Re: [w3c/manifest] Adding file_handlers and launch consumer (#1005) from Evan Stade on 2022-03-30 (public-webapps-github@w3.org from March 2022)

From: Evan Stade <notifications@github.com>
Date: Wed, 30 Mar 2022 11:06:00 -0700
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/pull/1005/review/926523784@github.com>

@evanstade commented on this pull request.



> +          The [=file handler=]'s <code><dfn data-dfn-for=
+          "file handler">action</dfn></code> member is a <a>string</a> that
+          represents a relative URL of the [=manifest/start_url=] origin that
+          is [=manifest/within scope=] of a [=Document/processed manifest=].
+          This URL will be navigated to in the steps to [=execute a file
+          handler launch=].
+        </p>
+      </section>
+      <section>
+        <h3>
+          `name` member
+        </h3>
+        <p>
+          The [=file handler=]'s <code><dfn data-dfn-for=
+          "file handler">name</dfn></code> member is a <a>string</a> that
+          describes the file type. User agents MAY pass this information to the

> Something doesn't seem right here (might just be the wording)... it's a "name" that "describes".

Being descriptive is a property of a good name, I think :) But I shall change this to "identifies".

> Also, I'm a bit unsure where this gets shown to a user?

The non-normative note right below describes where it's shown to the user. Do you have suggestions on how to make that text more clear?

> Is there potential abuse here? Like "name": "Pictures" and "type": "application/whatever"

I can't see a security threat here, but then it's not my specialty. We have, however, subjected this API to several rounds of internal security review and while spoofing in general is a keen concern, the name is not as much of a focus as the icon. I left the wording here more relaxed ("MAY") to accommodate that, depending on the level of trust the user agent places in the app. For example, a user agent with a lot of ceremony around installation may trust installed apps enough to display the name and icon, whereas a user agent where installation is totally frictionless may not want to display name and icon at all.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/1005#discussion_r838826526
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/manifest/pull/1005/review/926523784@github.com>

Received on Wednesday, 30 March 2022 18:06:12 UTC