Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

FWIW I believe this issue can in fact be addressed, though likely after CR as it requires adding new features to the specification and/or implementations of the specification.

Specifically:
1. Deep linking
2. More complex scope definition

This is a long time ago now, but in 2014 I carried out a [study](https://github.com/w3c/manifest/issues/114#issuecomment-62952898) of the Alexa Top 500 websites, Chrome Web Store and Firefox Marketplace.

We subsequently spent a lot of time [discussing](https://github.com/w3c/manifest/issues/114#issuecomment-63064364) potentially more sophisticated ways of defining the scope of an application, which I won't go into here in depth but which never quite reached a conclusion.

The way I believe this issue can be (mostly) fixed is:
1. A more sophisticated definition of scope with one or more lists of paths, including from different origins, and possibly differentiating between URLs that should be captured by the application context and URLs which should just stay in the application context if navigated from it
2. Have user agents fully support deep linking such that out-of-scope navigation from inside an application context *does* get kicked out to a new browsing context (or different application context), but in-scope navigation in a browsing context also gets captured by a corresponding application context
3. Keeping the current requirement of a rudimentary URL bar in the application contexts for some edge cases

The phishing risk can never be completely eliminated because a standalone app can always fake a third party login page from its own origin, but it can certainly be greatly reduced by having out-of-scope navigation happen entirely in the browser UI which has much more sophisticated protections in place.

I personally really dislike the current popover style solution for out-of-scope navigation and think a better user experience would ultimately be to kick all out-of-scope navigation out to the browser, but also have installed application contexts capture in-scope navigation from the browser.

https://github.com/w3c/manifest/issues/747#issuecomment-634775863
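As an added example, not code from the thread or from the manifest spec itself, the following JavaScript check is modelled on the manifest's scope rule (same origin as the scope URL plus a path-prefix match) and decides whether a navigation may stay in the app context or should be handed to the full browser UI; the `scope_extensions` list is a hypothetical field standing in for the multi-origin path lists proposed above, and the manifest and URLs are constructed for this example.

```javascript
// Constructed sample manifest. "scope_extensions" is a HYPOTHETICAL field
// sketching "one or more lists of paths, including from different origins";
// it is not part of the Web App Manifest specification.
const manifest = {
  start_url: "https://app.example/dashboard",
  scope: "https://app.example/",
  scope_extensions: ["https://api.example/app/"], // hypothetical
};

// Core rule modelled on the spec: the target must share the scope URL's origin
// (scheme, host and port) and its path must start with the scope path.
// Note the literal prefix match: a scope path of "/app" would also match
// "/application", so scopes are best written with a trailing slash.
function pathWithinScope(targetUrl, scopeUrl) {
  const target = new URL(targetUrl);
  const scope = new URL(scopeUrl);
  return (
    target.origin === scope.origin &&
    target.pathname.startsWith(scope.pathname)
  );
}

// true  -> navigation may render inside the application context
// false -> kick it out to a browsing context with the browser's own UI
//          (URL bar, TLS indicators, phishing warnings)
function navigationStaysInApp(targetUrl, m) {
  const scopes = [m.scope, ...(m.scope_extensions || [])];
  return scopes.some((s) => pathWithinScope(targetUrl, s));
}

// Classify a batch of navigations. The defender's concern is that a
// third-party login page never renders inside the chromeless app window.
function classifyNavigations(urls, m) {
  return urls.map((u) => ({ url: u, inApp: navigationStaysInApp(u, m) }));
}

// Constructed navigations an installed app might attempt.
const sampleNavigations = [
  "https://app.example/dashboard/settings?tab=1",
  "https://accounts.idp.example/login?next=app.example", // third-party login
  "https://api.example/app/token", // covered only by the hypothetical extension
  "http://app.example/dashboard", // scheme differs, so origin differs
  "https://app.example.evil.test/dashboard", // look-alike host
];

for (const r of classifyNavigations(sampleNavigations, manifest)) {
  console.log(r.inApp ? "stay in app :" : "to browser  :", r.url);
}
```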

Received on Wednesday, 27 May 2020 16:17:38 UTC