Ok thanks Kenneth. I assume that you refer to the Trust & Permissions Community 
Group, https://www.w3.org/community/trustperms/?


Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878



From: Kenneth Rohde Christiansen [mailto:kenneth.christian...@gmail.com]
Sent: den 6 mars 2015 10:09
To: Nilsson, Claes1; Arthur Barstow; public-webapps
Subject: Re: [manifest] RE: Manifest for web application; review deadline March 

Hi Claes,

The web app manifest spec allows extensions (it has extension points), so we 
would expect the Permissions WG/CG to come up with a proper way to deal with 
permissions. If they come to the conclusion that we need some permission field 
in the manifest, their spec can add that. It is not yet clear at this point 
that that is the solution that they are aiming at.


On Thu, Mar 5, 2015 at 4:50 PM Nilsson, Claes1 
<claes1.nils...@sonymobile.com<mailto:claes1.nils...@sonymobile.com>> wrote:

We support that this version of the specification is moved to Candidate status 
but we have a few comments/questions:

In this version 1 we miss:

* A "permissions" field
* A "content security policy field". This is only included as a way to state 
allowed origins from which the manifest file itself could be loaded. However, 
there is, in this first version, no CSP-field defined for the manifest 
document, allowing restriction of origins the web app could download scripts 
and other content types from. There is also a draft companion document, 
http://w3c.github.io/manifest-csp/, defining this CSP-member of the manifest.

We consider the above features important for allowing server hosted web apps 
access to more sensitive APIs and have been experimenting with this for FFOS:
 Accordingly we want to discuss these features for the further work on the 
manifest specification.

We also would like to ask the WG if it has been discussed if https: transport 
should be required for downloading the manifest? Other specifications are 
moving towards requirement for https:. See for example the discussion 
https://lists.w3.org/Archives/Public/public-device-apis/2015Feb/0045.html. For 
the manifest version 1 this may not be critical but if above features are added 
the transport probably have to be protected.

However, once again note that these comments do not prevent that we support 
that the current version of the manifest is moved to candidate status, I am 
just taking the opportunity state our views on the further work on the manifest 

Best regards

Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878


> -----Original Message-----
> From: Arthur Barstow 
> [mailto:art.bars...@gmail.com<mailto:art.bars...@gmail.com>]
> Sent: den 13 februari 2015 01:31
> To: public-webapps
> Subject: RfC: Manifest for web application; review deadline March 5
> [ Bcc: public-webappsec, www-style, public-privacy, public-sysapps,
> public-digipub-ig, public-pfwg, public-web-mobile, www-international,
> chairs^1, public-review-announce; Reply-to: public-webapps ]
> This is a Request for Comments (RfC) for WebApp's "Manifest for web
> application" specification:
> <http://www.w3.org/TR/2015/WD-appmanifest-20150212/>
> "This specification defines a JSON-based manifest that provides
> developers with a centralized place to put metadata associated with a
> web application."
> This Working Draft is intended to meet the wide review requirements as
> defined in the 2014 Process Document. The deadline for comments is 5
> March 2015 and all comments should be sent to the public-webapps @
> w3.org<http://w3.org> mail list [Archive] with a Subject: prefix of 
> "[manifest]". The
> next anticipated publication of this specification is a Candidate
> Recommendation. (See [CR-Plan] for the specification's Candidate
> Recommendation status.)
> WebApps welcomes review and comments from all individuals and/or groups
> and we explicitly ask the following groups to review the document and
> to submit comments: WebAppSec, CSS WG (in particular, the "display
> mode"
> media feature), PING, SysApps, Digital Publishing IG, WAI (PF, User
> Agent, Authoring Tools), and I18N WG.
> In addition to substantive comments, to help us get a sense of how much
> review the document receives, we also welcome data about "silent
> reviews", f.ex. "I reviewed section N.N and have no comments".
> -Thanks, AB
> ^1 RfC is the new LCWD TransAnn
> [CR-Plan] <https://github.com/w3c/manifest/issues/308>
> [Archive] <https://lists.w3.org/Archives/Public/public-webapps/>

Reply via email to