- From: Aaron Gustafson <notifications@github.com>
- Date: Mon, 30 Nov 2020 17:08:25 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 1 December 2020 01:08:37 UTC
I don’t think this was addressed above—forgive me if it was—but what is to stop a bad actor from spoofing the `id` of another app? Do you think there should be an additional check in place? Maybe something like _origin_ + `id`? It would complicate things like domain migrations, but I feel like we could probably come up with a best practice for that as well. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/586#issuecomment-736150537
Received on Tuesday, 1 December 2020 01:08:37 UTC