- From: PWAuser <notifications@github.com>
- Date: Thu, 06 Dec 2018 15:16:18 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/issues/747/445065448@github.com>
Thanks very much, mgiuca. We think we have consensus for the most part. Designing a general solution may not be trivial, but we think the security risk and goal should be clear to UA vendors and readers of the Spec. In particular, we suggest the security goal be made clear that, it should be practically easy for users to judge whether any UI component/notice in the context of Web App is owned by the Web App or UA. In terms of actionable solution, we would like to make one little bit clarification here. We think a possible guideline could be, the UA should not reclaim any pixels back from the (standalone) Web App. Specifically, the UA never displays any UI component/notice inside the display area of Web App. When a UA wants to show any critical UI notice, switch the user to the UA app (which is now in the foreground) and display it there. (The Operating System should have the responsibility to make it clear what app is running in the foreground.) After the display, guide the users back to the Web App, so as to eliminate any breaking of the user experience. This tentative solution is open to discussions or evaluation. But making the security risk and goal clear will bring in solutions from the community. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/747#issuecomment-445065448
Received on Thursday, 6 December 2018 23:16:39 UTC