one app installing a foreign app - did that ever show up on a security review? from Tom Jones on 2025-11-04 (public-security@w3.org from November 2025)

From: Tom Jones <thomasclinganjones@gmail.com>
Date: Tue, 4 Nov 2025 12:52:22 -0800
To: public-security@w3.org
Message-ID: <CAK2Cwb7+qUhhaTA6JeU6xYL8d-V=AH9=KHgMyB0wzoGKayqPtQ@mail.gmail.com>

https://aka.ms/webinstall

*Specification*
https://github.com/w3c/manifest/pull/1175

*Design docs*

https://docs.google.com/document/d/12nSXJLm8mW0gWZ_yjlXfrV8r9gwJliVt4WVa-209-KA/edit?tab=t.0

*Summary*
Allows a website to install a web app. The API provides 3 signatures, with
0, 1, and 2 parameters, respectively. When invoked, the website installs
either itself, or another site from a different origin, as a web app
(depending on the provided parameters). All 3 signatures will be
experimented with in parallel.
*Terminology - A site installing itself is a "current document install". *A
site installing another site is a "background document install".*

Peace ..tom jones

Received on Tuesday, 4 November 2025 20:52:39 UTC