[Web Install] Cross-origin installation phishing risk

[akyereboah]

(Issue raised by Nick Doty during W3C Breakout)

What is preventing an unvetted web app store from listing a malicious app for cross-origin installation that assumes the identity of a well-known app (gmail_s_.com)? What can the API do to mitigate opening up the surface for phishing attacks and preserve the security model of the web?

[el1s7]

That's a valid issue, I think the API should make it more clear to the user from which website it is installing from and be better at asking permissions, for example:

• The browser should ask the user everytime when installing an app from the PWA appstore:

Do you want to install [App Name] from https://gmail_s_.com?
No	Yes

Also, this already prevents spam. The install_sources limitation (#754) is not really neccessary. A nefarious website cannot spam install multiple apps without the user specifically approving every single one, and they cannot spoof the URL from where an app is being installed from.

Besides that, users in the future will probably mostly use trusted PWA appstores which should implement checks against phishing such as checking if there are duplicate apps with same name/logo on the appstore, having a list of verified domain names for popular websites, and having a "report" functionality where users can report phishing and other problems.

[diekus]

The latest design scraps install_sources and requires a permission for an origin to be able to install apps, as well as new UX in background document installs that will state which origin is installing an app. Very similar to the prompt in the previous comment, I do believe it is mandatory that the UA shows the origin that invokes and the target app (and publisher) that is being asked to be installed.