- From: Daniel Murphy <notifications@github.com>
- Date: Tue, 02 Feb 2021 10:58:41 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 2 February 2021 18:58:54 UTC
@philloooo is doing an in-depth analysis here that we should be able to publish here by the end of the week.
So far manifest_url seems like it might be a security issue -
pretend Bing now has a music service, Bing Music, which is a PWA.
Along comes malware.com....
malware.com/manifest.json:
```
{
  ...
  "id": "https://music.bing.com/manifest.json",
  "name": "Bing Music!",
  "start_url": "https://music.bing.malware.com",
  ...
}
```
And now malware.com has taken over Bing Music!
Anyways, explainer coming soon, and we're excited for feedback!
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/586#issuecomment-771891970
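
An added example, not part of the original message or of any browser's code: one way a user agent could refuse the cross-origin `id` claim described above, by accepting `id` only when it is same-origin with the resolved `start_url`. The helper name `resolveAppId`, its return shape and both sample manifests are constructed for illustration.

```javascript
// Constructed sample, modelled on the manifest in the message above
// (the elided "..." members are left out).
const spoofedManifest = {
  id: "https://music.bing.com/manifest.json",
  name: "Bing Music!",
  start_url: "https://music.bing.malware.com",
};

// Constructed benign sample for comparison.
const honestManifest = {
  id: "/manifest.json",
  name: "Bing Music",
  start_url: "https://music.bing.com/",
};

// Hypothetical helper: returns the identity to record for an install.
// Assumption: an id is honoured only if it shares an origin with start_url;
// otherwise the app is keyed on start_url and cannot claim another site's id.
function resolveAppId(manifest, manifestUrl) {
  let startUrl;
  try {
    // A missing start_url falls back to the manifest's own URL.
    startUrl = new URL(manifest.start_url ?? manifestUrl, manifestUrl);
  } catch {
    return { id: null, accepted: false, reason: "invalid start_url" };
  }
  if (typeof manifest.id !== "string" || manifest.id === "") {
    return { id: startUrl.href, accepted: false, reason: "no id, using start_url" };
  }
  let claimed;
  try {
    // Relative ids resolve against the start_url origin.
    claimed = new URL(manifest.id, startUrl.origin);
  } catch {
    return { id: startUrl.href, accepted: false, reason: "invalid id, using start_url" };
  }
  if (claimed.origin !== startUrl.origin) {
    const reason = `id origin ${claimed.origin} differs from start_url origin ${startUrl.origin}`;
    return { id: startUrl.href, accepted: false, reason };
  }
  return { id: claimed.href, accepted: true, reason: "id is same-origin with start_url" };
}

console.log(resolveAppId(spoofedManifest, "https://malware.com/manifest.json"));
console.log(resolveAppId(honestManifest, "https://music.bing.com/manifest.json"));
```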