Open dmurph opened 3 years ago
1) Should we go with start_url
then? You know this part much better than I do.
2) A big +1 for same-origin. It makes sense to me to draw the security boundary around the origin.
3) > I will also note that these approaches will make the start_url pages are actually installable in their own right
I think this is fine, and perhaps even good; devs can test sub-parts of their big app on their own, and it's not really an issue if users can poke around.
I also favor the start_url
approach with the requirement that start_url
has to be same-origin with the page calling the API.
It might be better to model the 'manifest_url' approach as a 'reference', and then go into some options:
reference =
manifest_url
manifest_url
+id
, manifest resolvedid
must matchid
.start_url
The main 'identifier' for a webapp, in my opinion, is the manifest list (
<link rel="manifest" href="manifest.json">
). This, which is in the start_url html, basically confirms "yes, this is a web app, and the manifest is here, and we are connected".So the security issues I'm also seeing here (maybe I should make issues for these):
I will also note that these approaches will make the start_url pages are actually installable in their own right, where the user could just install those pages if they visit the url.. although they, I guess, would be nested in the parent app, so we wouldn't show the install icon.
Even if we did show the install icon & the user installed the sub-apps before the main app added them, we could still easily just update them to being a 'managed' app.