Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

@skddc:
> The comment you cite does not address the issue for off-scope navigation. Can you explain why out-of-scope content absolutely requires use of the entire screen? Fake OAuth pages are definitely the main attack vector here, and have been from the beginning with installed browser apps using redirect OAuth flows.

Sorry if I wasn't clear. Out-of-scope content absolutely **should not** take up the whole screen. We have a SHOULD (recommendation) in the spec that the user agent "show a prominent UI element indicating the document URL, or at least its origin" when out of scope.

The problem here is not with out-of-scope pages being able to spoof another site. The problem is that *in-scope* pages, which by definition have no browser UI (otherwise that would defeat the purpose of installable websites), can spoof the user agent's out-of-scope security UI to pretend to be a different off-site URL. That's much less scary, since only a site that the user has explicitly chosen to install can perform this spoofing attack.

@PWAuser:
> Specifically, the users cannot tell whether the Prominent UI is from user agent or the Web App. When this Prominent UI is for critical security notification (i.e., informing the current domain during off-scope navigation), such misleading will cause security consequences, e.g., our reported phishing attacks.

Yes, we've acknowledged that this is an issue. It's just difficult to do anything about it when the whole point of this feature is to give the site (which the user has specifically chosen to install, and thus has placed a certain degree of trust in) as much screen real estate as possible. Whether this can be mitigated depends heavily on the user agent.

> One possible implementation of the suggested design principle could be, any UI component/notice inside the display area of Web App should only be owned by the Web App. When a user agent wants to show users any critical UI notice, guide the user to the user agent’s separate activity and display it there.

Right, but the problem is if the web app owns all the pixels on the screen, then there is no way to display any browser UI once navigated off-scope, other than to reclaim some of those pixels back from the app. By definition, if the UA conditionally claims pixels from the app, the app can spoof that UI when the UA is not claiming those pixels. On mobile, this is especially hard, since the standalone app takes up all of the available space. On desktop, apps typically have a title bar, which we may be able to place this information inside of, but there's very little space there.

I think this discussion could certainly be fleshed out in the security considerations section, but we can't really make any recommendations. I'll reopen this for the purpose of adding non-normative text to [Section 4.1](https://www.w3.org/TR/appmanifest/#navigation-scope).

Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/747#issuecomment-444695535

Received on Wednesday, 5 December 2018 23:53:12 UTC
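The scope decision this thread turns on, as an added example that is not part of the original comment, the manifest spec, or any browser's code: a user agent's logic for deciding whether a navigation leaves the installed app's navigation scope and therefore needs UA-owned origin UI. The scope rule (same origin, target path is a string-prefix match of the scope path) is my reading of Section 4.1; the app origin, scope, and sample navigations are constructed.

```javascript
// Added example (not from the spec or any user agent). Scope matching is
// modelled as: same origin, and the target path starts with the scope path.
function isWithinScope(targetHref, scopeHref) {
  const target = new URL(targetHref);
  const scope = new URL(scopeHref);
  return target.origin === scope.origin &&
         target.pathname.startsWith(scope.pathname);
}

// What the UA must render for a navigation in a standalone display mode.
// Returns a plain object instead of touching UI so the decision is testable.
function navigationChrome(targetHref, scopeHref) {
  if (isWithinScope(targetHref, scopeHref)) {
    // In scope: the app owns every pixel, so no UA-drawn indicator exists.
    // (This is exactly the state in which a page could paint a fake one.)
    return { showOriginUi: false, origin: null };
  }
  // Out of scope: the UA reclaims space and shows at least the origin in
  // chrome the page cannot paint into.
  return { showOriginUi: true, origin: new URL(targetHref).origin };
}

// Constructed samples for an app installed with scope https://app.example/app/
const SCOPE = 'https://app.example/app/';
const SAMPLES = [
  'https://app.example/app/settings',         // in scope
  'https://app.example/legal/terms',          // same origin, out of scope
  'https://idp.example/oauth/authorize?x=1',  // cross-origin (OAuth redirect)
];

function classify(samples, scope) {
  return samples.map(href => ({ href, ...navigationChrome(href, scope) }));
}

// Caveat worth knowing: because the match is a string prefix, a scope
// without a trailing slash such as /app also covers /application/...,
// which is why scopes are normally written with the trailing slash.
console.log(classify(SAMPLES, SCOPE));
```

Only the cross-origin and the same-origin-but-off-path navigations trigger the origin UI; the in-scope one yields no UA chrome at all, which is the case the comment above is concerned with.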