Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

The comment you cite does not address the issue for off-scope navigation. Can you explain why out-of-scope content absolutely requires use of the entire screen? Fake OAuth pages are definitely the main attack vector here, and have been from the beginning with installed browser apps using redirect OAuth flows.

Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/747#issuecomment-444457425

Received on Wednesday, 5 December 2018 11:45:32 UTC