Re: [w3c/manifest] Security Risks in Web App Off-scope Navigation (#747)

OK that makes more sense. But would it still be possible for developers to ask for * (the whole URL space) to be `stay_in_app`? I think that's what a lot of apps are going to want (e.g., social media apps that want to open articles within the app, rather than going to a web browser).

> what I believe many users want (doing their web browsing in their choice of fully featured web browser, rather than a dozen different apps with simplified read-only URL bars)

I totally agree, as a user. I'm sick of apps keeping me in a tiny web browser within the app instead of opening my real browser. But, ultimately, I think we've struck the right balance between users and developers, because:

a) Developers have control over the default behaviour (i.e., the left click). If a developer wanted to keep you in the app, they could anyway by loading the page in an iframe. This just makes the experience more consistent, and gives the user better control (e.g., the user agent can always give the user controls to access the URL and ping out to a real browser),
b) Users have ultimate control. A middle-click or right-click-open-in-tab would open in a real browser. And the URL bar gives control.

I think we'd be going backwards if we prevented developers from being able to keep users inside the app by default.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/747#issuecomment-635245825

Received on Thursday, 28 May 2020 10:04:44 UTC