Clarify how manifest image resources are fetched#1171
Clarify how manifest image resources are fetched#1171marcoscaceres wants to merge 10 commits intomainfrom
Conversation
|
My main thoughts here are:
It's hard to know how important keeping this consistent, if there is a requirement out there someone would have here. I think my biggest concern would just be consistency. HOWEVER - I think also we have an effort to decouple the manifest parsing from the document. There are a lot of benefits there too, allowing services to cache data about a manifest & the icons for distribution. But - yeah - not sure what the right answer is here. edit: Having this always go through the document also means that you can hit the serviceworker in an offline setting. |
|
I tend to agree that icon/image fetching should be possible outside of the document the manifest was linked from. There could be all kinds of architecture designs for how to install an application where the functions of downloading, caching and updating icons are delegated to browser chrome or the underlying operating system. In Firefox OS for example I believe at least at one point icons were initially fetched by browser/system chrome to provide a preview but then stored (in IndexedDB) and managed by the separate homescreen application after installation. In general anything that helps decouple app installation from the document is a good thing from my point of view. An edge case I can imagine that could create a problem is if fetching an image resource requires some form of authentication like a cookie being set, but there all kinds of reasons why I think that should be discouraged. FWIW in WebThings Shell we currently fetch icons from system chrome rather than the document, but there's still work to do there around caching and updating images. |
|
I got confirmation too that in WebKit it's done through using there document as well (i.e., CSP applies). So yeah, we should just say, go through the algorithm "fetching an image resource". The problem with decoupling it from the document is that it would break the CSP policies, service worker served icons, etc. |
|
@benfrancis, although rare, there could be a case where the icons might be pulled from a service worker - which seems like a valid thing to do. In such a case, it would need to through the document context to get to the service worker. |
|
The Fetching an image resource algorithm in Image Resource would have to be adjusted. |
|
I think we should push all the fetching to the Image Resource spec. @dmurph, cool with that? |
|
@marcoscaceres ping on this, seems strickly better at least, can we merge? |
|
Checked implementations ahead of merging: Chrome ( Firefox ( WebKit: currently routes manifest image fetches directly to the network process via |
|
@dmurph re: the mode question — the "fetching an image resource" algorithm currently doesn't set a fetch mode, which defaults to
From a security and privacy perspective, I've filed w3c/image-resource#50 to set |
There was a problem hiding this comment.
Pull request overview
This PR updates the Web Application Manifest spec to more explicitly define how manifest image resources (e.g., icons) are fetched, aiming to align fetching behavior with the Image Resource spec’s “fetching an image resource” algorithm.
Changes:
- Clarifies the descriptive text for “manifest image resources”.
- Adds a normative MUST requirement to fetch manifest image resources by running the “fetching an image resource” algorithm.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Add optional environment settings object parameter to "processing a manifest" so HTML can pass the document's relevant settings object. - Store the client on the processed manifest for later use. - Replace the bare MUST statement with a proper "fetch a manifest image resource" algorithm that creates a Request with client set, then delegates to "fetching an image resource" from image-resource. - When client is null (no document context), return early. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When HTML invokes "processing a manifest" via the link element, client is the document's relevant settings object. When invoked without a document (e.g., sync install), client is null. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
marcoscaceres
force-pushed
the
sub-resource
branch
from
21d9658 to
d73ab82
Compare
The Web App Manifest spec's "processing a manifest" algorithm now accepts an optional environment settings object (client) parameter, used to set the request client when fetching manifest image resources. This enables CSP and service worker interception for those fetches. Pass the link element's node document's relevant settings object as the client parameter when invoking "process the manifest". See: w3c/manifest#1171 See: w3c/image-resource#50
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Use "or null" instead of "optional" for client parameter type - Remove data-export from client dfn (no external consumers) - Lowercase Fetch internal slot names: destination, client - Use [=request=] (internal concept) not [=Request=] (ambiguous)
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…| var scope - Add informative note after the algorithm explaining it is called during install UI prep or application context creation, not on every page load; references issue #1216 for the normative call site work - Fix step 1 note: |client| is not in scope; replace with |manifest|'s [=application manifest/client=]
|
@marcoscaceres wrote:
Presumably this is during initial installation, but what about when updating? Without the change in this PR it is my understanding that an OS could periodically directly fetch the icon of an already installed app from its icon URL to update an icon in an app launcher (e.g. in an app drawer/home screen/start menu/launchpad/dock) if it wanted to, outside of any browsing context. After this change it will always be necessary to wait for a browsing context to load a document linking to the manifest in order to download an updated icon. Do operating systems provide APIs for an installed web app (or the native browser app providing its application context) to update the icons of apps after installation? I understand the points about CSP policies and the (slightly odd) use case of serving icons from a service worker, but it's kind of a shame to have to make this change because without it it's technically possible for a user agent to ask an OS to install a web app by just providing a manifest. After this change my understanding is the user agent will always have to fetch all of the linked image resources the OS might need itself and hand them over to the OS along with the manifest. |
|
This has come up a few times and it's complicated: What you’re describing introduces an out-of-band fetch path where the OS (or UA on its behalf) can update icons outside a browsing context. The problem with that is it bypasses the origin’s security model (CSP, service workers, fetch behavior, etc.). From a user perspective, that means app identity surfaces (like icons) can change without the site being loaded, and without the protections the developer put in place. In particular, it creates a path for persistent spoofing of installed apps if those resources are ever temporarily compromised, and generally makes behavior harder to reason about. The intent of this change is to keep things consistent:
That does mean the UA needs to fetch and hand assets to the OS, rather than the OS fetching them directly. In practice, I think that's how most platforms behave today... or, at least I hope... will need to check. So while it reduces some flexibility, it avoids introducing a second, less constrained fetch path for security-sensitive resources. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@copilot can you fix the issue causing the CI failure? |
Closes #910
This change (choose at least one, delete ones that don't apply):
What changed
Added
clientparameter to "processing a manifest" — an optional environment settings object. When HTML invokes processing via<link rel="manifest">, this is the document's relevant settings object. When processing without a document (e.g., sync install), it is null.Stored
clienton the processed manifest — so it's available later when image resources need to be fetched.Added "fetch a manifest image resource" algorithm — creates a Request with:
src"image""cors"(see w3c/image-resource#50)Clarified the HTML invocation context — the "Processing without a document" section now explains when
clientis the document's relevant settings object vs. null.Implementation commitment
img-srcdirectives and service workers do not apply.DownloadImageInFrame(). Service workers can intercept (confirmed by @dmurph). Does not explicitly set a fetch mode.window.fetch()through the content window. CSP and service workers apply. Firefox explicitly setsmode: "cors".Related
corsin the Image Resource spec's algorithmPerson merging, please make sure that commits are squashed with one of the following as a commit message prefix:
chore:editorial:BREAKING CHANGE:Preview | Diff