Re: [manifest] Define identity of a web app. (#272)

> The truth is that it mostly isn't a problem if you assume that web apps are only ever installed from a page of the app, which is the assumption the spec makes. 

Yes, which is exactly why I've never understood what the hell you people were talking about :)  

> A side effect of this is that the manifest is not a trustable resource in its own right, it can only be used in conjunction with a page of the app. This is why I'm pushing for an answer on whether installing from an app store is considered a valid use case of a web manifest.

Not for this spec. No. 

> For example:

>   * An evil developer creates a manifest at http://evil.com/manifest.json which has a start_url of http://irccloud.com/index.html

It can't do that. This is already banned. 

>   * They submit the URL http://evil.com/manifest.json to the Firefox Marketplace or Windows Store to be featured as an app, costing $1.

-10 points (you were warned! :)). 

> As I understand it this was basically the rationale for the same-origin restriction on Firefox Apps. Whether or not this is important for web manifest depends largely on whether installing web apps from an app store, 

It's not. The assumption is that you install at the application site, not from an app store. 

> or using the manifest as a useful resource independently of a web page it might be referenced from, are considered valid use cases.

This one is, but only in relation to performing updates of icons, etc.  



Received on Thursday, 30 April 2015 16:36:46 UTC