Closed Bug 1095461 Opened 10 years ago Closed 9 years ago

Honour manifest-src CSP directive when obtaining a manifest

Tracking

(Not tracked)

Status:

RESOLVED DUPLICATE of bug 1089255

People

(Reporter: benfrancis, Unassigned)

References

Details

(Keywords: feature)

Ben Francis [:benfrancis]

Reporter

Description

•

10 years ago

The algorithm for obtaining a web manifest [1] requires that the user agent honour the manifest-src CSP directive. 1. https://w3c.github.io/manifest/#obtaining

Ben Francis [:benfrancis]

Reporter

Comment 1

•

10 years ago

As I understand it, by default the manifest spec allows for a manifest to be hosted on a different origin from the web page which links to it in a <link rel="manifest"> element, as long as the start_url is same-origin with the web page linking to the manifest. However, the spec also requires that the user agent honour a manifest-src CSP directive if the developer wishes to lock this down further.

Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]

Comment 2

•

10 years ago

duplicated with Bug 1089255?

Marcos Caceres [:marcosc]

Updated

•

9 years ago

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → DUPLICATE

BMO Automation

Updated

•

7 years ago

Product: Core → Core Graveyard

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Honour manifest-src CSP directive when obtaining a manifest

Categories

(Core Graveyard :: DOM: Apps, defect)

Tracking

(Not tracked)

People

(Reporter: benfrancis, Unassigned)

References

Details

(Keywords: feature)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Updated

Updated