[Web Install] Cross-origin installation phishing risk #774
Comments
That's a valid issue; I think the API should make it clearer to the user which website it is installing from and be better at asking for permissions, for example:
Also, this already prevents spam. Besides that, users in the future will probably mostly use trusted PWA app stores, which should implement checks against phishing such as checking whether there are duplicate apps with the same name/logo on the app store, having a list of verified domain names for popular websites, and having a "report" functionality where users can report phishing and other problems.
(Issue raised by Nick Doty during W3C Breakout)
What is preventing an unvetted web app store from listing a malicious app for cross-origin installation that assumes the identity of a well-known app (gmail_s_.com)? What can the API do to mitigate opening up the surface for phishing attacks and preserve the security model of the web?