Re: [w3ctag/design-reviews] TAG review for web app `scope_extensions` (Issue #875)

@torgo Discussed with @diekus and below are our thoughts. I'll organize the important parts and add to the explainer. Thanks for your feedback. 

* Storage and permissions models are unaffected by this proposal and should remain so. 
* In Chromium, there are 2 behaviors we are working on in the near term that will be able to influenced by scope_extensions. These are essentially UX treatments. 
   * Web app windows will not display out-of-scope UI when navigating within extended scope
   * Links to extended scope can cause the app window to launch

To prevent spoofing attacks, the implementation in Chromium will flash the web origin of the content in the window title bar after every top level navigation. The origin information will also be visible in the app's main menu. 

If the user is tricked into visiting or installing a malicious app that is spoofing my bank
* they can already do this without scope_extensions
* if the malicious app includes my bank's origin in scope_extensions but my bank does not validate the association, my bank's content will appear with out-of-scope UI, and won't share any storage or permissions regardless. This is no different that if the malicious app simple redirected to my bank's site. 

JavaScript events and queue data such as launchParams should not be shared with origins in extended scope.

To use scope_extensions, the owner of the app should either also directly own/control the listed origins in scope_extensions or monitor them closely if working by agreement with parties that own them. 

Browser security tools such as Microsoft Defender SmartScreen should still identify unsafe origins that are navigated to from the app window. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-1740122112
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/875/1740122112@github.com>