- From: Dominick Ng <notifications@github.com>
- Date: Sun, 31 May 2020 19:23:54 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 1 June 2020 02:24:07 UTC
I don't see a compelling security-related reason to restrict fetching a manifest and using the metadata in it to HTTPS - any more so than any other piece of declarative content served over HTTP. It feels like an arbitrary restriction ("because we can") rather than a meaningful one. For instance, a browser might wish to fetch the web app manifest to display higher quality icon tiles on its New Tab Page.
As Matt said, installation itself has non-normative requirements of HTTPS, and that feels sufficient to me (it would be nice to have not deleted all the installation bits in the spec; that would have been the perfect place to put the HTTPS requirement).
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/887#issuecomment-636578761
Received on Monday, 1 June 2020 02:24:07 UTC