Re: [w3c/manifest] About update icon in web app manifest (Issue #1049) from Thomas Steiner on 2022-08-30 (public-webapps-github@w3.org from August 2022)

From: Thomas Steiner <notifications@github.com>
Date: Tue, 30 Aug 2022 02:53:59 -0700
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/issues/1049/1231437356@github.com>

There is no developer-facing permission or anything. All you have to do is update your Web App Manifest. The browser then decides how to present potential changes to the user and lets them approve the change. For example, in Chromium, this behavior is still being iterated on. Track https://crbug.com/926083 for updates.

The core threat is:
- The user installs a harmless PWA like, say, a Tetris game.
- The PWA, after a couple of days, replaces its icon and name with, say, "Chase Bank", and the [Chase icon](https://www.chase.com/etc/designs/chase-ux/favicon-152.png).
- The user opens the turned-evil "Tetris" app, thinking it is the Chase Bank" app.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/1049#issuecomment-1231437356
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/manifest/issues/1049/1231437356@github.com>

Received on Tuesday, 30 August 2022 09:54:11 UTC