- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Tue, 4 Nov 2025 13:20:23 -0800
- To: peace@acm.org
- Cc: public-security@w3.org
- Message-ID: <CANh-dX=CKMeXgpmkysy7G9xFUNpaLDOk5Z=AJWadd+n2asx8+g@mail.gmail.com>
Not exactly a security review, but the TAG discussed this in
https://github.com/w3ctag/design-reviews/issues/888,
https://github.com/w3ctag/design-reviews/issues/946, and
https://github.com/w3ctag/design-reviews/issues/1051.

Tom, it would be helpful if you could lay out the attack you're seeing. Is it new, or already discussed in
https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/WebInstall/explainer-background-doc.md#accessibility-privacy-and-security-considerations ?

Jeffrey

On Tue, Nov 4, 2025 at 12:52 PM Tom Jones <thomasclinganjones@gmail.com> wrote:

> https://aka.ms/webinstall
>
> *Specification*
> https://github.com/w3c/manifest/pull/1175
>
> *Design docs*
>
> https://docs.google.com/document/d/12nSXJLm8mW0gWZ_yjlXfrV8r9gwJliVt4WVa-209-KA/edit?tab=t.0
>
> *Summary*
> Allows a website to install a web app. The API provides 3 signatures, with
> 0, 1, and 2 parameters, respectively. When invoked, the website installs
> either itself, or another site from a different origin, as a web app
> (depending on the provided parameters). All 3 signatures will be
> experimented with in parallel.
> *Terminology - A site installing itself is a "current document install". *A
> site installing another site is a "background document install".*
>
> Peace ..tom jones
>
Received on Tuesday, 4 November 2025 21:20:40 UTC