Post AXwZlAQWT7a94qLSsa by ondra@social.unextro.net
Post #AXv8ZEGdTKdbaoqN7o by diekus@toot.cafe
       2023-07-21T12:45:23Z
       
       0 likes, 0 repeats
       
       I'm quite excited to finally show something I've been working on. It's time to make distribution of apps (*whatever* you call them... PWAs, web apps) easier, *standard*, and integrated into the platform. I'd appreciate feedback on the Web Install API 🌐https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/WebInstall/explainer.md
       
Post #AXv8ZFCQ0UrIU1sWBs by ondra@social.unextro.net
       2023-07-21T13:36:33Z
       
       0 likes, 0 repeats
       
       @diekus Interesting proposal! I'm wondering how to prevent the kind of abuse that led to the removal of inline installation of Chrome extensions*, for example. I have yet to read the proposal thoroughly but haven't seen the abuse discussed in there?
       
       * https://blog.chromium.org/2018/06/improving-extension-transparency-for.html
       
Post #AXvAQ430IeJTCNE1Ng by diekus@toot.cafe
       2023-07-21T13:57:19Z
       
       0 likes, 0 repeats
       
       @ondra I do not have context of what those abuses looked like, but we're introducing 4 different security mechanisms that a site & app would have to jump through to spam or install. "**The user gesture, the new origin permission, the new manifest field and the final installation confirmation (current default behaviour in the browser before installing an app) work together to minimize the risk of origins spamming the user for unrequested installations**".
       
Post #AXvC6APV8JA937O7UG by diekus@toot.cafe
       2023-07-21T13:57:46Z
       
       0 likes, 0 repeats
       
       @ondra If you have any additional context about those abuses for extensions on Chrome I'm all ears.
       
Post #AXvC6BBMGNRZRXmL56 by ondra@social.unextro.net
       2023-07-21T14:16:09Z
       
       0 likes, 0 repeats
       
       @diekus Unfortunately, I don't have more information. Maybe @dotproto would know more? But I can imagine that it was possible to mislead people into installing a malicious extension by pretending it was necessary to proceed with some unrelated action. As the installation lacked most of the context otherwise available on the store (ratings, publisher etc.), people proceeded...
       
Post #AXvCEHj3omgM3RPLJA by ondra@social.unextro.net
       2023-07-21T14:17:37Z
       
       0 likes, 0 repeats
       
       @diekus If I create a blog post with the top 5 sidebar Edge extensions and one of them were my malicious LinkedIn on app.lnkd.tld, the reader would have to decide based on the information provided in the installation UI, I suppose? Mainly the domain from the install URL.
       
Post #AXvdDqGgbPxJet9JDc by dotproto@toot.cafe
       2023-07-21T19:20:00Z
       
       0 likes, 0 repeats
       
       @ondra @diekus that CWS change predated my time with Chrome, so I don't have full context. ATM I'm not terribly confident in my own recollection. Maybe @jschuh can share more?
       
Post #AXwZlAQWT7a94qLSsa by ondra@social.unextro.net
       2023-07-22T06:15:50Z
       
       0 likes, 0 repeats
       
       @jschuh @diekus There are already some privileges granted only to installed apps (hiding the address bar, share target etc.). The typical PWA installation flow assumes the user is already familiar with the web app, but this proposal changes that, and the installation UI will need to surface relevant trust signals. If a user misses the installation URL during that, they might never see it again, for example. @dotproto
       
Post #AXwZnEjPR2kF0UAM5Y by ondra@social.unextro.net
       2023-07-22T06:16:23Z
       
       0 likes, 0 repeats
       
       @jschuh @diekus One danger is that apps with a high risk of being phishing targets (e.g. banking, social networks, package delivery) would prevent installation from any other sources as a precaution. The worst outcome would then be that browsers would ship with a predefined set of trusted install source(s) (default app store), in a way replicating the current situation around allowing alternative mobile OS app stores, which had to be enforced legislatively after years' worth of harm. @dotproto
       
Post #AXxAm2Htua9yQaad8K by ondra@social.unextro.net
       2023-07-22T13:10:43Z
       
       0 likes, 0 repeats
       
       @jschuh I'm well aware of your far superior knowledge in this space, believe me. :) I was just trying to add my two cents and thought that the current and potential future privileges might still be worth a try for malicious actors, and the inline installation was the one example I'm familiar with. I don't see how users will be able to verify that the app being installed is the one the page claims is going to be installed. But it seems that people who know better don't share my worries. @diekus @dotproto