Enforce https manifest URL

[joycetoh8]

For ChromeOS, https should be enforced for the manifest URL as PWAs are not allowed to use http. If a http manifest URL is used to create a TWA via Bubblewrap, ChromeOS will install the PWA with http causing a weird launch behavior from Play.

[andreban]

Adding some more details:

• on Android, it's OK for a developer to bootstrap a TWA with an http URL, because the URL launched by application is a concatenation of "https://" + hostname + path.
• ChromeOS uses the webManifestURL, which is a passthrough of the Manifest URL used to bootstrap the TWA, and using HTTP for this URL should be an error. This field is unused on Android.

• 401 is a feature-request to be able to bootstrap an application from a local.

To allow both things, It seems that separating the URL used to bootstrap the app from the webManifestURL would be the best way to go.

My proposed solution would be to ask the developer for the Manifest URL when creating the application, using the one provided to bootstrap it as default, and validate if it is HTTPS when doing that.