Re: [w3ctag/design-reviews] Review origin policy. (#127)

So the TAG just had a bit more discussion about the interaction between origin-policy and [web app manifest](https://w3c.github.io/manifest/).  A number of ideas got thrown around (probably starting with the first and then moving to the second):
* the possibility of putting web app manifest stuff into the origin policy
* the possibility that a developer could, on their own, choose to use the same file as both the origin policy file and the web app manifest file (and even have the origin policy link to itself as the web app manifest by adding a site-wide `Link:` header). This just requires that the two specs have lenient parsing (we think they do) and avoid conflicting keys.

We think there are two advantages to this:
* reduction in round trips to the server
* reduction in developer complexity for what we think will be common cases, where there's a 1:1 mapping between the origin and the webapp

@triblondon also suggested the name "origin manifest" to replace "origin policy", which a bunch of us seem to like.

@triblondon also suggested more merging of the formats, where the manifest concept has two different levels of what can be set: app-wide and origin-wide. I'm a little concerned about the potential confusion that some manifests (those not in `.well-known`) wouldn't be able to set the origin-wide ones.

We had some discussion about HSTS and whether the ability to set HSTS from any page in the origin (without, e.g., the ability to control `/.well-known/`) is a mistake that this specification offers a path to fixing (i.e., that applying HSTS to the entire origin belongs in the origin policy instead).

We're curious what others think about these ideas.

-- 
View it on GitHub:
https://github.com/w3ctag/design-reviews/issues/127#issuecomment-298142318

Received on Saturday, 29 April 2017 02:44:31 UTC