Re: [w3c/manifest] Allow manifest processing to be invoked without going through an HTML document (PR #1069)

Hi folks,

Sorry for taking a while to circle back on this. I wanted to take time to self-review since it was a long time since I uploaded the PRs, and that meant pushing it back until I found some free time.

So now that I've paged it back in, the security concern Marcos had is basically that the HTML applies lots of CORS checks before downloading the manifest. This change (particularly, what's implied by the non-normative note) allows user agents to magically supply a manifest from anywhere and not follow the HTML download steps. In some sense, that's the whole point (e.g., we are trying to use this to create a service that installs apps from pre-cached manifests; we explicitly _do not want_ to have to follow the HTML download steps to fetch it from its actual URL). But in another sense, that opens up the possibility of a UA not following CORS.

It's possible we want stronger language, like "the user agent MUST use a manifest that it previously downloaded using the CORS stuff from HTML" but I don't really know how to phrase that or what the implications are. For now, I think (if you all agree) it's OK to leave that up to user agents to work out, and trust that they will avoid spoofs. Maybe this can just be a security consideration (in a follow-up? Or should I add it in this PR?).

Since several of you have pinged me to say "please merge this so we can get on with our lives", I'm thinking we just merge it for now and add security considerations as a followup. Unless someone objects, I'll do that as soon as I get an approval on whatwg/html#8754. I have rebased.

****

I haven't used "merge queue" before. I don't see a way that I can enter a commit message -- how do you do that now? (Is it going to use the original post text? That contains stuff I don't want, including the preview and draft links.)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/1069#issuecomment-1517422565
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/manifest/pull/1069/c1517422565@github.com>

Received on Friday, 21 April 2023 07:53:27 UTC
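As an added illustration of the point raised in the message above (this is not code from the PR, the HTML or Web App Manifest specs, or any browser), the snippet below shows the two things a user agent still owes a manifest it took from a cache rather than from the HTML `<link rel=manifest>` fetch: the request options that fetch path would have used, and the same-origin binding that manifest processing applies to `start_url` and `scope` whatever the manifest's provenance. With those checks, a spoofed manifest cannot steer an installed app to another origin; without them, the "manifest from anywhere" note is where the spoof would get in. The function names and sample URLs are constructed for this example.

```javascript
// Added example for this thread, not the project's own code. Approximates the
// origin binding that manifest processing applies to start_url and scope, so a
// manifest obtained outside the HTML fetch path is still pinned to the document's
// origin. Names and sample URLs are constructed for the illustration.

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// "Within scope": same origin and the target's path starts with the scope's path.
function withinScope(targetURL, scopeURL) {
  const t = new URL(targetURL);
  const s = new URL(scopeURL);
  return t.origin === s.origin && t.pathname.startsWith(s.pathname);
}

// Request init the HTML "fetch the manifest" path uses: CORS mode, and
// credentials only when the <link> carries crossorigin="use-credentials".
function manifestFetchInit(crossOriginAttr) {
  return {
    mode: 'cors',
    credentials: crossOriginAttr === 'use-credentials' ? 'include' : 'same-origin',
  };
}

// Resolve start_url and scope the way manifest processing does: both are parsed
// against the manifest URL; start_url must be same-origin with the document,
// scope must be same-origin with start_url and contain it. Anything else falls
// back to the defaults (document URL, and start_url minus its filename).
function processManifest(manifestText, manifestURL, documentURL) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (e) {
    manifest = {};
  }
  if (manifest === null || typeof manifest !== 'object' || Array.isArray(manifest)) {
    manifest = {};
  }

  let startUrl = documentURL;
  if (typeof manifest.start_url === 'string') {
    try {
      const candidate = new URL(manifest.start_url, manifestURL).href;
      if (sameOrigin(candidate, documentURL)) startUrl = candidate;
    } catch (e) {
      // unparsable start_url: keep the document URL
    }
  }

  // Default scope: start_url with filename, query and fragment removed.
  let scope = new URL('.', startUrl).href;
  if (typeof manifest.scope === 'string') {
    try {
      const candidate = new URL(manifest.scope, manifestURL);
      candidate.search = '';
      candidate.hash = '';
      if (withinScope(startUrl, candidate.href)) scope = candidate.href;
    } catch (e) {
      // unparsable scope: keep the default
    }
  }

  return { start_url: startUrl, scope };
}

// Constructed spoof attempt: a cached manifest claiming a start_url on a bank's
// origin. The same-origin check drops it back to the document URL.
const spoofed = processManifest(
  '{"start_url":"https://bank.example/login","scope":"https://bank.example/"}',
  'https://evil.example/manifest.json',
  'https://evil.example/',
);
console.log(spoofed); // { start_url: 'https://evil.example/', scope: 'https://evil.example/' }
```

The pinning here is to the document URL the user agent associates with the manifest, so a cache that serves manifests must record which document each one was linked from; a cached body alone is not enough to reproduce the protection the HTML path gives for free.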