Re: [w3c/manifest] Allow manifest processing to be invoked without going through an HTML document (PR #1069)

@marcoscaceres @dmurph adding both; let's take our time with this one.

I'm not sure if you want to just start with the interface change and add the text later, if the text is controversial. I wanted to capture that this is explicitly allowed now (invoking this from outside a document) but I also want to make sure user agents verify the bidirectional link. This is not just a security consideration, it is a requirement. (It could also be downgraded to a security consideration if you like.)

It was difficult to phrase the requirement. Note that I don't expect user agents to literally verify the document links to the manifest at install time (otherwise we effectively require that you load the whole document), just that it is known to have linked to the manifest in the past. This means, e.g. if you're doing sync, then you install through the normal HTML flow on device X, recording both the document URL and manifest URL in the sync state, then when you sync to device Y, the user agent on Y can invoke the processing steps with the stored document URL and manifest URL, knowing that they had been bidirectionally associated in the past. Do you think the text adequately captures this?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/1069#issuecomment-1397863545

Message ID: <w3c/manifest/pull/1069/c1397863545@github.com>

Received on Friday, 20 January 2023 02:54:00 UTC