On Sunday, August 5, 2012 10:30:06 PM UTC-7, Lucas Adamski wrote: > Looking for feedback regarding > https://bugzilla.mozilla.org/show_bug.cgi?id=773060 > > > > The gist of the issue is that you could click on a link to non-app content > inside of a privileged or certified app that would navigate the top level > window outside of the app. Once outside the app, the user has no way of > knowing they are no longer interacting with the privileged app, and no way of > getting back. IMO this is bad for a few reasons: > > > > a) greater risk for phishing and other user confusion attacks - the user has > not concept they are no longer interacting with the app, and every indicator > would reassure them they are still in the app (click on home button or task > list, select the app, and you're back in the fake app UI). > > > > b) terrible user experience - the user has no way of getting back to the app > they came from without pulling up the task bar, killing the app, then > restarting it > > > > c) its a developer foot-gun. Developers would have to sanitize all content > they display to rewrite all links (to disable or intercept), otherwise one > stray link breaks the user experience. Other mobile platforms don't have > this problem. > > > > The mitigation I recommend would be to disable navigation of top level window > to non-app content, and instead show those links in an external browser or a > browser overlay (with a URL bar and close button that takes you back to the > app). There are probably other ways of solving this problem too, but the > properties key of a solution are that the user has some hint as to what they > are actually interacting with, and the developer keeps his toes. > > Lucas.
Hi Lucas, Responses below: (a) I think will be solved by https://github.com/mozilla-b2g/gaia/issues/2831. Desktop has already implemented this. Android is currently working on support for that as well. (b) Back in the day in desktop discussions, I think the conclusion we came to is that falls on the fault of the web developer if they make this mistake, not us. Also - A while back when we implemented a rule in desktop saying that "all links that go outside of the app origin content go to the browser" we received backlash from some of the app developers, as they wanted to be able to use off-origin authentication in their web application. So I guess I have this question - Can a web developer make use of off-origin authentication (e.g. google accounts, mozilla persona) in a packaged application? Or generally - would there ever be a need to support off-origin content within a web app such as auth mentioned before? One last note - In desktop/android (soon with Firefox OS support) as well we go to the browser with general untrusted web apps when a target=blank is clicked. Does that rule apply to packaged apps as well? Sincerely, Jason Smith _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
