- From: Matt Giuca <notifications@github.com>
- Date: Wed, 01 Jul 2020 22:03:02 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/pull/834/review/441351878@github.com>
@mgiuca commented on this pull request.
> @@ -304,6 +304,10 @@ <h2>
</li>
</ul>
</li>
+ <li>Otherwise, if |manifest|["{{WebAppManifest/start_url}}"] is not
+ present, or not <a>same origin</a> as the {{Document}}'s
+ {{Document/URL}}, consider the document not <a>installable</a>.
Right, so that _does_ unfortunately mean that processing the manifest is still a function of the document URL (if we say "discard `start_url` and `scope` if they are not same-origin as document URL and replace them with document URL and the dir of the document URL, respectively"). That's explicitly what I was trying to avoid here.
I think I can live with it if we do that as a separate step outside the "processing the manifest".
That basically means we do "processing the manifest" which is NOT a function of the document URL, and then in a step outside of that, we do the above check if you're trying to install a document.
Marcos, I think you're right, having "installability of a document" doesn't make a lot of sense since user agents can always choose to install any document, and in any case, our current steps to determine installability are MAY MAY MAY. So we can scrap that. But I think we do need to replace this with some other steps for essentially "sanitizing a manifest for installation from a document".
What I want to allow is basically two separate high-level operations:
1. Installing a manifest. (Not associated with a document at all.) That's essentially what's enabled by this PR, by allowing the user agent to process a manifest without a document URL, then install it.
2. Installing a document. Get the associated manifest, if there is one. If there isn't, you can make one up. But this step should ensure that the manifest is same-origin as the document, to prevent sites from being able to install PWAs on another origin.
I propose that 1 is taken care of by just the definition "[install](https://www.w3.org/TR/appmanifest/#dfn-installed)" (what that means is UA-specific). And for 2, we should replace "steps to determine the installability of the document" with the following:
**Steps to install a document**, given a processed manifest _manifest_:
1. Let _manifest_ and _manifest URL_ be the result of [obtaining the manifest](https://www.w3.org/TR/appmanifest/#dfn-obtaining-the-manifest).
2. If obtaining the manifest results in an error, set _manifest_ to a processed manifest, populated from the top-level browsing context Document's metadata in a user-agent-specific way (e.g., setting `manifest["name"]` to the document title).
3. If `manifest["start_url"]` is not present, or not same origin as the Document URL, set `manifest["start_url"]` to the Document URL, and set `manifest["scope"]` to the result of parsing "." using the Document URL as the base URL.
4. [Install](https://www.w3.org/TR/appmanifest/#dfn-installed) the manifest.
This is too much work to do in this PR, so I think I'll just continue propping up the "installability of the document" concept right now, and do the above later after some more discussion.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/834#discussion_r448750296
Received on Thursday, 2 July 2020 05:03:16 UTC