Sorry I had replied but only just realised the discussion had been taken off list
> Does this code enforce that the .xpi we download and attempt to install is actually a search type and not an arbitrary WebExtension Yes, extensions that only define a new search engine will be permitted, the extension will not be able to do anything else. > "Yes" meaning "required", I hope. Yes https is required here > Were there other alternatives considered which do not require modifying web pages with a new meta tag? Nope, this feature was planned mostly as a 1:1 equivalent implementation of the current opensearch implementation to maintain parity between webextensions and opensearch > If you _do_ invent a new one shared with other browser vendors, please > don't use an "x-" prefix in anything new. Thanks, I got notice of others concerns about this as well and have been looped in to discuss this more with standards before shipping. Once we have something agreeable will make sure to update this thread. > I realize that getting this kind of feedback at the time of an intent to ship is at best extremely unsettling, because you've probably done a lot of work on this, and for that I apologize. Not at all, thanks to everyone for their feedback, happy to make sure we get this right before shipping (or not). Cheers Dale On Wed, 19 Feb 2020 at 20:28, Adam Roach <a...@mozilla.com> wrote: > On 2/14/2020 5:05 PM, Daniel Veditz wrote: > > On Fri, Feb 14, 2020 at 11:50 AM Dale Harvey <dhar...@mozilla.com> > wrote: > > > >> We’re proposing a new mime-type [...]: “x-xpinstall” for WebExtension > >> search > >> engines. Example: <link rel=“search” type=“x-xpinstall” href="https:// > >> [...] > > > > This is confusingly similar to "application/x-xpinstall" which we use to > > trigger extension installs from link clicks. Since standard media-type > > syntax is "<type>/<subtype>" some authors will tend to fill in the > > "missing" bit and get it wrong, and others will complain that the syntax > is > > non-standard and broken. > > > > Does this code enforce that the .xpi we download and attempt to install > is > > actually a search type and not an arbitrary WebExtension? If any > extension > > type will work then re-using the full application/x-xpinstall is > > appropriate, but that sounds like it would go against user expectation > and > > might trick users into doing something dangerous. "This page would like > to > > install 'Steal all your data from every page search engine'. OK?" If the > > code does enforce only search type add-ons will it be confusing to use > the > > generic media-type? Or maybe it's OK anyway, since rel="search" is > required > > and can be taken as requiring that subset. > > > > If you _do_ invent a new one shared with other browser vendors, please > > don't use an "x-" prefix in anything new. > > https://tools.ietf.org/html/rfc6648 [2012] (hey -- our very own St. > Peter) > > > I had a response composed, and then realized that Dan had covered most > of what I wanted to say. The only additional point I would like to make > is: unless you're re-using a media type already in use (e.g., > application/x-xpinstall), or planning to run this through a standards > process first, this should look something like > "application/vnd.mozilla.webextension." See > <https://www.iana.org/assignments/media-types/media-types.xhtml> for > details. > > /a > > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
