- From: Marcos Cáceres <notifications@github.com>
- Date: Mon, 01 Jun 2020 01:00:20 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 1 June 2020 08:00:38 UTC
@marcoscaceres commented on this pull request.

> @@ -532,6 +532,19 @@ <h3 id="navigation-scope-security-considerations"> security reasons. It ensures that users are always aware of which <a>origin</a> they are interacting with. </p> + <p> + Despite this, there is still a potential spoofing risk, if an + installed app pretends to navigate to an out-of-scope site on another + <a>origin</a>. The site shows a fake version of the user agent's + prominent out-of-scope UI, indicating to the user that it is on + another origin. However, in reality, the user has never navigated + away from the installed app's origin, and the user agent is not + showing any out-of-scope UI. User agents MAY wish to ensure that the

To be clear, I think all we can do is really just point out that this can happen, but there is not much we can do about it.

Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/pull/748#discussion_r433094533
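
Review bot: The second sentence of the added paragraph switches actor from "an installed app" to "The site", which reads as though the out-of-scope site is the one drawing the fake UI. The following sentence says the user never left the installed app's origin, so "The app shows a fake version of the user agent's prominent out-of-scope UI" would keep the actor unambiguous. In the same sentence, "indicating to the user that it is on another origin" has an unclear referent for "it"; "that they are on another origin" avoids that. The last visible line, "User agents MAY wish to ensure that the", pairs the normative keyword MAY with "wish to"; "User agents MAY ensure" states the same permission without hedging it twice.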