- From: Tom Jones <thomasclinganjones@gmail.com>
- Date: Tue, 4 Nov 2025 14:44:42 -0800
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: peace@acm.org, public-security@w3.org
- Message-ID: <CAK2Cwb7o8MBkXHR9F2eBksRP0b=Z3r6YacV9A3LaJ7rHrcQANg@mail.gmail.com>
That section seems to be self-contradictory (no cross-origin), but then I really cannot parse sections like the following:

*The end user goes to the homepage* in the https://productivitysuite.com's origin and clicks on the button to install the presentation application. As this is a *background document* (not the current document the user is interacting with) and the origin does not have permission to install apps, a permission prompt will appear. If this permission is granted for the origin, it can now install apps. After this permission prompt, the second prompt where the user confirms the installation appears.

Peace ..tom jones

On Tue, Nov 4, 2025 at 1:20 PM Jeffrey Yasskin <jyasskin@google.com> wrote:

> Not exactly a security review, but the TAG discussed this in
> https://github.com/w3ctag/design-reviews/issues/888,
> https://github.com/w3ctag/design-reviews/issues/946, and
> https://github.com/w3ctag/design-reviews/issues/1051.
>
> Tom, it would be helpful if you could lay out the attack you're seeing. Is
> it new, or already discussed in
> https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/WebInstall/explainer-background-doc.md#accessibility-privacy-and-security-considerations
> ?
>
> Jeffrey
>
> On Tue, Nov 4, 2025 at 12:52 PM Tom Jones <thomasclinganjones@gmail.com>
> wrote:
>
>> https://aka.ms/webinstall
>>
>> *Specification*
>> https://github.com/w3c/manifest/pull/1175
>>
>> *Design docs*
>> https://docs.google.com/document/d/12nSXJLm8mW0gWZ_yjlXfrV8r9gwJliVt4WVa-209-KA/edit?tab=t.0
>>
>> *Summary*
>> Allows a website to install a web app. The API provides 3 signatures,
>> with 0, 1, and 2 parameters, respectively. When invoked, the website
>> installs either itself, or another site from a different origin, as a web
>> app (depending on the provided parameters). All 3 signatures will be
>> experimented with in parallel.
>> *Terminology - A site installing itself is a "current document install". A
>> site installing another site is a "background document install".*
>>
>> Peace ..tom jones
>>
Received on Tuesday, 4 November 2025 22:45:00 UTC