scope="../" should be invalid #551
Comments
|
That on the other hand kind of requires having the manifest file live in the root. I guess that might be OK, but I have seem multiple examples where that was not the case (To be honest, most of these were for sites using favicon generators). We haven't told people to keep the manifest in the app root (not necessarily domain root!) so would be nice to get the input from @PaulKinlan . Or does it makes more sense to make scope relative to start_url instead of manifest location? @marcoscaceres |
|
There are a number of cases where an app may want to support multiple scopes (see #449.) To address @pkotwicz's concern, what about: |
|
I think it is nice to be a bit flexible and not having to have the manifest file in the root. I talked to @PaulKinlan and as far as I understood, he agrees with me. For solving the case where you are not the owner of the domain, I think we could allow the domain some power to restrict what others can use as scope, something like the robots.txt to ignore seach engines, we might be able to have a |
|
E.g. for https://github.com: https://github.com/.well-known/manifest-policy.json contains Similarly for https://inventeddomain.com:
For |
|
What @pkotwicz describes is the exact challenges that Service Worker also had for their scope. I know the two are different, but given that the scope affects the navigational context, the app gets special privileges not normally afforded to web apps (URL interception in particular). It gets a little harder because the location of the manifest could reasonably be on a CDN and the manifest scope processing doesn't include the document URL other than for checking the scope is on the same origin as the document. Step 4 and 6 are at conflict in this process. I'm not clear on the interplay between the scope and the start_url, I've (maybe mistakenly) been thinking that the base url gets affected based on the scope whichs means the start_url is relative to that to the scope and the scope can be either defined or inferred by the location of the manifest. I think there needs to be some clarity about what defines a web app. There is a note that implies this, but I don't read it that clearly in the spec
I've tried to document combinations of start url and manifest url and the base to make it clearer in my head about what is desirable, note: I am assuming that the start url is calculated from the manifest_url which means that I am assuming that the manifest url is the base and the thing that drives everything that makes an app an app.
Note 2: I am not including additional scopes in this thread at the moment. |
|
|
So the way it works today (as specced): Every single URL within the manifest file is relative to the location of that file (like it would be in a JS, HTML or CSS file). If that is cumbersome in some situations, we could consider added a | manifest url | start_url | scope attr | calculated scope | calculated start_url | valid | |
kenchris@ is right that if we made scope="../" illegal we would break some sites. A coworker ran a script on all of the Web Manifests on the web. There are 26 Web Manifests on the Web whose scope is wider than the directory containing the manifest. There's ~ 35,000 Web Manifests total. Unfortunately, one of those 26 is https://www.nfl.com/manifest/super-bowl.json I have no idea whether it is possible to convince all of the website owners to move the manifest.json file on their site |
|
Yes, the additional scopes somehow would need to whitelist the manifest who is referring to them. One way could be In https://mysite.com/manifest.json, have: Then in https://otherofmysites.com/manifest.json, have: Adding "owner" to a manifest means that it will refer to another manifest file as the data source for adding to homescreen, and only a few of the properties will be used (ie |
|
So any update on what you changed in Chrome? Like would it be possible for you to submit a PR if you made any changes so that we can review it and move this forward? |
|
We ended up not making any changes in Chrome. It is safe to assume that we will likely not make any changes in the foreseeable future. I don't think anyone on the Chrome team has given this topic much thought in the previous month. |
|
Ok, we need to probably good to check and confirm with a test of some sort... adding to CR list for scope. |
|
It sounds like from the original report that the reason to prevent this would be to prevent escaping out of a subdirectory (e.g., if you were given ownership over a subdirectory on a shared origin with other untrusted parties). On the web, paths are not a security boundary. That battle is far too lost; there are heaps of things that let you do anything you want at the origin scope -- even in the manifest you could set a scope of Therefore, closing as WAI. |
From https://crbug.com/688889
When a user adds a page which contains a Web Manifest to the homescreen in Chrome all of the pages within the Web Manifests' scope get special treatment.
It is currently valid for a web manifest in http://rootsweb.ancestry.com/~peter/manifest.json to have scope="../"
In my opinion this is suboptimal because this would apply the special treatment specified by http://rootsweb.ancestry.com/~peter/manifest.json to all of http://rootsweb.ancestry.com/
http://rootsweb.ancestry.com/ is a web hosting service which grants each user hosting within a different subdirectory within http://rootsweb.ancestry.com/
There does not seem to be many web hosting services which grant users a sub directory but they seem to still exist http://www.free-webhosts.com/free-web-hosts.php
I suggest requiring a Web Manifest scope to be within the directory which contains the Web Manifest
Examples:
Manifest URL https://www.example.com/subdir/manifest.json
Scope '.' Valid
Scope 'deeper_subdir' Valid
Scope '../' Invalid
Scope '../other_subdir' Invalid
Scope 'deeper_subdir/../../other_subdir' Invalid
The text was updated successfully, but these errors were encountered: