Open timcappalli opened 10 months ago
I'll add my 2-cents that redirects that follow pattern 2 will most likely not be followed by 1Password for security reasons.
The Apple requirements for this are:
You must host the file using https:// with a valid certificate and with no redirects.
And Android has the following requirements:
- The assetlinks.json file is served with content-type application/json.
- The assetlinks.json file must be accessible over an HTTPS connection, regardless of whether your app's intent filters declare HTTPS as the data scheme.
- The assetlinks.json file must be accessible without any redirects (no 301 or 302 redirects).
- If your app links support multiple host domains, then you must publish the assetlinks.json file on each domain. See Supporting app linking for multiple hosts.
If RPs are going to support mobile apps, perhaps it makes sense to have the same requirements in order to prep them for that? Or do we expect RPs that don't support mobile apps to require more freedom to host this in the way they want/need?
We've heard from RPs that supporting redirects for passkey assetlinks.json fetches was important to them. In GMS Core beta you'll find that redirects are followed as long as they are all HTTPS URLs.
I'd be curious to know the use cases of an App not giving the direct URL to the asset links
> I'd be curious to know the use cases of an App not giving the direct URL to the asset links
The RP ID is usually the bare domain (example.com) but the infrastructure of several RPs is such that they can only serve redirects from their bare domain and all content serving happens from a subdomain.
The RPID yes, but when checking assetlinks from an app we get it from its manifest, they should be able to provide a direct link from the manifest. As long as the rpId matches the TLD+x of that url it should be fine.
The current spec text explicitly forbids returning redirects (301/302). A few early adopters are using redirects.
I've noticed two distinct patterns:
1) https://myco.com/.well-known/... >>> https://www.myco.com/.well-known/...
2) https://myco.com/.well-known/... >>> https://mycoobjects.com/.well-known/...
I've also seen a combo of both (double redirect):
bare >> www >>> service
Pattern 1 is typically just due to the default configuration of the web server redirecting all requests to www. Exceptions can typically be added to these rewrite rules.
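As an added example (not code from this thread, from Apple, Google or 1Password), the script below does what the quoted Apple and Android requirements ask a verifier to do: it fetches the .well-known file without automatically following redirects, records every hop, and flags non-HTTPS URLs, 301/302 (and other 3xx) redirects, and a content-type other than application/json. It also labels a recorded chain as pattern 1 (bare -> www), pattern 2 (different host) or a double redirect, matching the patterns listed above, so an RP can see which case its own hosting falls into. The myco.com hostnames, the User-Agent string, the 5-hop limit and the sample chains in the main block are assumptions; certificate validity is left to urllib's default TLS verification, which rejects invalid certificates.

```python
"""Audit how a .well-known/assetlinks.json URL is served (added example).

Fetches the file WITHOUT auto-following redirects, records every hop, and
reports which of the quoted platform requirements (HTTPS only, no 301/302
redirects, content-type application/json) are violated.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    url: str
    status: int
    content_type: str
    location: Optional[str]  # Location header of a redirect, else None


@dataclass
class Report:
    hops: List[Hop]
    violations: List[str]
    pattern: str

    @property
    def compliant(self) -> bool:
        return not self.violations


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on a 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url: str, timeout: float = 10.0) -> Hop:
    """Perform exactly one request; a redirect comes back as a Hop with .location set."""
    opener = urllib.request.build_opener(_NoRedirect())
    # User-Agent value is an assumption for this example
    req = urllib.request.Request(url, headers={"User-Agent": "assetlinks-audit/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Hop(url, resp.status, resp.headers.get("Content-Type", ""), None)
    except urllib.error.HTTPError as err:
        headers = err.headers if err.headers is not None else {}
        return Hop(url, err.code, headers.get("Content-Type", ""), headers.get("Location"))


def fetch_chain(url: str, fetcher: Callable[[str], Hop] = fetch_once, max_hops: int = 5) -> List[Hop]:
    """Follow redirects manually so every hop is recorded (bounded by max_hops, assumed 5)."""
    hops: List[Hop] = []
    while len(hops) < max_hops:
        hop = fetcher(url)
        hops.append(hop)
        if hop.status not in REDIRECT_CODES or not hop.location:
            break
        url = urljoin(hop.url, hop.location)  # Location may be relative
    return hops


def classify(hops: List[Hop]) -> str:
    """Name the redirect shape using the patterns described in the thread."""
    if len(hops) == 1:
        return "direct"
    hosts = [urlparse(h.url).hostname or "" for h in hops]
    if len(hops) > 2:
        return "double redirect: " + " >> ".join(hosts)
    if hosts[1] == "www." + hosts[0]:
        return "pattern 1 (bare -> www)"
    return "pattern 2 (different host)"


def evaluate(hops: List[Hop]) -> Report:
    """Check a recorded chain against the HTTPS / no-redirect / content-type requirements."""
    if not hops:
        raise ValueError("empty chain")
    violations: List[str] = []
    for hop in hops:
        if urlparse(hop.url).scheme != "https":
            violations.append(f"non-HTTPS URL in chain: {hop.url}")
        if hop.status in REDIRECT_CODES:
            violations.append(f"redirect HTTP {hop.status} from {hop.url} to {hop.location}")
    final = hops[-1]
    if final.status in REDIRECT_CODES:
        violations.append(f"chain not resolved within {len(hops)} hops")
    elif final.status != 200:
        violations.append(f"final response was HTTP {final.status}")
    else:
        # Android requires application/json; parameters such as charset are ignored here
        media_type = final.content_type.split(";")[0].strip().lower()
        if media_type != "application/json":
            violations.append(f"content-type is {media_type or '(none)'}, expected application/json")
    return Report(hops, violations, classify(hops))


if __name__ == "__main__":
    # Default target is a placeholder; pass the RP's own URL as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/.well-known/assetlinks.json"
    report = evaluate(fetch_chain(target))
    for h in report.hops:
        print(f"{h.status} {h.url} -> {h.location or ''}")
    print("pattern:", report.pattern)
    print("compliant" if report.compliant else "violations: " + "; ".join(report.violations))
```

`fetch_chain` takes a pluggable `fetcher` so the evaluation logic can be exercised on recorded hops without network access; `evaluate` reports every redirect in the chain, not just the first, which is what distinguishes the double-redirect case from pattern 1 or 2.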