Skip to content

Commit

Permalink
Move same-origin-as-document check to steps for obtaining.
Browse files Browse the repository at this point in the history
Now the steps for processing a manifest do not take a document URL. This
is necessary as manifests are often processed independent of a document,
and the interpretation of a manifest should not depend upon the document
it was included from.

Normative change: If the start_url is not same-origin as the document
URL, the entire manifest is rejected (as part of obtaining a manifest
from a document, rather than processing a manifest), rather than getting
a default start_url.

Closes w3c#668
  • Loading branch information
mgiuca committed Jun 15, 2018
1 parent 6a06f06 commit 4ce2a94
Showing 1 changed file with 23 additions and 37 deletions.
60 changes: 23 additions & 37 deletions index.html
Original file line number Diff line number Diff line change
Expand Up @@ -1301,13 +1301,26 @@ <h3>
"!FETCH#concept-request-body">body</a>.
</li>
<li>Let <var>manifest</var> be the result of running <a>processing a
manifest</a> given <var>text</var>, <var>manifest URL</var>, and the
URL that represents the address of the <a>top-level browsing
context</a>.
manifest</a> given <var>text</var> and <var>manifest URL</var>.
</li>
<li data-link-for="WebAppManifest">If
<var>manifest</var>["<a>start_url</a>"] is not <a>same origin</a> as
the URL that represents the address of the <a>top-level browsing
context</a>, issue a developer warning that the <a>start_url</a>
needs to be <a>same-origin</a> as <code>Document</code> of the
<a>top-level browsing context</a>, then abort these steps.
</li>
<li>Return <var>manifest</var> and <var>manifest URL</var>.
</li>
</ol>
<p class="issue">
There is currently no way to invoke this algorithm without a
<a>top-level browsing context</a>. However, several user agents do
just that (when they install a web application directly from a
manifest URL, without a document). This, and other algorithms, should
be written to not require a document. See <a href=
"https://github.com/w3c/manifest/issues/668">#668</a>.
</p>
<div class="note">
<p>
Authors are encouraged to use the HTTP cache directives to
Expand Down Expand Up @@ -1396,17 +1409,8 @@ <h3>
following algorithm. The algorithm takes a <a>string</a>
<var>text</var> as an argument, which represents a <a>manifest</a>,
and a <a>URL</a> <var>manifest URL</var>, which represents the
location of the manifest, and an optional <a>URL</a> <var>document
URL</var>. The output from inputting an JSON document into this
algorithm is a <dfn>processed manifest</dfn>.
</p>
<p class="issue">
There is currently no way to invoke this algorithm without a
<var>document URL</var>. However, several user agents do just that
(when they install a web application directly from a manifest URL,
without a document). The algorithms that invoke this one should
similarly be written to not require a <var>document URL</var>. See
<a href="https://github.com/w3c/manifest/issues/668">#668</a>.
location of the manifest. The output from inputting an JSON document
into this algorithm is a <dfn>processed manifest</dfn>.
</p>
<p class="issue">
We need to catch throws associated with enumerations in IDL
Expand Down Expand Up @@ -1448,8 +1452,7 @@ <h3>
</li>
<li>Set <var>manifest</var>["<a>start_url</a>"] to the result of
running <a>processing the <code>start_url</code> member</a> given
<var>manifest</var>["<a>start_url</a>"], <var>manifest URL</var>, and
<var>document URL</var>.
<var>manifest</var>["<a>start_url</a>"], and <var>manifest URL</var>.
</li>
<li>Set <var>manifest</var>["<a>lang</a>"] to the result of running
<a>processing the <code>lang</code> member</a> given
Expand Down Expand Up @@ -1953,17 +1956,12 @@ <h3>
<p>
The steps for <dfn>processing the <code>start_url</code> member</dfn>
are given by the following algorithm. The algorithm takes a
<a>USVString</a> <var>value</var>, a <a>URL</a> <var>manifest
URL</var>, and an optional <a>URL</a> <var>document URL</var>. This
algorithm returns a <a>URL</a>.
<a>USVString</a> <var>value</var>, and a <a>URL</a> <var>manifest
URL</var>. This algorithm returns a <a>URL</a>.
</p>
<ol>
<li>If <var>document URL</var> is given, and <var>manifest URL</var>
is not <a>same origin</a> as <var>document URL</var>, let
<var>default</var> be <var>document URL</var>.
</li>
<li>Otherwise, let <var>default</var> be the result of <a>parsing</a>
".", using <var>manifest URL</var> as the <var>base</var> URL.
<li>Let <var>default</var> be the result of <a>parsing</a> ".", using
<var>manifest URL</var> as the <var>base</var> URL.
</li>
<li>If <var>value</var> is the empty <a>string</a>, return
<var>default</var>.
Expand All @@ -1981,18 +1979,6 @@ <h3>
</li>
</ol>
</li>
<li>If <var>document URL</var> is given, and <var>start URL</var> is
not <a>same origin</a> as <var>document URL</var>:
<ol>
<li>
<a>Issue a developer warning</a> that the <a>start_url</a>
needs to be <a>same-origin</a> as <code>Document</code> of the
<a>top-level browsing context</a>.
</li>
<li>Return <var>default</var>.
</li>
</ol>
</li>
<li>Otherwise, return <var>start URL</var>.
</li>
</ol>
Expand Down

0 comments on commit 4ce2a94

Please sign in to comment.