Hosted applications -> Hosted web applications

index.html

@@ -70,9 +70,9 @@
           The figure shows the overlap between traditional web applications,
           hosted web applications, and packaged applications. Web applications
           make use of standard Web technologies but don't make use of an
-          application manifest. On the other hand, hosted applications make use
-          of an application manifest, while packaged applications have both an
-          application manifest and are packaged using [[!ZIP]].
+          application manifest. On the other hand, hosted web applications make
+          use of an application manifest, while packaged applications have both
+          an application manifest and are packaged using [[!ZIP]].
         </figcaption>
       </figure>
       <p>
@@ -600,8 +600,8 @@ <h3>
           <li>If <var>present</var> is <var>true</var>:
             <ol>
               <li>Let <var>value</var> be the result of calling the
-              [[\GetOwnProperty]] internal method of <var>manifest</var> passing
-              <var>key</var> as the argument.
+              [[\GetOwnProperty]] internal method of <var>manifest</var>
+              passing <var>key</var> as the argument.
               </li>
               <li>Let <var>tag</var> be <a>ToString</a>(<var>value</var>).
               </li>
@@ -1106,6 +1106,189 @@ <h3>
           </p>
         </section>
       </section>
+      <section>
+        <h2>
+          Media Type
+        </h2>
+        <p>
+          This section contains the required text for MIME media type
+          registration with IANA.
+        </p>
+        <p>
+          The <dfn>media type for an application manifests</dfn> is
+          <code>application/webapp-manifest+json</code>.
+        </p>
+        <p>
+          If the protocol over which the manifest is transferred supports the
+          [[!MIME]] specification (e.g. [[!HTTP11]]), it is RECOMMENDED that
+          the application manifest be labeled with the <a>media type for an
+          application manifests</a>.
+        </p>
+        <dl>
+          <dt>
+            Type name:
+          </dt>
+          <dd>
+            application
+          </dd>
+          <dt>
+            Subtype name:
+          </dt>
+          <dd>
+            webapp-manifest+json
+          </dd>
+          <dt>
+            Required parameters:
+          </dt>
+          <dd>
+            N/A
+          </dd>
+          <dt>
+            Optional parameters:
+          </dt>
+          <dd>
+            N/A
+          </dd>
+          <dt>
+            Encoding considerations:
+          </dt>
+          <dd>
+            Same as for application/json
+          </dd>
+          <dt>
+            Security considerations:
+          </dt>
+          <dd>
+            <p>
+              As the application manifest format is JSON and will commonly be
+              encoded using [[!!Unicode]], the security considerations
+              described in [[!JSON]] and [[!UTR36]] apply. In addition,
+              implementers need to impose their own implementation-specific
+              limits on the values of otherwise unconstrained member types,
+              e.g. to prevent denial of service attacks, to guard against
+              running out of memory, or to work around platform-specific
+              limitations.
+            </p>
+            <p>
+              The manifest document allows authors, through the permissions and
+              required_features, to request permission to enable security
+              sensitive APIs. As these APIs are outside the scope of this
+              specification, significant caution needs to be taken when
+              granting an application the capability to use a feature. Features
+              themselves define their own security considerations.
+            </p>
+            <p>
+              Web applications will generally contain ECMAscript, HTML, CSS
+              files, and other media, which are executed in a sand-boxed
+              environment. As such, implementers need to be aware of the
+              security implications for the types they support. Specifically,
+              implementers need to consider the security implications outlined
+              in the [[!CSS-MIME]] specification, the [[!ECMAScript-MIME]]
+              specification, and the [[!HTML-MIME]] specification.
+            </p>
+            <p>
+              As web applications can contain content that is able to
+              simultaneously interact with the local device and a remote host,
+              implementers need to consider the privacy implications resulting
+              from exposing private information to a remote host. Mitigation
+              and in-depth defensive measures are an implementation
+              responsibility and not prescribed by this specification. However,
+              in designing these measures, implementers are advised to enable
+              user awareness of information sharing, and to provide easy access
+              to interfaces that enable revocation of permissions.
+            </p>
+            <p>
+              As this specification relies on the standardized heuristics for
+              determining the content type of files defined in the [[!SNIFF]]
+              specification, implementers need to consider the security
+              considerations discussed in the [[!SNIFF]] specification.
+            </p>
+            <p>
+              As this specification allows for the declaration of IRIs within
+              certain members of a the application manifest, implementers need
+              to consider the security considerations discussed in the [IRI]
+              specification. Implementations intending to display <abbr title=
+              "Internationalized Resource Identifiers">IRIs</abbr> and
+              <abbr title="Internationalized domain name">IDNA</abbr> addresses
+              found in the application manifest are strongly encouraged to
+              follow the security advice given in [[!UTR36]].
+            </p>
+            <p>
+              In addition, user agents need to be careful about trusting path
+              components found in the manifest. Such path components might be
+              interpreted by operating systems as pointing at security critical
+              files outside the browsing environment proper, and naive
+              unpacking of zip packages into the file system might lead to
+              undesirable and security relevant effects, such as overwriting of
+              system files.
+            </p>
+          </dd>
+          <dt>
+            Applications that use this media type:
+          </dt>
+          <dd>
+            Web browsers
+          </dd>
+          <dt>
+            Additional information:
+          </dt>
+          <dd>
+            <dl>
+              <dt>
+                Magic number(s):
+              </dt>
+              <dd>
+                N/A
+              </dd>
+              <dt>
+                File extension(s):
+              </dt>
+              <dd>
+                .webapp
+              </dd>
+              <dt>
+                Macintosh file type code(s):
+              </dt>
+              <dd>
+                TEXT
+              </dd>
+            </dl>
+          </dd>
+          <dt>
+            Person &amp; email address to contact for further information:
+          </dt>
+          <dd>
+            The <a href="http://www.w3.org/2012/sysapps/" rel="nofollow">System
+            Applications Working Group</a> can be contacted at <a href=
+            "http://lists.w3.org/Archives/Public/public-sysapps/" rel=
+            "nofollow">[email protected]</a>.
+          </dd>
+          <dt>
+            Intended usage:
+          </dt>
+          <dd>
+            COMMON
+          </dd>
+          <dt>
+            Restrictions on usage:
+          </dt>
+          <dd>
+            none
+          </dd>
+          <dt>
+            Author:
+          </dt>
+          <dd>
+            W3C's System Application Working Group.
+          </dd>
+          <dt>
+            Change controller:
+          </dt>
+          <dd>
+            W3C.
+          </dd>
+        </dl>
+      </section>
     </section>
     <section>
       <h2>
@@ -1867,7 +2050,7 @@ <h2>
           Manifest
         </h2>
         <p>
-          Inside an application package, the <dfn>valid application manifest
+          Inside a packaged application, the <dfn>valid application manifest
           filename</dfn> is <code>manifest.webapp</code>.
         </p>
         <p>