This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 15562 - It's unfortunate that URLs in the manifest must have the same scheme as the manifest itself. This prohibits listing https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js in a manifest that may be served over either http or https and prohibits p
Summary: It's unfortunate that URLs in the manifest must have the same scheme as the m...
Status: RESOLVED WONTFIX
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-15 03:30 UTC by contributor
Modified: 2012-07-18 18:39 UTC (History)
3 users (show)

See Also:


Attachments

Description contributor 2012-01-15 03:30:11 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html
Multipage: http://www.whatwg.org/C#writing-cache-manifests
Complete: http://www.whatwg.org/c#writing-cache-manifests

Comment:
It's unfortunate that URLs in the manifest must have the same scheme as the
manifest itself. This prohibits listing
https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js in a manifest
that may be served over either http or https and prohibits putting manifests
in data URIs at all.

Posted from: 70.36.140.65
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.16 (KHTML, like Gecko) Chrome/18.0.1003.1 Safari/535.16
Comment 1 Jeffrey Yasskin 2012-01-15 03:34:49 UTC
Specifically, I was trying to use a manifest to make http://cxx1y-range.googlecode.com/git/paper.html cache jquery for use offline. This file will eventually live in http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2011/ where I only get to control a single file.
Comment 2 Ian 'Hixie' Hickson 2012-02-06 23:35:30 UTC
Manifests in data: URLs makes no sense, since they couldn't be updated, so the cache would never ever be updated even if the server went away altogether, or changed ownership, or whatnot.

Not being able to reference a secure URL from an insecure manifest is a problem, true. It's not really clear to me why you'd bother with encrypting a library if the rest isn't encrypted though. So I don't think this is compelling enough to relax the restriction.

The restriction is primarily intended to protect against the opposite case, an https:// manifest using unencrypted resources.
Comment 3 Jeffrey Yasskin 2012-02-07 07:02:18 UTC
You would update a manifest found in a data: url by refetching the whole document that contained the data: url.

You'd bother with encrypting a library if the rest isn't encrypted so that you can keep the same 'src' attribute for documents that could be accessed over either http or https. Not everyone generates different HTML for serving over SSL vs non-SSL.

But I just wanted to raise the issue. I won't reply further if you still disagree.