- From: Lu <notifications@github.com>
- Date: Wed, 03 Jul 2024 13:25:36 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/875/2207189231@github.com>
> Instead, the opt-in from the service provider would list the apps that are authorized for use, plus a scope. That is naturally origin-scoped anyway. `{"web_apps": [{"web_app_identity": "https://example.com/", "scope": "/foo"}]}`, coming from "https://app1.service.provider.example/" would have the desired effect. And then "app1.service.provider.example" can make its own choice about what to include (or not), which will be nothing by default.

I think we're in agreement. The `.well-known/web-app-origin-association` file hosted by the origin/site should look like:

```JSON
{"web_apps": [{"web_app_identity": "https://example.com/", "scope": "/foo"}]}
```

with `scope` being optional.

Above, I wrote:

> We still want to allow the developer to be able to provide a single origin association file at the manifest-provided site to validate the scope extension.

I was trying to point out that if the developer uses a single `web-app-origin-association` file for multiple origins that pass a same-site test, then if it also specifies `scope`, that `scope` applies to all origins that pass the same-site test.

--
View it on GitHub: https://github.com/w3ctag/design-reviews/issues/875#issuecomment-2207189231
Received on Wednesday, 3 July 2024 20:25:40 UTC