- From: Robert Linder <notifications@github.com>
- Date: Thu, 27 Jun 2019 15:48:24 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/issues/421/506538342@github.com>
@marcoscaceres Seeing as all major browsers have implemented OpenSearch, and actively maintain them from what I can tell through bug reports, I'm curious if that still holds true. Because most browsers do have a "tab-to-search" feature, they must think it's something useful. However, undoubtedly the majority of websites do not implement their own search functionality, and so, inspired by [this article](https://aaronparecki.com/2011/07/11/3/how-to-let-google-power-opensearch-on-your-website), I have [proposed](https://github.com/dewitt/opensearch/issues/6) OpenSearch to allow for developers to utilize the user's preferred search engine to perform searches instead of directly on-site. But I think this is a better place to raise my interest for the proposed feature.

---

As an aside (and perhaps I'll need to take this up with implementors directly), as the proposed feature builds on the ability that websites can use cross-origin URL templates, I can, on a personal blog for example, let Google handle searches like so: `<Url method="get" type="text/html" template="https://www.google.com/search?q=site:google.com+{searchTerms}"/>`

Is it reasonable to worry that an attacker might inject an OpenSearch Description to instead reference an end-point of malicious intent?
Received on Thursday, 27 June 2019 22:48:46 UTC
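
The concern raised in the message above can be checked from the site owner's side. The following is an added example, not part of the original message or of any browser's implementation: it parses an OpenSearch description and classifies each `Url` template as same-origin, on an explicit allowlist, or unexpected. The function names, the allowlist parameter and the `blog.example` / `search.unknown.example` hosts are assumptions made for illustration.

```python
"""Audit the <Url> templates of an OpenSearch description against an allowlist."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

OSD_NS = "{http://a9.com/-/spec/opensearch/1.1/}"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname or "",
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def audit_description(xml_text, site_url, allowed_origins=()):
    """Classify every Url template as same-origin, allowed or unexpected."""
    if "<!DOCTYPE" in xml_text.upper():
        # A description document needs no DTD; refuse rather than expand entities.
        raise ValueError("DOCTYPE found in description document")
    root = ET.fromstring(xml_text)
    site = origin(site_url)
    allowed = {origin(o) for o in allowed_origins}
    findings = []
    for url_el in root.iter(OSD_NS + "Url"):
        template = url_el.get("template", "")
        # Resolve relative templates against the site before comparing origins.
        target = origin(urljoin(site_url, template))
        if target == site:
            verdict = "same-origin"
        elif target[0] == "https" and target in allowed:
            verdict = "allowed-cross-origin"
        else:
            verdict = "unexpected"
        findings.append((verdict, template))
    return findings


# Constructed sample: the Google template is the one quoted in the message;
# the other Url elements and their hostnames are made up for illustration.
SAMPLE = """<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Blog</ShortName>
  <Url method="get" type="text/html" template="https://blog.example/search?q={searchTerms}"/>
  <Url method="get" type="text/html" template="https://www.google.com/search?q=site:google.com+{searchTerms}"/>
  <Url method="get" type="text/html" template="https://search.unknown.example/?q={searchTerms}"/>
</OpenSearchDescription>"""

if __name__ == "__main__":
    for verdict, template in audit_description(
            SAMPLE, "https://blog.example/", ["https://www.google.com"]):
        print(f"{verdict:22} {template}")
```

Run against the description a site actually serves (for example in CI or a scheduled job), an `unexpected` verdict signals that the document has been changed to point searches at an origin the owner never approved.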