Re: [w3ctag/design-reviews] Window Controls Overlay for Installed Desktop Web Apps (#481)

@atanassov, impersonation of the browser is indeed a concern to be taken seriously.

In the issue mentioned above by @amandabaker, one suggested a frameless media feature that would allow total customization of window controls with HTML and CSS, while providing security enhancements.

In fact, impersonation of the browser can potentially be found in three browser features:

- Fullscreen Mode
- Picture-In-Picture for arbitrary content ([chromium feature](https://chromestatus.com/feature/4844605453369344))
- Window controls overlay (this proposal)

This indicates that it is not sufficient to rely on visual cues in the UI for security features. The thing to note is that a malicious website may not need to be pixel perfect to abuse users, as they primarily exploit their inattention. Therefore, a window controls overlay does not offer more security than custom window controls designed from scratch in HTML and CSS.

The main security issue is indeed the potential misuse of iframes and portals, allowing the impersonation of the browser by a malicious website acting as a middleman spying on the users. That's why one is suggesting several security features for the frameless media feature that one is suggesting:

**Security model for frameless media feature**

1. The frameless media feature would use the "[Trusted Web Activity](https://blog.chromium.org/2019/02/introducing-trusted-web-activity-for.html)" security model, and by default, it would disallow the use of third-party domains in iframes and web portals, making it impossible to impersonate the browser in a webpage. Third-party domains in iframes and portals could be allowed only when the hosting page is localhost.
2. At load time, the browser would check for the presence of the frameless media query in the active stylesheet as well as the visibility of the custom window controls in the DOM. If the controls are not available, the browser would fall back to the default browser display mode, or to the "[display-override](https://chromestatus.com/features/5728570678706176)" mode.

This way, the frameless webpage would not depend on the attention of the user to visual cues in the UI in order to be secure, and would prevent malicious websites from blocking the user in the page with no window controls.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/481#issuecomment-806446263

Received on Thursday, 25 March 2021 08:00:11 UTC
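
The two checks of the security model proposed in the comment above, sketched as an added example; it is not code from the original comment, from the proposal, or from any browser. Assumptions: every function and field name is hypothetical, "third-party" is modeled as "different origin", the sample pages are constructed, and the fallback is the first `display_override` entry or `browser`.

```javascript
// Hypothetical model of the proposed "frameless" load-time policy.

// An embed is third-party when its resolved origin differs from the page's.
// Unparseable and opaque-origin URLs (data:, about:) fail closed.
function isThirdParty(src, pageUrl) {
  try {
    return new URL(src, pageUrl).origin !== new URL(pageUrl).origin;
  } catch {
    return true;
  }
}

function resolveDisplayMode(page) {
  // Check 1: third-party iframes/portals are disallowed unless the
  // hosting page is localhost.
  const isLocalhost = new URL(page.url).hostname === "localhost";
  const blockedEmbeds = isLocalhost
    ? []
    : page.embeds.filter((src) => isThirdParty(src, page.url));

  // Check 2: the frameless media query must be in the active stylesheet
  // and the custom window controls must be visible in the DOM.
  const controlsOk = page.hasFramelessMediaQuery && page.windowControlsVisible;

  // Otherwise fall back, so the user is never left without window controls.
  const fallback = page.displayOverride?.[0] ?? "browser";
  return { mode: controlsOk ? "frameless" : fallback, blockedEmbeds };
}

// Constructed sample pages (not real sites).
const samplePages = {
  wellBehaved: {
    url: "https://app.example/", embeds: ["/help.html"],
    hasFramelessMediaQuery: true, windowControlsVisible: true,
  },
  middleman: {
    url: "https://lookalike.example/", embeds: ["https://bank.example/login"],
    hasFramelessMediaQuery: true, windowControlsVisible: true,
  },
  hiddenControls: {
    url: "https://trap.example/", embeds: [], displayOverride: ["minimal-ui"],
    hasFramelessMediaQuery: true, windowControlsVisible: false,
  },
  localDev: {
    url: "http://localhost:8080/", embeds: ["https://cdn.example/widget"],
    hasFramelessMediaQuery: true, windowControlsVisible: true,
  },
};
```
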