- From: Ben Francis <notifications@github.com>
- Date: Thu, 18 Feb 2021 12:55:56 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/issues/586/781628904@github.com>
@dmurph wrote: > This would let malware 'take over' an app, as they would just set their id field to the manifest url. Ah yes I see that's what I was missing, so an absolute URL wouldn't work as a default. @philloooo wrote: > That's the reason we force the id to prefix with the start_url's origin. So if within the same origin, they serve multiple manifests with the same id , yeah they will be recognized as the same app. But I think that should be expected by the app developers for that site as this is spelled out in the spec. Yes I agree that at least contains the problem to a single origin. > The code for web app id is deeply embedded in Chromium in various places. Which I imagine also makes changing the current behaviour to a different solution quite tricky. > I updated the explainer with Firefox Android behavior Thank you! Don't forget KaiOS browser. --- OK, well I came here to offer my feedback, based on experience of implementing the specification a few times, that there's no need to add an `id` member to the manifest because manifests already have a natural universal identifier on the web which makes them directly linkable and discoverable and which de-references to a useful resource. It's unfortunate that we've gone so many years with no identifier being defined in the specification that it appears the obvious solution is no longer practical. If there's now no option but to define an `id` member inside the manifest, then my recommendation is that if manifest URL can not be a default then scope is the next least worst option in the long term. If that makes manifest consistent with service workers then that's even better. I wouldn't expect using scope as a default identifier to cause much breakage for existing applications because it is probably the most stable of all the available options inside the manifest, but I don't have any data available to me to validate that hypothesis. Start URL has always been a dubious choice as an identifier for a web application as it's the most likely to change, so it's unfortunate in my opinion that the Chrome team chose that option in the absence of a recommendation in the specification. I also wouldn't expect breaking "implicit expectations" of developers to be a big problem because in practice developers don't just target a single browser, they are already targeting a range of desktop and mobile browsers which behave inconsistently. It may even fix problems they were previously having with changing start URL or manifest URL, without any action on their part. As an independent Invited Expert I can only offer my feedback, I don't have a large user base behind me to give that feedback much leverage. So as long as Mozilla, Apple and KaiOS Technologies are not participating in the discussion, I expect the Chrome team will do what they believe is best for their users, and developers. Thank you @philloooo and @dmurph for taking the time to explain your rationale. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/586#issuecomment-781628904
Received on Thursday, 18 February 2021 20:56:09 UTC