- From: Matt Giuca <notifications@github.com>
- Date: Mon, 06 Jul 2020 00:41:39 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 6 July 2020 07:41:51 UTC
It sounds like from the original report that the reason to prevent this would be to prevent escaping out of a subdirectory (e.g., if you were given ownership over a subdirectory on a shared origin with other untrusted parties). On the web, paths are not a security boundary. That battle is far too lost; there are heaps of things that let you do anything you want at the origin scope -- even in the manifest you could set a scope of `"/"`. The origin is the security boundary, and web hosts should give each person their own suborigin, not a sub-path. Therefore, closing as WAI. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/551#issuecomment-654070943
Received on Monday, 6 July 2020 07:41:51 UTC