- From: Daniel Murphy <notifications@github.com>
- Date: Thu, 23 Apr 2020 10:03:57 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/issues/821/618519995@github.com>
> > Is that realistic? > > Could be... we could maybe broaden the acceptable types for legacy reasons if it captures a large enough %? (though that's a little eek, as the "JSON MIME Type" is already fairly broad). > > It might also depend if those not serving with the correct mimetype are actual "web apps" worth installing. When I looked at this problem [back in 2014](https://github.com/w3c-webmob/installable-webapps/blob/gh-pages/ios_standalone/README.md#key-findings), it turned out that the apps claiming to be "installable" were, in large part, not usable at all. I definitely buy that. I'm also very skeptical of relying on sites updating their software in any way, especially for anything that isn't made by a large company. I would really hate to break a whole long tail of websites. I would guess that having `.webmanifest` not included in httpd and nginx now means that for the next decade at least a large amount of sites will not have `.webmanifest` included. Maybe you have different data on how often website have their server updated. In my experience 1% is often, 5% sometimes, and 94% never or almost never. Maybe the world has changed though 🤷 @mikewest I think I understand the security concern, and it might be orthogonal to this - I'm guessing we could try to parse this in the browser or utility process if we need to? Perhaps we create a crbug? Question for you: If we restrict on mime type, does this actually protect this from being parsed in the renderer? Is there some sort of network layer / browser layer validation? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/821#issuecomment-618519995
Received on Thursday, 23 April 2020 17:04:10 UTC