Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

> It sounds like your suggestion would remove the ability to display an off-scope page within the application context (except in "some edge cases"?). I agree that would solve the phishing risk, but at the cost of functionality that developers want (i.e., not kicking users out of their app). It would also break key workflows, such as authentication (maybe these are the edge cases you're talking about).

My suggestion is to define a more sophisticated mechanism for defining scope to enable both the main application scope (which would capture navigations from outside the application scope for deep linking purposes) and a `stay_in_app` scope (where a whitelist of scopes, including from different origins, would remain in the application context if navigated to from inside the application context). Names to be subject to extensive bikeshedding.

For example...

```
{
  "start_url": "https://calendar.google.com/calendar/r",
  "scope": {
    "capture": ["/calendar"],
    "stay_in_app": ["https://accounts.google.com"] 
  }
}
```

In the above example, accounts.google.com is whitelisted by the calendar application so doesn't kick the user out to the browser, but navigating to the rest of the web does. This strikes the balance between what developers want (not kicking the user out to the browser to authenticate) and what I believe many users want (doing their web browsing in their choice of fully featured web browser, rather than a dozen different apps with simplified read-only URL bars).

The edge cases I mentioned are more about whether off-origin navigations marked as `stay_in_app` may still want to display the origin to the user in some way as is currently done.

A more complex proposal included both whitelists and blacklists for defining scope, to exclude certain paths from the navigation scope. This is a simplified version of that.

https://github.com/w3c/manifest/issues/747#issuecomment-635239484

Received on Thursday, 28 May 2020 09:51:01 UTC
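
Added example, not part of the original message or of the manifest specification: a sketch of how a user agent could evaluate the `capture` / `stay_in_app` lists proposed above. The function names and return labels are hypothetical, and matching on exact origin plus a path-segment boundary (rather than a string prefix) is an assumption of this sketch, chosen so that look-alike hosts and paths do not inherit the application context.

```javascript
// Proposed (non-standard) manifest shape, copied from the message above.
const manifest = {
  start_url: "https://calendar.google.com/calendar/r",
  scope: {
    capture: ["/calendar"],
    stay_in_app: ["https://accounts.google.com"],
  },
};

// Hypothetical helper: resolve a scope entry against start_url, then compare
// the parsed origin and the path on a segment boundary. "/calendar" must not
// match "/calendar-evil", and "https://accounts.google.com" must not match
// "accounts.google.com.evil.example" or a userinfo trick such as
// "https://accounts.google.com@evil.example/".
function matchesScope(entry, target, base) {
  const scope = new URL(entry, base);
  if (scope.origin !== target.origin) return false;
  const prefix = scope.pathname.endsWith("/")
    ? scope.pathname
    : scope.pathname + "/";
  return target.pathname === scope.pathname || target.pathname.startsWith(prefix);
}

// Hypothetical classifier. fromApp is true when the navigation starts inside
// the application context. Returns one of:
//   "app"           - in the capture scope (also captures outside deep links)
//   "app-off-scope" - whitelisted in stay_in_app, only when leaving from the app
//   "browser"       - everything else goes to the user's browser
function classifyNavigation(m, url, fromApp) {
  let target;
  try {
    target = new URL(url);
  } catch {
    return "browser"; // an unparseable URL never gets the app context
  }
  const inList = (list) =>
    (list || []).some((entry) => matchesScope(entry, target, m.start_url));
  if (inList(m.scope.capture)) return "app";
  if (fromApp && inList(m.scope.stay_in_app)) return "app-off-scope";
  return "browser";
}
```

The `"app-off-scope"` result is kept distinct from `"app"` so that a user agent could still show the off-origin page's origin, the open question raised in the message.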