Re: [w3ctag/design-reviews] TAG review for web app `scope_extensions` (Issue #875)

The [apple-app-site-association](https://developer.apple.com/documentation/xcode/supporting-associated-domains) file used by Universal Links references apps by an appID string of the format `<Application Identifier Prefix>.<Bundle Identifier>`. [1] I don't see usage of a cryptographic hash. Please correct me here if I'm missing something. 

assetlinks.json, used by Android App Links, refers to apps by an app id and SHA256 fingerprints of the app's signing certificate. [2] 

Use of a [unique app id](https://github.com/philloooo/pwa-unique-id/blob/main/explainer.md) [3] should be sufficient evidence that the added origins are agreeing to being embedded in that uniquely identified web app. In the scenario where the app is signed or delivered as an immutable package, use of a cryptographic hash would be useful to further specify that the association is only valid when the app is unchanged. Being able to specify that the app remain unchanged doesn't seem like a useful feature for web apps with frequently changing content served through the web. 

One scenario we should consider: if the web app is taken over by another party which does not have access to the original signing certificate, they would be unable to change the app *and* produce cryptographic evidence matching the original - thus the origin association would become invalid. 

The dominant method of delivery of web apps is over the web and managed by a browser without signing or packaging/bundling. Referencing web apps by unique app id is an acceptable solution that doesn't significantly complicate the steps developers need to take to set up the association. 

To mitigate the app takeover issue (where app/app host ownership changes), we recommend that the web app and associated origins are owned and controlled by the same entity. Failing that, both the app and associated origins are advised to monitor ownership and condition of their counterparty.

[1] https://developer.apple.com/documentation/xcode/supporting-associated-domains
[2] https://developer.android.com/training/app-links/verify-android-applinks
[3] https://github.com/philloooo/pwa-unique-id/blob/main/explainer.md#requirements

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-1756356220

Message ID: <w3ctag/design-reviews/issues/875/1756356220@github.com>

Received on Tuesday, 10 October 2023 22:30:15 UTC
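
The takeover scenario discussed in the comment above, as an added example that is not part of the original message or of any project it mentions: a fingerprint-pinned association stops validating once the app is signed with a different certificate, while an id-only association keeps validating. The `assetlinks.json` fields follow Android's Digital Asset Links layout; the id-only file layout (`associated_apps`), the function names, and the certificate byte strings are assumptions constructed for illustration.

```python
import hashlib
import json

# Constructed stand-ins for DER-encoded signing certificates.
ORIGINAL_CERT = b"constructed-cert-original-owner"
NEW_OWNER_CERT = b"constructed-cert-new-owner"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed assetlinks.json content pinning the original certificate.
ASSETLINKS = json.dumps([{
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.app",
        "sha256_cert_fingerprints": [cert_fingerprint(ORIGINAL_CERT)],
    },
}])

# Hypothetical id-only association file (layout assumed, not a spec format).
ID_ONLY = json.dumps({"associated_apps": [{"id": "https://app.example/"}]})


def fingerprint_association_valid(doc: str, package: str, cert_der: bytes) -> bool:
    """True only if the package name matches AND the signing cert is pinned."""
    fp = cert_fingerprint(cert_der)
    for stmt in json.loads(doc):
        target = stmt.get("target", {})
        pinned = {f.upper() for f in target.get("sha256_cert_fingerprints", [])}
        if (target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and fp in pinned):
            return True
    return False


def id_association_valid(doc: str, app_id: str) -> bool:
    """True if the app id is listed; says nothing about who serves the app."""
    entries = json.loads(doc).get("associated_apps", [])
    return any(e.get("id") == app_id for e in entries)
```
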