Then you are just pushing where the uuid is stored up stream another step.
In order to refetch the manifest you will have to remember it’s location. Just use /<uuid>/manifest.json as the manifest location and have the server inject that into manifest file when fetched.
A PWA has lots and lots of issues regarding trackability. start_url is just a very minor part of that. An application that is actually a weird website will be able to track you, there will be Javascript with tons and tons of attack surface for this.
If you don't want tracking, use proper local applications and deny them network access.
This smells like a story Apple shopped out to keep defending their 30 percent racketeering operation. PWAs are better than native apps for privacy and security in almost every single way.
9 comments
[ 2.9 ms ] story [ 24.1 ms ] threadIn order to refetch the manifest you will have to remember it’s location. Just use /<uuid>/manifest.json as the manifest location and have the server inject that into manifest file when fetched.
For example you can just use WebGL for fingerprinting the browser.
If you don't want tracking, use proper local applications and deny them network access.
Native apps aren't much better. The real solution is to use FOSS apps that you can check yourself and trust regardless of pwa or native.
Your browser and device already had APIs to track you long before PWA standard and they still do.
https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-...
https://www.theverge.com/2020/7/25/21338151/instagram-bug-ca...
https://github.com/facebook/facebook-ios-sdk/issues/1374
https://github.com/facebook/facebook-ios-sdk/issues/1427