15562 2012-01-15 03:30:11 +0000 It's unfortunate that URLs in the manifest must have the same scheme as the manifest itself. This prohibits listing https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js in a manifest that may be served over either http or https and prohibits p 2012-07-18 18:39:24 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED WONTFIX http://www.whatwg.org/specs/web-apps/current-work/#writing-cache-manifests P3 normal Unsorted 1 contributor ian ian jyasskin mike contributor oldest_to_newest 62725 0 contributor 2012-01-15 03:30:11 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html Multipage: http://www.whatwg.org/C#writing-cache-manifests Complete: http://www.whatwg.org/c#writing-cache-manifests Comment: It's unfortunate that URLs in the manifest must have the same scheme as the manifest itself. This prohibits listing https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js in a manifest that may be served over either http or https and prohibits putting manifests in data URIs at all. Posted from: 70.36.140.65 User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.16 (KHTML, like Gecko) Chrome/18.0.1003.1 Safari/535.16 62726 1 jyasskin 2012-01-15 03:34:49 +0000 Specifically, I was trying to use a manifest to make http://cxx1y-range.googlecode.com/git/paper.html cache jquery for use offline. This file will eventually live in http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2011/ where I only get to control a single file. 63783 2 ian 2012-02-06 23:35:30 +0000 Manifests in data: URLs makes no sense, since they couldn't be updated, so the cache would never ever be updated even if the server went away altogether, or changed ownership, or whatnot. Not being able to reference a secure URL from an insecure manifest is a problem, true. It's not really clear to me why you'd bother with encrypting a library if the rest isn't encrypted though. So I don't think this is compelling enough to relax the restriction. The restriction is primarily intended to protect against the opposite case, an https:// manifest using unencrypted resources. 63808 3 jyasskin 2012-02-07 07:02:18 +0000 You would update a manifest found in a data: url by refetching the whole document that contained the data: url. You'd bother with encrypting a library if the rest isn't encrypted so that you can keep the same 'src' attribute for documents that could be accessed over either http or https. Not everyone generates different HTML for serving over SSL vs non-SSL. But I just wanted to raise the issue. I won't reply further if you still disagree.