Re: [manifest] Fetching restriction, Re: [manifest] Update and call for review

On May 27, 2014 at 2:30:32 PM, Jonas Sicking (jonas@sicking.cc) wrote:
> On Tue, May 27, 2014 at 9:11 AM, Marcos Caceres wrote:
> > The only way that gmail would allow "my own app store" to use its manifest would be for
> > Google to include the HTTP header:
> >
> > Access-Control-Allow-Origin: "http://myownappstore.com"
>  
> This is a bit of an abuse of CORS.

hmmm... I thought this was *exactly* the point of having the "*-Allow-Origin" header (restrict sharing to the domains the server chooses in browsers). 

> Adding an
> "Access-Control-Allow-Origin: *" header currently has the semantic
> meaning of "any website can read the contents of this file". I.e. it
> only means that the bits in the file are accessible from other
> websites.

Yep. The point was that combined with the `start_url` member, you can make "install pages" away from the origin where the application resides.  

> That means that for a webserver on the public internet it is currently
> always safe to add the "Access-Control-Allow-Origin: *" header to any
> file since all files can be read anyway by simply using a different
> HTTP client than a browser, such as wget.

Sure. But that's not the point here. The use of CORS here is to control who can do what within the context of the browser (as the policy enforcement point). Of course, anyone can just go and download anything with wget or whatever - but that's not going to give that person a web app with the manifest applied.

> It does not currently mean, and I don't think it should mean, "I am ok
> with acting as a manifest for any website".

This is a different interpretation of the semantics of sharing a manifest - and certainly not the primary use case (though "http://generic-manifest.com/manifest.json" could be useful for testing and other interesting things). The idea was to say which stores can create a product page with the manifest.  

> I think restricting manifests to same-origin is the way to go. I would
> not be surprised if manifests will eventually end up with similar
> security properties as hosting HTML files currently does.

Given the current stuff the manifest defines, I don't have a strong opinion - but it certainly does seem like a few less potential headaches down the line. 

I'm happy to make this change and restrict to same origin.

Received on Tuesday, 27 May 2014 19:39:40 UTC
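The two fetch policies argued over in this message, as an added example that is not part of the thread and not code from the manifest specification. It models the browser as the policy enforcement point and shows what each policy lets a foreign "store" page do with a manifest hosted elsewhere. The origins, the manifest URL, the `start_url` value and the function names (`manifestAllowed`, `installableFrom`, `demo`) are constructed for illustration.

```javascript
// Added example, not code from the thread or from the manifest spec.
// It models the two fetch policies under discussion so the difference in who
// can "install" a manifest from a foreign origin is visible. All names here
// (manifestAllowed, installableFrom, the sample origins) are constructed.

// Constructed sample data, following the gmail / "my own app store" example.
const SAMPLE_MANIFEST_URL = "https://mail.google.com/manifest.json";
const SAMPLE_MANIFEST = { name: "Gmail", start_url: "/mail/u/0/" };
const STORE_ORIGIN = "http://myownappstore.com";
const OTHER_ORIGIN = "https://other-store.example";

// Lower-case header names so lookups do not depend on the server's casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Would the browser (the policy enforcement point in the thread) let a document
// at `documentOrigin` apply the manifest at `manifestUrl`?
//   "cors":        allowed if the manifest's server echoed the document origin
//                  in Access-Control-Allow-Origin, or sent "*".
//   "same-origin": allowed only when document and manifest share an origin.
function manifestAllowed(policy, documentOrigin, manifestUrl, responseHeaders) {
  const manifestOrigin = new URL(manifestUrl).origin;
  if (manifestOrigin === documentOrigin) return true;  // same origin is always fine
  if (policy === "same-origin") return false;
  if (policy !== "cors") throw new Error(`unknown policy: ${policy}`);
  const acao = normalizeHeaders(responseHeaders)["access-control-allow-origin"] || "";
  // "*" shares the bytes with every origin; an explicit value must match exactly.
  return acao === "*" || acao === documentOrigin;
}

// Combine the fetch decision with start_url resolution: start_url is resolved
// against the manifest URL, so even when a store page hosts the install link,
// the app that gets installed lives at the manifest's origin, not the store's.
function installableFrom(policy, documentOrigin, manifestUrl, manifest, responseHeaders) {
  const allowed = manifestAllowed(policy, documentOrigin, manifestUrl, responseHeaders);
  const appOrigin = new URL(manifest.start_url, manifestUrl).origin;
  return { allowed, appOrigin };
}

// Run the thread's scenarios under both policies and collect the outcomes.
function demo() {
  const explicitAcao = { "Access-Control-Allow-Origin": STORE_ORIGIN };
  const wildcardAcao = { "Access-Control-Allow-Origin": "*" };
  const noAcao = {};
  return {
    // Google opts the store in explicitly: the store page may install Gmail.
    corsStoreOptedIn: manifestAllowed("cors", STORE_ORIGIN, SAMPLE_MANIFEST_URL, explicitAcao),
    // The header names one store, so a different origin is still refused.
    corsOtherRefused: manifestAllowed("cors", OTHER_ORIGIN, SAMPLE_MANIFEST_URL, explicitAcao),
    // The objection raised in the thread: a wildcard that today only means
    // "these bytes are public" would also mean "any site may be Gmail's install page".
    corsWildcardAnyone: manifestAllowed("cors", OTHER_ORIGIN, SAMPLE_MANIFEST_URL, wildcardAcao),
    // Under same-origin the store is refused no matter what headers are sent.
    sameOriginStoreRefused: manifestAllowed("same-origin", STORE_ORIGIN, SAMPLE_MANIFEST_URL, wildcardAcao),
    // The app's own origin is still allowed under same-origin, with no CORS header.
    sameOriginSelfAllowed: manifestAllowed("same-origin", "https://mail.google.com", SAMPLE_MANIFEST_URL, noAcao),
    // Even when a store may install it, the app launches at the manifest's origin.
    appOrigin: installableFrom("cors", STORE_ORIGIN, SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST, explicitAcao).appOrigin,
  };
}

console.log(demo());
```

Running it under Node prints one object with the outcome of each scenario. The point the wildcard case makes is that a header many servers already send for an unrelated reason (public, read-only bytes) silently gains a second meaning under the CORS-based policy, which is why the same-origin restriction the message settles on removes a class of surprises rather than a single bug.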