Security considerations of TitleBarCustomization #229

Closed
camillelamy opened this issue Mar 13, 2020 · 6 comments
@camillelamy

Hi,

As part of our new Chrome process to review blink intents and TAG reviews for security and privacy considerations, we have some security concerns regarding this explainer:
TitleBarCustomization

In particular, the explainer mentions the risks of spoofing and it's not clear to us how this risk would be mitigated.

Thanks!

@amandabaker
Member

Direct link to Security section for convenience.

Currently PWAs show the origin text to ensure that users get the opportunity to verify that the origin matches their expectations for the app that they are opening. We plan to keep this as part of the caption/window controls overlay.

In an RTL configured browser, we will ensure that there is sufficient padding to the right of the origin text so that the web content cannot spoof the origin by visually appending it with a recognized origin, creating the appearance of a trusted origin.

That said, what are the specific concerns? Is it that after the origin text is hidden, a malicious PWA could place a spoofed origin in that place? Is it an issue with the RTL situation mentioned above? Or something else entirely?

@kenchris
Contributor

Couldn't an app mimic the whole UI of Edge or Chrome, including a semi-working address bar where it will show a real trusted URL? It might not be possible to mimic that 100%, but surely close enough that some will fall for it.

There probably needs to be some warning to the user if the UI in the title bar area changes radically, over say a reload.

@aarongustafson
Member

> Couldn't an app mimic the whole UI of Edge or Chrome, including a semi-working address bar where it will show a real trusted URL? It might not be possible to mimic that 100%, but surely close enough that some will fall for it.

I agree this could be an issue, but it’s an issue that also exists with standalone, right?

@kenchris
Contributor

Less so, as the toolbar will always look different from that of Chrome/Edge.

This was also a big concern with requestFullscreen which is why it normally shows an overlay indicating that the app entered fullscreen.

Anyway, some discussion around this in the explainer would be nice.

@amandabaker
Member

@kenchris The browser wouldn't be able to mimic the whole UI of Edge or Chrome since there are components in the overlay that do not exist in the browser chrome:

  • Web app menu button (always visible)
  • Origin text (transient, visible at launch)

Also, how is this different from the fullscreen display mode on mobile which can mimic both the system status bar of the device and the browser chrome?

@amandabaker
Member

Transferring conversation to new repo: WICG/window-controls-overlay#5
