Re: [w3c/manifest] Add a unique identifier for a PWA (#586)

@dmurph wrote: 
> I do think that there is one big downside for using manifest_url as the ID - this means that a manifest wouldn't be inherently 'packaged' by itself. Like - you couldn't install an app just from a manifest without that manifest url (or the id being specified).

I personally think that's a good thing because trust in the origin a manifest was retrieved from is surely an important factor in the implict permissions a user grants by installing a web application? It also what makes the app more [linkable and discoverable](https://infrequently.org/2015/06/progressive-apps-escaping-tabs-without-losing-our-soul/) if the ID actually dereferences to something.

> it is difficult to fake for the 'webapp'ing that current browsers do. Right now, you can create a fake manifest for a site and just set the start_url to the url that is being shown, and bam, webapp. But if manifest_url becomes the unique ID, and systems are designed around that, then that becomes more complicated.

For a hack like a fake manifest, which won't be following the specification anyway, could browsers generate a special cased local URL like chrome://apps/myfakeapp.webmanifest ?

> they [two manifests providing the same ID] would be the same webapp

That would presumably make https://foo.github.io/repo1/app1.webmanifest and https://foo.github.io/repo2/app2.webmanifest or https://google.com/calendar/app.webmanifest and https://google.com/mail/app.webmanifest the same app, if they provided the same ID.

That arguably isn't a huge issue as the origin is ultimately the trust boundary, but it could be a bit of a footgun.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/586#issuecomment-669842405