- From: Daniel Murphy <notifications@github.com>
- Date: Wed, 01 Nov 2023 08:56:29 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 1 November 2023 15:56:34 UTC
The struggle here is spoofing - the source of trust / security guarantee is actually the html link attribute that says "yes, this manifest applies to me, it is trusted on my origin". Because people use CDNs to host their manifest (and thus it is cross-origin), it's not safe to just simply trust a manifest, as it can describe a cross-origin site. If you hosted a manifest for "turbotax" on your origin, we probably wouldn't want to be able to only look at that and say "yep, I trust this, this can install TurboTax and have the start_url be turbotax.com" etc. Even if the manifest is same-origin, often they are versioned and it also seems weird to allow any of those versions to be trusted... maybe not as bad though. We do have a unique identifier spec'd now, the manifest id. You can uniquely identify a manifest-backed entity now (e.g.usually an installed web app) now using this. -- Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/1104#issuecomment-1789209913 You are receiving this because you are subscribed to this thread. Message ID: <w3c/manifest/issues/1104/1789209913@github.com>
Received on Wednesday, 1 November 2023 15:56:34 UTC