- From: Lu <notifications@github.com>
- Date: Thu, 25 Jan 2024 17:15:02 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 26 January 2024 01:15:09 UTC
Is the concern that https://siteb.com can spoof https://sitea.com by using the same app id? App IDs as described [here](https://github.com/philloooo/pwa-unique-id/blob/main/explainer.md) and implemented in Chromium on desktop platforms are tied to app origin.

* Web apps are served over https to be installable.
* App ID is a function of the start_url origin, which must be the same origin as the document pointing to the web app manifest.

For an app from https://site-a.com to be installed with the same App ID as https://site-b.com, it would need to appear to the UA to have originated from https://site-b.com.

Another possibility is that https://site-a.com changes ownership without the participating content origin's owner noticing.

I think it's possible for 2 separate apps from the same origin to claim the same app ID (start_url origin + specified ID) but we can understand this to mean there is only 1 app. Only one should be installable at a time.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-1911254965

You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/875/1911254965@github.com>
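The origin binding described in the message above, as an added example that is not part of the original message and is not Chromium's code. The function name `resolveAppId` and the `.example` hosts are hypothetical; the fallback to `start_url` for a cross-origin `id` follows the Web App Manifest's id processing as an assumption, and the https check ignores the localhost exception.

```javascript
// Added illustration: app identity = start_url origin + specified id.
// resolveAppId is a hypothetical name; sample URLs are constructed.
function resolveAppId(documentUrl, manifest) {
  const doc = new URL(documentUrl);
  if (doc.protocol !== 'https:') {
    return { installable: false, reason: 'not served over https' };
  }
  let startUrl;
  try {
    // start_url defaults to the document URL and resolves relative to it
    // (simplification: the spec resolves it against the manifest URL).
    startUrl = new URL(manifest.start_url ?? doc.href, doc.href);
  } catch {
    return { installable: false, reason: 'invalid start_url' };
  }
  // The document pointing at the manifest must share the start_url origin.
  if (startUrl.origin !== doc.origin) {
    return { installable: false, reason: 'start_url is cross-origin' };
  }
  // Default identity is start_url; a specified id is resolved against the
  // start_url origin and ignored if it lands on any other origin.
  let identity = startUrl;
  if (typeof manifest.id === 'string' && manifest.id !== '') {
    try {
      const candidate = new URL(manifest.id, startUrl.origin);
      if (candidate.origin === startUrl.origin) identity = candidate;
    } catch {
      // unparsable id: keep the start_url default
    }
  }
  const appId = new URL(identity.href);
  appId.hash = ''; // fragments do not distinguish apps
  return { installable: true, appId: appId.href };
}

// Constructed cases: the same id string on two origins gives two app IDs,
// and an absolute id naming another origin is not honoured.
const cases = [
  ['https://site-a.example/', { start_url: '/app/', id: '/shop' }],
  ['https://site-b.example/', { start_url: '/app/', id: '/shop' }],
  ['https://site-b.example/', { start_url: '/app/', id: 'https://site-a.example/shop' }],
  ['https://site-b.example/', { start_url: 'https://site-a.example/app/', id: '/shop' }],
  ['https://site-a.example/', { start_url: '/other/', id: '/shop' }],
];
for (const [doc, manifest] of cases) {
  console.log(doc, JSON.stringify(manifest), '->', JSON.stringify(resolveAppId(doc, manifest)));
}
```

The first and last cases are two manifests on one origin that resolve to the same app ID, which is the "only 1 app" situation the message describes.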