- From: Alex Lu <notifications@github.com>
- Date: Fri, 01 May 2015 14:40:54 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Message-ID: <w3c/manifest/issues/272/98245699@github.com>
> Make manifest metadata authoritative (a user agent ignores a page's meta tags): this gives us the ability to perform updates, etc. reliably without relying on the document from which the page was installed.

I agree with this too.

> - An evil developer creates a manifest at http://evil.com/manifest.json which has a start_url of http://irccloud.com/index.html
> - They submit the URL http://evil.com/manifest.json to the Firefox Marketplace or Windows Store to be featured as an app, costing $1.
> - A user installs the app from the app store, without reference to any page of the app
> - The evil developer changes the start_url of the manifest to http://evil.com/login.html
> - The user updates the app, launches it and logs into what they think is IRCCloud
> - The evil developer puts an ad in the splash screen of the app suggesting the user try out the new and improved product at evil2.com
> - The evil developer has $1, the user's username and password, and has them using their new evil2 product

Can't a developer already do something worse than this?

- A malicious developer submits an app with a WebView pointing to foo.com
- foo.com automatically redirects the user to http://irccloud.com/index.html
- A user installs the app from the Store.
- The malicious developer then changes foo.com to become malicious.
- The user launches the app (and doesn't even have to update it), and logs into what they think is IRCCloud.

---
Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/272#issuecomment-98245699
Received on Friday, 1 May 2015 21:41:21 UTC