Security and Privacy questionnaire for predictable app updating
What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
User agents will be able to know if a manifest update has been applied on an installed PWA or not.
Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
Yes.
How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
There is no information of this type being handled by the feature.
User agents will have the option of showing a UX dialog in case security sensitive fields of the app (name, short_name and icons) change.
Do the features in your specification introduce new state for an origin that persists across browsing sessions?
No.
No.
Yes, this will send the information that a site has changed its manifest, and the user agent can choose to apply that update if they want.
No.
No.
No.
Do features in this specification allow an origin some measure of control over a user agent’s native UI?
Yes. User agents can create their own native UI based on whether the field in the manifest has a different value from what's stored or not.
N/A.
No, it does not make such distinction.
How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
It will not be available in Private Browsing/Incognito mode.
There is no specification written yet.
No.
This feature does not interact with non-"fully active" documents.
N/A.