, or using the manifest as a useful resource independently of a web page it might be referenced from, are considered valid use cases.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/272#issuecomment-97854220

Received on Thursday, 30 April 2015 16:04:37 UTC
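
The same-origin restriction mentioned in the message, sketched as two checks a store could run on a submitted manifest and on each update. This is an added example, not part of the original message or of any store's code; the function names `startOrigin`, `checkSubmission` and `checkUpdate` are hypothetical, and treating a missing `start_url` as the manifest's own URL is an assumption of the sketch.

```javascript
// Added example; function names are hypothetical, URLs come from the scenario above.

// Resolve start_url (possibly relative) against the manifest URL and return its origin.
// Assumption: a missing start_url is treated as the manifest's own directory.
function startOrigin(manifestUrl, manifest) {
  return new URL(manifest.start_url ?? ".", manifestUrl).origin;
}

// Submission-time check: start_url must share an origin with the manifest URL.
function checkSubmission(manifestUrl, manifest) {
  const manifestOrigin = new URL(manifestUrl).origin;
  let origin;
  try {
    origin = startOrigin(manifestUrl, manifest);
  } catch {
    return { ok: false, reason: "start_url is not a valid URL" };
  }
  if (origin !== manifestOrigin) {
    return {
      ok: false,
      reason: `start_url origin ${origin} differs from manifest origin ${manifestOrigin}`,
    };
  }
  return { ok: true, origin };
}

// Update-time check: the origin recorded at install is pinned, so a later
// manifest cannot move the app to a different origin.
function checkUpdate(installedOrigin, manifestUrl, updatedManifest) {
  const res = checkSubmission(manifestUrl, updatedManifest);
  if (!res.ok) return res;
  if (res.origin !== installedOrigin) {
    return {
      ok: false,
      reason: `update moves app from ${installedOrigin} to ${res.origin}`,
    };
  }
  return res;
}

// First step of the scenario: manifest on evil.com pointing at irccloud.com.
console.log(checkSubmission("http://evil.com/manifest.json",
  { start_url: "http://irccloud.com/index.html" }));
// Fourth step: an app installed with the irccloud.com origin is repointed to evil.com.
console.log(checkUpdate("http://irccloud.com", "http://evil.com/manifest.json",
  { start_url: "http://evil.com/login.html" }));
```

The second call passes the submission check on its own, because the new start_url is same-origin with the manifest; only the origin pinned at install rejects it.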