Should we require `manifestid`?

[mikewest]

Copy/pasting from @LiaHiscock's comments in #4 (comment):

"""
Re. the manifestid requirement, that doc looks a bit out of date. Let me try to clarify. Manifest id is an app's unique identifier, and how we determine if an app is already installed, should be updated, etc. Unfortunately, id is not a required manifest field, so only about 4% of apps declare one. For the other 96% of apps, we "compute" an id using the start_url field, see starbucks.com's 'application' tab.

However, this opens the door for security issues, because if the developer changes their start_url, their site will appear to the browser as a completely new app that can be installed (multiple apps-foot-gun situation mentioned in Dan's doc), and existing installs under the former start_url become orphaned.

Dan was a big proponent of the id requirement for the API. IIRC our goal there was that the 2 parameter signature helps with backwards compatibility for existing apps without ids, and ideally the 1 parameter signature usage will grow as more apps adopt ids.
"""

[marcoscaceres]

Be good to remove that for now.

[christianliebel]

The manifest ID situation is very unfortunate.

I do understand that vendors want to prevent developers from making mistakes, and we certainly could ask developers to simply add an "id" field to their manifest while they are adding the <install> element.

At the same time, the cross-vendor consensus is that all web pages should be installable, which means they don't even need to have a manifest.

@dmurph: Does the PWA migration proposal provide a way for developers to get out of this situation? If yes, this would be a strong argument in favor of removing the ID requirement.

[dmurph]

Yes, the explainer here (ccing @ mkruisselbrink) provides a way for developers to fix this.

My main thought is that without providing the manifest id, the user agent MUST always fetch the (install url, then the) manifest. with the id, the user agent can just know it's already installed and offer 'launch'. Do we think that stores would have incentive to set this so their store works better and shows that an app is installed already quickly? Probably... I could be convinced.

This gets cheaper if we use an alternative I made at #14, where we use a manifestUrl instead. but IDK if that is better - we can discuss there I guess?