MSEdgeExplainers
MSEdgeExplainers copied to clipboard
[Web Install] Cross-origin installation phishing risk
(Issue raised by Nick Doty during W3C Breakout)
What is preventing an unvetted web app store from listing a malicious app for cross-origin installation that assumes the identity of a well-known app (gmail_s_.com)? What can the API do to mitigate opening up the surface for phishing attacks and preserve the security model of the web?