Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Need to specify client of image objects when fetching #465

Closed
marcoscaceres opened this issue Apr 26, 2016 · 21 comments
Closed

Need to specify client of image objects when fetching #465

marcoscaceres opened this issue Apr 26, 2016 · 21 comments
Labels

Comments

@marcoscaceres
Copy link
Member

@annevk wrote, re: obtaining image objects:

Referrer policy also needs to come from somewhere. I guess if you don't have a client you'll need some integration with the referrer policy specification then...

@marcoscaceres
Copy link
Member Author

Moving @annevk's comments from #443 here...

Yeah, maybe that's better. Although it's a little weird since you can be associated with multiple documents, right?

Not necessarily. The perhaps short-sighted view is that "installation" and downloading of the icons is based on a single active Document...

And that document might disappear and then another one might appear?

If the Document vanishes, then the installation process would stop (this is not currently captured in the spec).

Would that mean you get a new policy?
How does CSP work today for manifest resources?

It uses the Document's security principle, respecting img-src. See:
https://w3c.github.io/manifest/#content-security-policy-of-image-objects

@annevk
Copy link
Member

annevk commented Apr 27, 2016

A manifest is only useful when you "install"? Oh my. We wouldn't use it for favicons and such?

@marcoscaceres
Copy link
Member Author

A manifest is only useful when you install? We wouldn't use it for favicons and such?

Probably not, no. They are only really useful for representing a larger grouping of URLs ("an app" or "a site"). On a page-by-page basis, it seems fine to keep using favicons and link rel=icon.

@annevk
Copy link
Member

annevk commented Apr 27, 2016

It just sounds so... pointless. And a bit of a pain from a security perspective if it's anchored neither here nor there. Though maybe document-that-linked-to-it-first is good enough.

@benfrancis
Copy link
Member

Probably not, no. They are only really useful for representing a larger grouping of URLs ("an app" or "a site"). On a page-by-page basis, it seems fine to keep using favicons and link rel=icon.

FWIW in Firefox OS 2.5 we use icons from a manifest in the URL bar without installation. We assume the manifest icon applies to the whole site whereas a link rel=icon applies to a single page. We fall back to a page icon if a site icon isn't provided.

@marcoscaceres
Copy link
Member Author

On 27 Apr 2016, at 7:16 PM, Anne van Kesteren [email protected] wrote:

It just sounds so... pointless. And a bit of a pain from a security perspective if it's anchored neither here nor there. Though maybe document-that-linked-to-it-first is good enough.

I'd rather it not be pointless. I'm happy the manifest's icons to be used as you suggested. We haven't added that because no products have asked for it. Can't hurt if implementors get it for free.

Will that make it a useful part of the platform?


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub

@annevk
Copy link
Member

annevk commented Apr 27, 2016

Maybe, I think a big problem is that the delivery is late and cannot be relied upon when interpreting a document. If we had something that was guaranteed to be available we could put CORS information in there, CSP, and other things. But the late-binding approach kills it I think.

@annevk
Copy link
Member

annevk commented Apr 27, 2016

(To be clear, I'm pretty sure I mentioned that to you before, though maybe not in specific enough terms.)

@jakearchibald
Copy link

@annevk

It just sounds so... pointless.

The benefit of the manifest is it's fetched when it's needed, which may be "never" in most visits. Previously we had a big ol' dump of meta-crap sitting in the <head> of every page, delaying first render.

@annevk
Copy link
Member

annevk commented May 9, 2016

@jakearchibald except you need icons and such each visit.

@jakearchibald
Copy link

Yeah, so that stuff is still needed in the head. So theme color & an icon (if it isn't /favicon.ico) in the head, then the rest, including bigger icons, in the manifest.

@annevk
Copy link
Member

annevk commented May 10, 2016

Still seems rather pointless to have a whole new resource for just that including all the complexity it brings. Might as well insert some additional icons later in the main document. Especially given that we need something manifest-like for origins that is available straight away.

@annevk
Copy link
Member

annevk commented May 10, 2016

Also, you're assuming an awful lot about the particular UI of a user agent. What if browsers with more room for the favicon return? What if the user agent supports higher resolution there? All those would require the icon to be available together with the main resource.

@jakearchibald
Copy link

Fair, it would need to be downloaded earlier in that case, but at least it's cachable and doesn't need to block content render.

@annevk
Copy link
Member

annevk commented May 10, 2016

Can you really say that a couple of extra elements in <head> cause a measurable delay? It seems that would be tiny compared to the several megabytes of a page.

@jakearchibald
Copy link

https://github.com/h5bp/mobile-boilerplate/blob/master/index.html it was starting to get pretty bad.

@annevk
Copy link
Member

annevk commented May 10, 2016

So once you hit 11 icons it's time for a new format that lists 10 of them?

@marcoscaceres marcoscaceres reopened this Jun 27, 2016
@marcoscaceres marcoscaceres changed the title Need to specify client of image objects when fetching... Need to specify client of image objects when fetching (an environment settings object) Jun 27, 2016
@marcoscaceres
Copy link
Member Author

Talked to @annevk. Reopened so we have a correct reference to an environment settings object (one that maps to a concrete thing in the implementation). Gecko does not currently implement actual acquisition of image objects from the manifest - so I don't have a concrete example of what we do... (I had a WIP patch that used a <picture> element to figure out the icon selection... will try to dig it up).

@marcoscaceres marcoscaceres changed the title Need to specify client of image objects when fetching (an environment settings object) Need to specify client of image objects when fetching Apr 18, 2019
@marcoscaceres marcoscaceres removed the P1 label Apr 18, 2019
@aarongustafson
Copy link
Collaborator

@marcoscaceres Should this move over with ImageResource?

@marcoscaceres
Copy link
Member Author

Yes, it should be specified as part of the fetching model.

@marcoscaceres
Copy link
Member Author

Closing as fetching an image resource is specified in terms of fetch. If there are specific bugs or clarifications needed (e.g., #851), then can deal with them separately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants