- From: Kenneth Rohde Christiansen <notifications@github.com>
- Date: Thu, 06 Dec 2018 09:44:17 +0000 (UTC)
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/pull/748/review/182152709@github.com>
kenchris requested changes on this pull request.
> @@ -888,6 +888,19 @@ <h3 id="navigation-scope-security-considerations">
security reasons. It ensures that users are always aware of which
<a>origin</a> they are interacting with.
</p>
+ <p>
+ Despite this, there is still a potential spoofing risk, if an
+ installed app pretends to navigate to an out-of-scope site on another
+ <a>origin</a>. The site shows a fake version of the user agent's
+ prominent out-of-scope UI, indicating to the user that it is on
+ another origin, while in reality, the user has never navigated away
+ fom the installed app's origin, and the user agent is not showing any
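Review bot: "The site shows a fake version of the user agent's prominent out-of-scope UI" has an ambiguous antecedent; "the site" reads as the out-of-scope site named in the previous sentence, while the spoofing actor is the installed app's own in-scope page. Suggest "The installed app instead renders, inside its own content area, a fake version of the user agent's prominent out-of-scope UI", which also makes explicit where the spoofed UI is drawn.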
fom -> from
> @@ -888,6 +888,19 @@ <h3 id="navigation-scope-security-considerations">
security reasons. It ensures that users are always aware of which
<a>origin</a> they are interacting with.
</p>
+ <p>
+ Despite this, there is still a potential spoofing risk, if an
+ installed app pretends to navigate to an out-of-scope site on another
+ <a>origin</a>. The site shows a fake version of the user agent's
+ prominent out-of-scope UI, indicating to the user that it is on
+ another origin, while in reality, the user has never navigated away
+ fom the installed app's origin, and the user agent is not showing any
+ out-of-scope UI. User agents MAY wish to ensure that the out-of-scope
+ UI is not shown in a location that can be spoofed by the installed
+ app when the UI is not being shown, however, due to the nature of the
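Review bot: "User agents MAY wish to ensure" mixes an RFC 2119 keyword with a non-normative hedge, so it is unclear whether this is a requirement; prefer "User agents SHOULD ensure" (or plain "may wish to" if it is only advice). The mitigation itself is stated backwards and hard to parse ("is not shown in a location that can be spoofed ... when the UI is not being shown"); the intent on these lines appears to be that the out-of-scope UI is rendered somewhere the installed app cannot draw into, e.g. "that the out-of-scope UI is rendered in a region outside the installed app's content area, so that the app cannot imitate it when it is absent".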
punctuation before However, might make it easier to read
https://github.com/w3c/manifest/pull/748#pullrequestreview-182152709
Received on Thursday, 6 December 2018 09:44:41 UTC