- From: Daniel Murphy <notifications@github.com>
- Date: Mon, 29 Dec 2025 11:40:27 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/pull/1199/review/3616553159@github.com>
@dmurph requested changes on this pull request.
> + All other members of the manifest are considered as a
+ <dfn>non security-sensitive member</dfn>.
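Review bot: The catch-all "All other members of the manifest are considered ..." classifies by exclusion, so any member added to the manifest later is non security-sensitive by default unless it is explicitly named as security-sensitive. Consider stating that new members must be classified when they are introduced, or say explicitly that the default is intentional.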
```suggestion
All other members of the manifest are considered
<dfn data-lt="non-security-sensitive member" data-lt-noDefault>non security-sensitive members</dfn>
```
This should make the definition keyed on "non-security-sensitive member", display the pluralized version, and not have the pluralized version be the default dfn name.
(there is a chance this breaks pluralization, but I think it'll work ok)
> + When considering a [=security-sensitive update=] for a [=manifest image resource=],
+ the user agent SHOULD consider a [=manifest image resource=] updated
+ if the {{ImageResource/src}} member has changed. If the
+ {{ImageResource/src}} has not changed, the user agent MAY download the
+ image and check for visual differences in some cases. Finally, the user agent
+ MAY change a [=security-sensitive update=] in a [=manifest image resource=] to a
+ [=non security-sensitive update=] if the images are not significantly
+ visually different.
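Review bot: Both the trigger and the threshold for the downgrade in the last sentence are left open. "in some cases" does not say when the user agent compares images, and "not significantly visually different" has no criterion, yet the outcome moves a change out of the [=security-sensitive update=] path. Suggest stating that the comparison is implementation-defined and that the update stays security-sensitive when the user agent cannot make the comparison. Also, because the download for an unchanged {{ImageResource/src}} is only a MAY, an image replaced at the same URL may never be considered updated. It is worth stating whether that is intended.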
So - I think we should generally address how manifest images should be considered as updated, and separately talk about how it impacts a security sensitive update stuff. In my head the ordering is a bit better this way, as we define things in an order where we build on previous concepts.
(I can't get the suggestion tool to include the above stuff too, but assume I'm replacing that / moving that as well)
I apologize if this is closer to where you started - what do you think of this?
```suggestion
The user agent SHOULD consider a [=manifest image resource=] updated
if the {{ImageResource/src}} member has changed. If the
{{ImageResource/src}} has not changed, the user agent MAY download the
image and check for visual differences in some cases.
</p>
<p>
A <dfn>security-sensitive update</dfn> is a update to a [=security-sensitive
member=]. Respectively, a <dfn>non-security-sensitive update</dfn> is a
update to a [=non-security-sensitive member=] member. When considering an
updated [=security-sensitive member=] of type [=manifest image resource=]
(e.g. [=icons=]), the user agent MAY consider it a [=non-security-sensitive
update=] if the user agents finds the image not significantly visually
different.
```
> + <p data-cite="permissions">
+ The user agent SHOULD present all [=security-sensitive updates=]
+ to the user and require [=express permission=] before applying the
+ changes. The user should be given the option to either:
<ol>
<li>Accept the update
</li>
<li>Uninstall the web app
</li>
+ <li>Ignore the update
+ </li>
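Review bot: "The user should be given the option" uses a lowercase "should" directly after a normative SHOULD, so it is unclear whether the option list is a requirement. Make it an explicit SHOULD or MAY, or move the list to a non-normative note. The added "Ignore the update" item also needs a sentence on its effect: whether the app keeps the previous values of the security-sensitive members, and whether the user agent may prompt again.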
I don't know if we should be super prescriptive about user options here... and we also might struggle to define stuff. I suggest making the SHOULD here normative, and then having an aside for options/example:
```suggestion
<p data-cite="permissions">
The user agent SHOULD present all [=security-sensitive updates=]
to the user and require [=express permission=] before applying the
changes.
</p>
<aside class="note" title="Example user options displayed when presented with the update">
<p>The user may be presented with the following options when shown
[=security-sensitive updates=]:
</p>
<ol>
<li>Accept the update
</li>
<li>Uninstall the web app
</li>
<li>Ignore the update
</li>
</ol>
</aside>
```
--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/1199#pullrequestreview-3616553159
Received on Monday, 29 December 2025 19:40:31 UTC