Re: [w3c/manifest] Manifest processing should not be a function of document URL (#668) from Marcos Cáceres on 2021-03-10 (public-webapps-github@w3.org from March 2021)

From: Marcos Cáceres <notifications@github.com>
Date: Tue, 09 Mar 2021 20:55:56 -0800
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/issues/668/794879650@github.com>

> While you can't register a service worker without loading a document, you can absolutely download icons, register an app with the OS, and prepare it for launching, without downloading any documents.

I don't know if that is entirely true, as it's the document's CSP that governs where icons can be acquired from. For example, this would prevent manifest icons being loaded from a remote origin:

```HTTP
Content-Security-Policy: img-src self
```

Or 

```HTML
<meta http-equiv="Content-Security-Policy" content="img-src self">
```

So, loading the icons without respecting the document's CSP wouldn't be amazing.... it could be done, but it violates the server's expectations and raises security concerns (or raises eyebrows, at least).  

> The purpose of this work is that therefore user agents shouldn't be required to modify their interpretation of the app based on the (possibly nonexistent) document URL.

Ok, but this then become a matter of scope (not manifest "scope"!) of this standardization effort. I.e., for the purpose of standardization of this specification, should the Working Group concern itself with anything but what web browsers do with the manifest? 

My opinion has always been no. I'm not discounting the "App Store" use case (which is why we split out [app-info](https://github.com/w3c/manifest-app-info/)), but we've been generally resistant to considering those requirements, as they can conflict with relationship between the Document and manifest as a sub-resource/link-relationship.

> Also, I don't want Document X and Document Y to link the same manifest, but result in a different app experience.
>The spec currently doesn't actually allow the second scenario at all, so it doesn't reflect reality. 

But isn't this an author decision? If the author chooses to omit `"scope"`, they are basically opting into that different experience (with the possible enhancement disambiguation via some identifier along the lines of #586). 


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/668#issuecomment-794879650

Received on Wednesday, 10 March 2021 04:56:09 UTC