
Re: [manifest] Fetching restriction, Re: [manifest] Update and call for review

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 27 May 2014 18:25:26 +0200
Message-ID: <CADnb78jxTrsArCGxr25JQe5nK=M6Myy_BPwHa8j4C3wfbCn7BQ@mail.gmail.com>
To: Marcos Caceres <w3c@marcosc.com>
Cc: Ben Francis <bfrancis@mozilla.com>, public-webapps <public-webapps@w3.org>

On Tue, May 27, 2014 at 6:11 PM, Marcos Caceres <w3c@marcosc.com> wrote:
> Where this could become a problem in the future is if manifests start granting elevated privileges (e.g., access to specific APIs or unlimited storage). However, the security model could then be refined so that, for instance, only same origin manifests that are served over HTTPS get special powers. In such a case, non-same-origin manifests could be "tainted" and only the basic metadata from the manifest would be used by the user agent.

So long term are we expecting deployment on CDNs on sites that do not
want these features too? Sticking to same-origin seems simpler.

Received on Tuesday, 27 May 2014 16:25:54 UTC
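
The refinement quoted in this message (only same-origin manifests served over HTTPS get special powers, other manifests are "tainted" and contribute basic metadata only), as an added JavaScript example that is not part of the original message or of any specification. The split into basic and privileged members, and the member names `permissions` and `storage_quota`, are assumptions made for illustration.

```javascript
// Added example: trust decision for a web manifest under the model quoted above.
// Assumption: which members count as "basic metadata" is chosen here for illustration.
const BASIC_MEMBERS = new Set(["name", "icons", "start_url", "display", "orientation"]);

// Returns "privileged" only for a same-origin manifest fetched over HTTPS;
// everything else (cross-origin, plain HTTP, opaque origin, unparsable URL) is "tainted".
function classifyManifest(documentUrl, manifestUrl) {
  let doc, man;
  try {
    doc = new URL(documentUrl);
    man = new URL(manifestUrl, doc); // resolve a relative manifest link against the page
  } catch {
    return "tainted";
  }
  // Opaque origins serialize to "null" and must never compare as equal.
  const sameOrigin = doc.origin !== "null" && doc.origin === man.origin;
  return sameOrigin && man.protocol === "https:" ? "privileged" : "tainted";
}

// A tainted manifest keeps only basic metadata; a privileged one keeps every member.
function effectiveManifest(manifest, trust) {
  if (trust === "privileged") return { ...manifest };
  const out = {};
  for (const [key, value] of Object.entries(manifest)) {
    if (BASIC_MEMBERS.has(key)) out[key] = value;
  }
  return out;
}

// Constructed sample manifest; "permissions" and "storage_quota" are hypothetical
// privileged members, not members defined by the manifest draft.
const sample = {
  name: "Example App",
  start_url: "/",
  permissions: ["contacts"],
  storage_quota: "unlimited",
};

// Same page, two manifest locations: own origin versus a CDN.
const own = classifyManifest("https://app.example/index.html", "/manifest.json");
const cdn = classifyManifest("https://app.example/index.html", "https://cdn.example/manifest.json");
console.log(own, effectiveManifest(sample, own));
console.log(cdn, effectiveManifest(sample, cdn));
```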
