[Web Install] Cross-origin installation phishing risk

[akyereboah]

(Issue raised by Nick Doty during W3C Breakout)

What is preventing an unvetted web app store from listing a malicious app for cross-origin installation that assumes the identity of a well-known app (gmail_s_.com)? What can the API do to mitigate opening up the surface for phishing attacks and preserve the security model of the web?