Re: [w3c/manifest] Is it possible to load the progressive web app manifest file from authenticated site? (#535)

OK we had a closer look (with @dominickng). This _is_ a spec issue, because the Manifest spec explicitly overrides HTML's "Obtaining a resource from a link element" algorithm.

https://www.w3.org/TR/appmanifest/#obtaining

So while normal `<link>` elements send credentials by default, `<link rel="manifest">` explicitly does not. This appears to be intentional because it's secure by default, whereas retrofitting it for other link types like icons and style sheets was not possible.

For historical discussions, see:

- https://bugs.chromium.org/p/chromium/issues/detail?id=863218#c14
- https://github.com/w3c/manifest/issues/186#issuecomment-43798231
- https://github.com/w3c/manifest/issues/17#issuecomment-43808117

Looks like this has all been litigated in 2014 and a conclusion was made to override the default behaviour of HTML. Keeping this closed as I don't think it's worth going over this again.

https://github.com/w3c/manifest/issues/535#issuecomment-435739223

Received on Monday, 5 November 2018 02:45:47 UTC
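
The difference described in the message above, modelled as an added example (not part of the original message, the spec text, or any browser's code). It assumes the `crossorigin="use-credentials"` opt-in on the manifest link, which the message does not mention; `auditLinks`, `requiresAuth` and the sample page are hypothetical.

```javascript
// Simplified model of which <link> fetches carry cookies; constructed for illustration.

// HTML's enumerated `crossorigin` attribute: absent, "use-credentials", or
// anonymous (any other value, including the empty string).
function corsState(crossorigin) {
  if (crossorigin === undefined || crossorigin === null) return "none";
  return String(crossorigin).toLowerCase() === "use-credentials"
    ? "use-credentials" : "anonymous";
}

// Credentials mode of the fetch a <link> triggers.
function credentialsMode(rel, crossorigin) {
  const state = corsState(crossorigin);
  const isManifest = rel.toLowerCase().split(/\s+/).includes("manifest");
  // Manifest override: no credentials unless explicitly opted in (model assumption).
  if (isManifest) return state === "use-credentials" ? "include" : "omit";
  if (state === "none") return "include"; // ordinary link: credentials sent by default
  return state === "anonymous" ? "same-origin" : "include";
}

function sendsCookies(mode, pageUrl, resourceUrl) {
  if (mode === "include") return true;
  if (mode === "omit") return false;
  return new URL(resourceUrl, pageUrl).origin === new URL(pageUrl).origin;
}

// Report links whose target requires a session but would be fetched without one.
// `requiresAuth` is a hypothetical predicate encoding the site's own access rules.
function auditLinks(pageUrl, links, requiresAuth) {
  return links.map((l) => {
    const url = new URL(l.href, pageUrl);
    const mode = credentialsMode(l.rel, l.crossorigin);
    const blocked = requiresAuth(url) && !sendsCookies(mode, pageUrl, url.href);
    return { rel: l.rel, url: url.href, mode, blocked };
  }).filter((r) => r.blocked);
}

// Constructed sample page: everything under /app/ needs a session cookie.
const PAGE = "https://intranet.example/app/index.html";
const LINKS = [
  { rel: "stylesheet", href: "style.css" },
  { rel: "icon", href: "/app/icon.png" },
  { rel: "manifest", href: "manifest.json" },
  { rel: "manifest", href: "manifest.json", crossorigin: "use-credentials" },
];
const findings = auditLinks(PAGE, LINKS, (u) => u.pathname.startsWith("/app/"));
console.log(findings); // only the manifest link without crossorigin is reported
```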