Re: [w3c/manifest] Allow manifest processing to be invoked without going through an HTML document (PR #1069) from Marcos Cáceres on 2023-04-27 (public-webapps-github@w3.org from April 2023)

From: Marcos Cáceres <notifications@github.com>
Date: Wed, 26 Apr 2023 17:17:30 -0700
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/pull/1069/review/1403006757@github.com>

@marcoscaceres commented on this pull request.



> +              on origin A and the manifest is on a different origin B, there is
+              a bidirectional relationship between the two origins.
+            </p>
+            <p>
+              The first check ensures that at least some page on origin A links
+              to the manifest on origin B (otherwise, it would be possible for
+              a manifest on origin B to control the metadata for an
+              unaffiliated app on origin A).
+            </p>
+            <p>
+              The second check ensures that origin B allows (via the [=CORS
+              protocol=]) its manifest to be applied by origin A, and also that
+              the manifest is fetched with or without credentials, as agreed by
+              both origins, as it would if going directly through the document.
+            </p>
+          </div>

```suggestion
          </aside>
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/1069#pullrequestreview-1403006757
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/manifest/pull/1069/review/1403006757@github.com>

Received on Thursday, 27 April 2023 00:17:36 UTC