Re: App Manifest & API Proposal from Anant Narayanan on 2012-05-13 (public-webapps@w3.org from April to June 2012)

From: Anant Narayanan <anant@mozilla.com>
Date: Sun, 13 May 2012 10:02:27 -0700
To: public-webapps <public-webapps@w3.org>
Message-ID: <4FAFE923.9040801@mozilla.com>

Hi Sullivan,

Thanks for your comments, some responses inline:

On 5/13/2012 1:11 AM, SULLIVAN, BRYAN L wrote:
> 1) Re "version: A string that represents the version of this manifest. The User-Agent does not interpret this value in any way and is opaque to everyone but the application itself.": it's also likely that the "privileged caller" may also need to interpret this, as one key use case for the a privileged caller is an appstore client.

Yes, absolutely.

> 2) How do you propose that the manifest information be trusted, through signature on the JSON file?

We haven't devised any signing scheme yet, we are only relying on 
manifests being served over SSL for establishing trust. I recall someone 
from Google saying something quote-worthy regarding this: "If it's good 
enough for your banking, it's good enough to install some apps" :)

That said, we are definitely open to adding signatures. This already 
seems required for packaged apps for highly sensitive apps like phone 
dialers, as we are discovering for B2G.

> 3) Re softening of the requirement "There must only be one application per origin.": you will likely need an App ID field (a URI), for which there should be only one installation at a time (otherwise per the manifest trust above, an untrusted app could pose as another app).

Correct, this is one of the reasons we enforce one app per origin 
(posing as another app becomes very hard). Relaxing that restriction 
won't be trivial as we have to consider this and many other repercussions.

> 4) For which of the attributes, instead of being in a manifest, could we achieve the same purpose with HEAD section elements in the start page of the app? I guess this question comes down to what is the inherent value of a manifest, and also how can we get similar value for these attributes on normal Web pages (with no manifest).

As I mentioned in another email, I'm not too worried about duplication 
in two places as the goals are different. The point of storing such 
information in the manifest is to enable various parties to make 
decisions about how they will handle an app before 
purchase/install/launch time.

As you noted in your previous email, the manifest is also an appropriate 
place to let the developer declare what APIs they intend to use, 
regardless of whether the UA asks for user permission up-front or at 
run-time.

Regards,
-Anant

Received on Sunday, 13 May 2012 17:02:58 UTC