Closed Bug 1095461 Opened 5 years ago Closed 4 years ago

Honour manifest-src CSP directive when obtaining a manifest

Categories

(Core Graveyard :: DOM: Apps, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1089255

People

(Reporter: benfrancis, Unassigned)

References

Details

(Keywords: feature)

The algorithm for obtaining a web manifest [1] requires that the user agent honour the manifest-src CSP directive.


1. https://w3c.github.io/manifest/#obtaining
As I understand it, by default the manifest spec allows for a manifest to be hosted on a different origin from the web page which links to it in a <link rel="manifest"> element, as long as the start_url is same-origin with the web page linking to the manifest. However, the spec also requires that the user agent honour a manifest-src CSP directive if the developer wishes to lock this down further.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1089255
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.