Intent to Ship: CSP rule 'manifest-src'

59 views
Skip to first unread message

Kenneth Rohde Christiansen

unread,
May 6, 2015, 6:41:18 AM5/6/15
to blink-dev, mar...@marcosc.com

Contact emails

kenneth.r.c...@intel.com


Spec

https://w3c.github.io/webappsec/specs/content-security-policy/#directive-manifest-src


Summary

Allows setting a CSP policy for fetching the Web App Manifest


Link to “Intent to Implement” for Web App Manifest:

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/qz2pd3MFPKg


Is this feature supported on all five Blink platforms (Windows, Mac, Linux, Chrome OS, WebView, Android)?

Yes


Compatibility Risk

Small. The feature has been deeply discussed with the WebAppSec group and the editors of the Web App Manifest, and it is now being implemented in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1089255


Developers are also having problems with it not being enabled in Chrome currently: https://github.com/h5bp/html5boilerplate.com/issues/133#issuecomment-97743407


Link to entry on the feature dashboard

https://www.chromestatus.com/features/5679927315660800

Philip Jägenstedt

unread,
May 6, 2015, 7:58:59 AM5/6/15
to Kenneth Rohde Christiansen, blink-dev, mar...@marcosc.com
LGTM

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

mar...@marcosc.com

unread,
May 6, 2015, 11:42:40 AM5/6/15
to blin...@chromium.org, mar...@marcosc.com


On Wednesday, May 6, 2015 at 6:41:18 AM UTC-4, Kenneth Rohde Christiansen wrote:

Compatibility Risk

Small. The feature has been deeply discussed with the WebAppSec group and the editors of the Web App Manifest, and it is now being implemented in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=108925


Hope to land on Gecko side in the next two weeks. 

Joe Medley

unread,
May 6, 2015, 12:23:23 PM5/6/15
to mar...@marcosc.com, blink-dev
Do you have a guess about which version you want to ship in?

Joe Medley | Technical Writer, DevPlat | jme...@google.com | 816-678-7195

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Marcos Caceres

unread,
May 6, 2015, 1:00:27 PM5/6/15
to Joe Medley, blink-dev



On May 6, 2015 at 12:23:19 PM, Joe Medley (jme...@google.com) wrote:
> > Do you have a guess about which version you want to ship in?

Gecko version? Hopefully 41. 

Kenneth Rohde Christiansen

unread,
May 6, 2015, 5:19:34 PM5/6/15
to Joe Medley, mar...@marcosc.com, blink-dev

The feature is implemented already, and I already have a patch enabling it by default, so my answer would be the earliest release possible

Kenneth

Mike West

unread,
May 11, 2015, 4:49:30 AM5/11/15
to Kenneth Rohde Christiansen, blink-dev, mar...@marcosc.com
On Wed, May 6, 2015 at 12:41 PM, Kenneth Rohde Christiansen <kenneth.ch...@gmail.com> wrote:

Compatibility Risk

Small. The feature has been deeply discussed with the WebAppSec group and the editors of the Web App Manifest, and it is now being implemented in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1089255


Developers are also having problems with it not being enabled in Chrome currently: https://github.com/h5bp/html5boilerplate.com/issues/133#issuecomment-97743407


Non-OWNER's LGTM. This directive isn't yet part of an official draft of CSP3, but it's been in the editor's draft for months now, and there seems to be clear agreement that it's needed across the browsers that have implemented manifests.

-mike

Dimitri Glazkov

unread,
May 12, 2015, 7:40:28 PM5/12/15
to Mike West, Kenneth Rohde Christiansen, blink-dev, mar...@marcosc.com
LGTM2.

:DG<

Jochen Eisinger

unread,
May 12, 2015, 7:59:46 PM5/12/15
to Dimitri Glazkov, Mike West, Kenneth Rohde Christiansen, blink-dev, mar...@marcosc.com
lgtm3

On Wed, May 13, 2015 at 9:40 AM Dimitri Glazkov <dgla...@chromium.org> wrote:
LGTM2.

:DG<

Joe Medley

unread,
May 14, 2015, 12:01:32 PM5/14/15
to blin...@chromium.org, mar...@marcosc.com
M44 or M45?
Reply all
Reply to author
Forward
0 new messages