- From: Ben Francis <notifications@github.com>
- Date: Tue, 02 Feb 2021 11:27:57 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 2 February 2021 19:28:10 UTC
@dmurph wrote:

> So far manifest_url seems like it might be a security issue
> ...
> ```
> {
>   ...
>   id: "https://music.bing.com/manifest.json",
>   name: "Bing Music!",
>   start_url: "https://music.bing.malware.com",
>   ...
> }
> ```

To be clear, this is not what I mean when I say use the manifest URL as the identifier for the app. Don't parse the manifest URL from an `id` member inside the manifest, use the URL from which you fetched the manifest as its identifier. That way only music.bing.com can host a manifest with the identifier of https://music.bing.com/manifest.json.

Also, IIRC `start_url` currently has to be same-origin as document URL, so if this manifest was linked from a document hosted at malware.com then this `start_url` would not be allowed and would fall back to the document URL the app was installed from.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/586#issuecomment-771914033
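The two rules described in the message above, as an added example that is not part of the original email, the specification text, or any browser's code: the identifier is taken from the URL the manifest was fetched from, and a cross-origin `start_url` falls back to the document URL. The function name `resolveAppIdentity`, its parameters and the returned fields are hypothetical, and the hosting scenario is constructed from the hostnames in the thread.

```javascript
// Added example: hypothetical helper, not code from the spec or a browser.
// Assumption: the caller knows the URL the manifest was actually fetched from
// and the URL of the document that linked to it.
function resolveAppIdentity(manifestUrl, documentUrl, manifestText) {
  const fetchedFrom = new URL(manifestUrl);
  const doc = new URL(documentUrl);
  const manifest = JSON.parse(manifestText);

  // Identity comes from where the manifest was fetched, never from a value
  // the manifest claims for itself (such as an `id` member).
  fetchedFrom.hash = "";
  const identity = fetchedFrom.href;

  // start_url is resolved against the manifest URL and kept only when it is
  // same-origin with the document; otherwise fall back to the document URL.
  let startUrl = doc.href;
  let startUrlRejected = false;
  if (typeof manifest.start_url === "string") {
    try {
      const candidate = new URL(manifest.start_url, fetchedFrom.href);
      if (candidate.origin === doc.origin) {
        startUrl = candidate.href;
      } else {
        startUrlRejected = true;
      }
    } catch (err) {
      startUrlRejected = true; // unparsable start_url
    }
  }
  const claimedId = typeof manifest.id === "string" ? manifest.id : null;
  return { identity, startUrl, startUrlRejected, claimedId,
           idMismatch: claimedId !== null && claimedId !== identity };
}

// Constructed sample: the manifest from the quoted message, as valid JSON.
const SAMPLE_MANIFEST = JSON.stringify({
  id: "https://music.bing.com/manifest.json",
  name: "Bing Music!",
  start_url: "https://music.bing.malware.com",
});

// Constructed scenario: the manifest is hosted on and linked from malware.com.
const spoofed = resolveAppIdentity(
  "https://malware.com/manifest.json", "https://malware.com/", SAMPLE_MANIFEST);
console.log(spoofed);
```

The `idMismatch` flag is only a diagnostic for logging; the returned `identity` never depends on the manifest's contents.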