- From: Reilly Grant <notifications@github.com>
- Date: Tue, 23 Jul 2024 15:45:51 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/875/2246430591@github.com>
@martinthomson, I'm just a bystander on this proposal but reading through your comments it sounds like you are generally comfortable with the idea of an origin opting-in to a scope extension from a cross-origin app but are specifically concerned with the ability for a site (registrable domain) to do so on behalf of the origins under it. This makes sense to me. I am curious what you think of using a new pair of HTTP headers (e.g. `App-Id` and `Allow-App-Scope-Extension`) in a similar way to the `Origin` and `Allow-Cross-Origin-Access` we have for CORS. This would enable browsers to "trust but verify" on a site-level scope extension by checking that the server for the particular origin being navigated to agrees it wants a resource to be considered part of the app. This has the advantage over requiring each origin to host a copy of the `.well-known/web-app-origin-association ` file that it provides the information in-line with the request that is already happening and is thus easier for browsers to implement and doesn't introduce additional navigation latency. There are some details to work out but I think this would maintain the ability for the browser to do the necessary install-time setup for scope extensions while keeping ultimate control over how their resources are presented in the hands of the origin. -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/875#issuecomment-2246430591 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/issues/875/2246430591@github.com>
Received on Tuesday, 23 July 2024 22:45:55 UTC