[w3c/manifest] Clarify behaviour of a page linking to a manifest that is not within scope of that manifest (#784) from Matt Giuca on 2019-09-09 (public-webapps-github@w3.org from September 2019)

From: Matt Giuca <notifications@github.com>
Date: Sun, 08 Sep 2019 20:06:40 -0700
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/issues/784@github.com>

Coming across from [Chrome issue 961525](https://crbug.com/961525).

Consider the case where a page (e.g., https://stormy-pincushion.glitch.me) links to a manifest whose scope does not enclose the page that originally linked the manifest (e.g., "scope": "/why"). Should this be considered a valid manifest for the page?

The spec doesn't really provide any guidance on this. Since the details in the spec around installation are pretty fuzzy, it's hard to see exactly how to fit this in, but I think we'd like to essentially _ignore_ the manifest entirely in this situation. The manifest does not apply to this page, therefore it shouldn't influence the display of the page (e.g., the theme colour, etc), nor should we consider this page to be able to trigger installation.

Currently, Chrome [does allow installation](https://crbug.com/961525) for this page, resulting in a weird situation where as soon as you install the app, you are shown an out-of-scope address bar since the page you were on is not part of the app scope.

I would like to add to the [installation process](https://www.w3.org/TR/appmanifest/#installation-process) text along these lines:

"If obtaining the manifest succeeds, if the current document URL is not [within scope](https://www.w3.org/TR/appmanifest/#dfn-within-scope) of the manifest, fail."

Also the installation process could generally be cleaned up, since it suggests that the install takes place in parallel to obtaining the manifest, which doesn't make sense because you need to obtain the manifest first before you can even know whether it can be installed.

See https://crbug.com/961525 for some Chrome-team discussion about what should happen. Another possibility is that we explicitly allow this, basically saying that a page can offer a manifest on the same origin but in a different scope for installation. My feeling is that this almost certainly represents an accidentally-too-small-scope so we shouldn't allow it.

We should also change [authority of the manifest's metadata](https://www.w3.org/TR/appmanifest/#authority-of-the-manifest-s-metadata).

Note: Original test case was https://harmonious-cosmonaut.glitch.me which has no "scope" (using the implicit scope of the manifest directory); I forked it to https://stormy-pincushion.glitch.me which has an explicit scope to more directly demonstrate the issue.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/784

Received on Monday, 9 September 2019 03:07:02 UTC