Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

Hi,

Thanks for your report. This is a well-known issue but essentially not actionable: since the whole point of `"display": "standalone"` is to hide the browser UI, any site installed in such a way can simply recreate fake browser UI inside its relatively bare window.

We got this same report on the Chromium issue tracker yesterday and I'll paste the response from the Chromium side by @dominickng:

> This vulnerability boils down to: once installed, any PWA may phish the user because they are displayed without an omnibox.
>
> We have a number of mitigations in place for this. Installing a PWA requires that the user explicitly consents to a prompt that contains the origin of the site, its title, and the icon. This consent stage must be triggered by a user gesture, and is regarded as the point of trust for the origin.
>
> Once installed and running, standalone PWAs have a persistent notification in the system tray that shows their origin.

This is mostly an issue for individual user agents, as it affects their UI, which can't be specified by normative language in the spec. The concrete suggestion here is to upgrade the non-normative recommendation to UI that is "hard to counterfeit", which may be worth adding to the spec, but as mentioned above, not really actionable.

> As an example on Android, instead of showing the “prominent UI” directly in the activity of the Web App, it could be secure to switch to the mobile browser which then shows the “prominent UI”. 

We actually had that behaviour in the spec previously (see #701). After a lot of debate, we changed it to require not opening the site in the separate browser (because it breaks the normal navigation flow of the web). User agents are required to open links in the app context.

Changing this requirement wouldn't really help. A full stand-alone app on mobile would simply be able to spoof the browser UI and the user would think they're in the full-screen browser.

Basically, there is no way to make "unspoofable" UI if we give the app control over the entire window/screen, and that's the whole point of PWAs. I'm going to close this because it's non-actionable on the spec. Feel free to continue speaking with individual browser vendors about improving their UI.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/747#issuecomment-443992765

Received on Tuesday, 4 December 2018 06:58:57 UTC