On 5/13/12 2:17 PM, SULLIVAN, BRYAN L wrote:
For (1) we can expect a text change, right?
Yes, I will make them as soon as I able to.
For (2), If the app manifest if obtained over non-secure HTTP, it is subject to modification. If the app is delivered over non-secure HTTP, even more can be modified. So is the plan to provide some kind of user warning when the manifest and/or app (including assets from the same origin) are delivered via non-secure HTTP (in the absence of a manifest signature)? And even if a manifest signature is provided how does it ensure protection of the assets (e.g. JS, CSS, and HTML) if they are delivered over non-secure HTTP? Does HTTPS need to be enforced, and cert domain validation as well?
We've previously discussed enforcing serving manifests over HTTPS, but it may not be appropriate to put this into the spec itself. Different user agents may choose to do different things, ranging from disallowing installs over HTTP or warning the user before proceeding.
Regards, -Anant
