Re: RFC: Site Affiliation from Jochen Eisinger on 2017-04-21 (public-webappsec@w3.org from April 2017)

From: Jochen Eisinger <eisinger@google.com>
Date: Fri, 21 Apr 2017 17:57:24 +0000
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, John Wilander <wilander@apple.com>
Message-ID: <CALjhuicYX+iCG7bCO_p3hMj1kJ8RY9Q5B50hxGUyuZTTWWjK=A@mail.gmail.com>

Right, all involved sites would have to agree on the exact set of involved
sites.

On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger <eisinger@google.com>
> wrote:
>
>> Android allows for associating an app with one or more sites[1], and so
>> does iOS[2].
>>
>  [...]
>>
>
>> Adding this information to the web manifest, or as part of an origin
>> policy comes to mind.
>>
>
> If it's not a mutual opt-in by all sites involved then we're opening a
> huge hole. Asking the user isn't enough because users are easily fooled.
>
> -
> Dan Veditz
>
>

Received on Friday, 21 April 2017 17:58:14 UTC