Dear Web App Security WG members,
I'm writing on behalf of a number of W3C members working on the W3C Web App Manifest spec (http://www.w3.org/TR/appmanifest/).
We have two use cases where web app developers want to indicate a web app includes multiple domains.
* In one case, a web app (scope:Example.com) might have a CDN (scope:ExampleCDN.com), personal data (scope:MyExample.com), etc. that is served from a second domain.
* In another case, a web app (scope:Chat.Example.com) might have peer subdomains that are in-scope (scope:Music.Example.com and scope:Video.Example.com) but might also have peer domains that are out-of-scope (scope:Events.Example.com).
We are considering a proposal (#449, https://github.com/w3c/manifest/issues/449) where the W3C Web App Manifest file (a JSON file residing on the primary domain) would be able to indicate other (HTTPS-only) domains that could be rendered within the context of the web app rather than being rendered in the context of web browser chrome.
We would appreciate any questions or suggestions you have as we consider this proposal.
Thanks very much--
--Rob