Precise the frequency at which re-validation of app/URL associations should occur

[camillelamy]

Hi,

As part of the Chrome Web Platform Security & Privacy review process, we have reviewed your intent to prototype. We have several questions, in particular around re-validation of PWA-url associations.

Could you precise at which frequency the re-validation should happen? Should this re-validation happen in the background or when the user navigates to an URL with an existing association that has not been re-validated in a while?

[LuHuangMSFT]

Hello. Thank you for the review.

Short answer: there is no minimum frequency for the re-validation. The maximum frequency is 1/day. Revalidation will happen when the user navigates to an URL with an existing association that has not been re-validated in a while. "In a while" is 1 day as revalidation will piggy-back onto the manifest update mechanism.

Currently our design states that:

The association between a PWA and an origin must be revalidated:

• when a PWA is installed
• when a PWA is updated (manifest update)
• periodically to pick up changes in the web-app-origin-association file
  (design doc link)

So the primary mechanism for revalidation after app install is manifest update.

• The maximum interval between revalidation for any given app is not deterministic as manifest update is trigged by top level navigations within an app's scope.
  • If the user does not navigate to within the app's scope, manifest update does not occur and so the association revalidation will not occur
  • If the association is no long valid and a link activation causes an app to be launched - this can occur only once as it is a navigation that will trigger manifest update.
    • This can happen multiple times if the association becomes invalid in the same day that it was last re-validated.

• periodically to pick up changes in the web-app-origin-association file

We are removing this mechanism from the design. Downloading files in the background on a timer without explicit action from the user seems problematic (eg. a bug in poll frequency.)