- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Wed, 6 Nov 2019 15:20:10 -0800
- To: uri@w3.org
- Message-ID: <CANh-dX=g-8pwb5nPqtu55b4fsvVQioAdhn4GOqQoQKYAsqG+Bw@mail.gmail.com>

Hi URI experts,

As you may have seen, we're working on a way to package web resources at https://github.com/WICG/webpackage. One of the use cases is to let users save a web page, site, or collection of sites to a single local file and share it to their peers without an internet connection. If those sites use the browser's local storage systems, I think each site should get its own partition. Since the user generated the package, the sites within it aren't signed, so that partition can't be the same one used by the online version of the site.

So, what origin does an unsigned resource within a package get? https://docs.google.com/document/d/1BYQEi8xkXDAg9lxm3PaoMzEutuQAZi1r8Y0pLaFJQoo/edit discusses the problem in some detail, and suggests that the origin should include both the full absolute URI of the package itself and the claimed origin of the subresource. ("Claimed" because it's not signed.)

To get that to happen within browsers, I think that means we need to define a new scheme for URLs that address a subresource within a package. The document suggests a couple ways to define that scheme.

I'd appreciate if the experts on this list would think about the problem a bit and suggest how best to solve it. I've been iterating within the linked Google Doc, but if anyone would be more comfortable iterating on GitHub, I can translate it to markdown and check it in.

Thanks a bunch,
Jeffrey

Received on Wednesday, 6 November 2019 23:20:25 UTC