Re: [w3c/manifest] Added security consideration advice for out-of-scope UI spoofing. (#748)

@kenchris commented on this pull request.



> @@ -532,6 +532,19 @@ <h3 id="navigation-scope-security-considerations">
           security reasons. It ensures that users are always aware of which
           <a>origin</a> they are interacting with.
         </p>
+        <p>
+          Despite this, there is still a potential spoofing risk, if an
+          installed app pretends to navigate to an out-of-scope site on another
+          <a>origin</a>. The site shows a fake version of the user agent's
+          prominent out-of-scope UI, indicating to the user that it is on
+          another origin, while in reality, the user has never navigated away
+          from the installed app's origin, and the user agent is not showing
+          any out-of-scope UI. User agents MAY wish to ensure that the
+          out-of-scope UI is not shown in a location that can be spoofed by the
+          installed app when the UI is not being shown. However, due to the
+          nature of the user agent's UI being minimal or non-existent for
+          installed apps, this may not be possible.
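Review bot: The sentence "User agents MAY wish to ensure that the out-of-scope UI is not shown in a location that can be spoofed by the installed app when the UI is not being shown" mixes the RFC 2119 keyword MAY with the non-normative "wish to", so it is unclear whether a conformance statement is intended; either drop the keyword ("User agents may wish to ensure…") or state a requirement ("User agents SHOULD ensure…"). The trailing clause "when the UI is not being shown" is also ambiguous, since it can be read as qualifying the spoofing rather than the location; rephrasing to "in a location that the installed app can draw into while that UI is hidden" would make the intent explicit.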

It could just change how the whole title bar looks... so it is part of that. But that will then be harder with the title bar customization.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/748#pullrequestreview-419034836

Received on Wednesday, 27 May 2020 09:53:03 UTC