Can any web site host a manifest for any app?

[benfrancis]

This question was prompted by discussion around #183 (start_url vs. start_path).

Separate from the question of whether there can be multiple apps per origin and multiple origins per app (#114) is the question of whether only the app owner should be able to host a manifest for their app.

If anyone can host a manifest for any app then it is much easier for app stores/directories to create a directory of apps because it doesn't require the involvement of the content creators. For example, growth of the Firefox Marketplace may be slower than growth of the everything.me directory because the former requires the involvement of content creators whereas the latter does not.

But a risk of allowing off-origin manifests is that a malicious app store could try to charge to install otherwise free apps by creating their own manifests for third party apps without the permission of the app owners.

It's also not clear how this would work from a UI point of view in the user agent in the absence of an app installation/requestBookmark() API. Would bookmarking an app directory listing actually install/bookmark the app referenced by the manifest instead of the listing page for example?

[marcoscaceres]

But a risk of allowing off-origin manifests is that a malicious app store could try to charge to install otherwise free apps by creating their own manifests for third party apps without the permission of the app owners.

I don't see this as a problem, tbh. If someone sets up a subscription service "Best Apps Evar" and they want to charge to catalog them, create icons for them, and create/maintain the metadata, then all the power to them. I would probably pay for this service if it provides convenience. Or even a custom "appify that crappy web app! enter URL here: ".

Having said that, we do need to deal with developers who don't want this to happen - or for the abuse case you mention - through the Referer: or Origin: header. When the request is made, it should be clear that the Referer: for when fetching the resource at the start_url must be the manifest's URL. That way, you know which service is being used. The request can then also be intervened through CORS. Need to investigate this tho.

It's also not clear how this would work from a UI point of view in the user agent in the absence of an app installation/requestBookmark() API. Would bookmarking an app directory listing actually install/bookmark the app referenced by the manifest instead of the listing page for example?

Yes. It might be that this is exactly what prevents the "best apps ever" thing from happening. Without an API that you can bind to an install button, then all a store can do is say "to install this app, find your 'add to homescreen' button". This will lead to either browser sniffing, etc. to make this convenient/obvious for users (as already happens in iOS Safari... and erroneously on Chrome for iPhone, where 'add to homescreen' call-outs are added to web pages even though Chrome doesn't provide this feature). The flip side is install buttons everywhere on the Web... which also sucks.

At least for v1, I think we should see how we go without having the API. We can incrementally add it if the UX people can't crack this with some clever UI thing.

[marcoscaceres]

Closing. @benfrancis, feel free to open again if you have any followup comments.