Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can getInstalledRelatedApps be made to work in an iframe? #11

Open
bluepnume opened this issue Sep 28, 2019 · 4 comments
Open

Can getInstalledRelatedApps be made to work in an iframe? #11

bluepnume opened this issue Sep 28, 2019 · 4 comments

Comments

@bluepnume
Copy link

@bluepnume bluepnume commented Sep 28, 2019

At PayPal we have a use-case where we'd love to be able to launch our native app from our payment button, which currently lives in an iframe.

Being able to detect if the app is installed from our iframe would be greatly beneficial. But right now we get:

getInstalledRelatedApps() is only supported in top-level browsing contexts.

Can you consider allowing this? Or maybe adding an iframe flag to enable it, like there is for PaymentRequest with allowpaymentrequest?

Thanks!

@bluepnume bluepnume changed the title Can this be made to work in an iframe? Can getInstalledRelatedApps be made to work in an iframe? Sep 28, 2019
@rayankans

This comment has been minimized.

Copy link
Collaborator

@rayankans rayankans commented Oct 15, 2019

I can't think of any privacy/security reasons why that shouldn't be possible.

It seems that WebAppManifests can only be fetched for the top-level context though link.

@mgiuca, is there a reason why that was enforced, or can the algorithm be modified to take a context parameter?

@mgiuca

This comment has been minimized.

Copy link
Member

@mgiuca mgiuca commented Oct 17, 2019

I think that restriction was already in place when I took over.

I think in general the API was designed to be extremely conservative with what it allows, since it's essentially punching a (tiny) hole out of the web sandbox and providing info about the OS. We want to expose as little information as necessary, in as limited as possible contexts.

Allowing this inside an iframe: I don't know of a specific "attack vector" that would compromise privacy and/or security, but it's a bit scary to extend the API from "any site you visit can find out whether it has its native app installed" to "any site embedded in a site you visit can find out whether it has its native app installed", for example, allowing certain commonly embedded sites to access this information all the time as the user browses around the web.

I think it's sensible for this to be off by default, and to have a separate conversation about privacy if we want to enable this. I'm not qualified to comment on it.

@bluepnume

This comment has been minimized.

Copy link
Author

@bluepnume bluepnume commented Oct 23, 2019

Those are all very fair points 👍 please let me know if there's anything I can help clarify about our particular use-case, if that's helpful. In our case, this is less for tracking purposes, and more to decide "can we launch our checkout flow in our native app, or do we need to fall back to web". But I understand the general tracking concerns you have.

@yoavweiss

This comment has been minimized.

Copy link

@yoavweiss yoavweiss commented Nov 28, 2019

I'd be wary of allowing 3rd party iframes from having access to which apps are installed on my phone, as that can create less-than-ideal scenarios. For examples, many apps can associate themselves with adprovider.example (for a fee) which will give AdProvider's 3P iframes access to a lot of private information about the user (e.g. which appliances they purchased and installed an app for), as well as fingerprinting information persistent across top-level origins.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.