Re: [w3c/manifest] Why does obtaining not check a MIME type? (#821)

So is the concrete example here that a manifest that's served with `application/manifest+json` could not be fetched from an `<img>` element, for example, which means a site that allows users to create arbitrary `<img>` elements but not inject other HTML would be unable to trigger that manifest from being fetched cross-origin? But a manifest served with `image/png` could be fetched from an `<img>` element? Thus we want to make sure manifests served with `image/png` are not permitted to be used as manifests?

If so, I guess that makes sense. We should do a survey of the manifest MIME types. I think @dmurph is the right person to prioritize this. My suspicion is that since this has never been enforced, close to 0% of manifests will be served with `application/manifest+json`. Since most manifests have a `.json` file extension, I assume a large percentage of web servers will automatically serve them with the `application/json` MIME type, so it might be acceptable if we require one of those two types.

https://github.com/w3c/manifest/issues/821#issuecomment-617597447

Received on Wednesday, 22 April 2020 07:16:57 UTC
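
The rule floated in the comment above (use a manifest only when it is served as `application/manifest+json` or `application/json`), together with a tally of the kind the proposed survey would produce, as an added example that is not part of the original message, the manifest spec, or any browser's code. The function names and the sample responses are constructed for illustration.

```javascript
// Added example: the allowlist is the one suggested in the comment, not spec text.
const ALLOWED_ESSENCES = new Set(["application/manifest+json", "application/json"]);

// Extract the MIME essence ("type/subtype", lowercased) from a Content-Type
// header value, dropping parameters such as charset. Returns null when the
// header is missing or is not a well-formed type/subtype pair.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  // Type and subtype must each be one or more HTTP token characters.
  const token = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// True only for the two types the comment proposes to permit. A manifest
// labelled image/png (fetchable through an <img> element) is refused.
function isAcceptableManifestType(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && ALLOWED_ESSENCES.has(essence);
}

// Tally observed Content-Type values: how many manifests would still load
// under the rule, and which types the rejected ones were served with.
function surveyManifestTypes(observations) {
  const tally = { accepted: 0, rejected: 0, byEssence: {} };
  for (const { contentType } of observations) {
    const key = mimeEssence(contentType) ?? "(missing or malformed)";
    tally.byEssence[key] = (tally.byEssence[key] || 0) + 1;
    if (isAcceptableManifestType(contentType)) tally.accepted++;
    else tally.rejected++;
  }
  return tally;
}

// Constructed sample observations (not real survey data).
const SAMPLE = [
  { url: "https://a.example/manifest.json", contentType: "application/json; charset=utf-8" },
  { url: "https://b.example/site.webmanifest", contentType: "Application/Manifest+JSON" },
  { url: "https://c.example/avatar.png", contentType: "image/png" },
  { url: "https://d.example/manifest.json", contentType: "text/plain" },
  { url: "https://e.example/manifest", contentType: undefined },
];

console.log(surveyManifestTypes(SAMPLE));
```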