get-installed-related-apps icon indicating copy to clipboard operation
get-installed-related-apps copied to clipboard

Published 20 hours ago verified publisher icon WICG

Can getInstalledRelatedApps be made to work in an iframe?

Open bluepnume opened this issue 5 years ago • 6 comments

At PayPal we have a use-case where we'd love to be able to launch our native app from our payment button, which currently lives in an iframe.

Being able to detect if the app is installed from our iframe would be greatly beneficial. But right now we get:

getInstalledRelatedApps() is only supported in top-level browsing contexts.

Can you consider allowing this? Or maybe adding an iframe flag to enable it, like there is for PaymentRequest with allowpaymentrequest?

Thanks!

bluepnume avatar Sep 28 '19 18:09 bluepnume

I can't think of any privacy/security reasons why that shouldn't be possible.

It seems that WebAppManifests can only be fetched for the top-level context though link.

@mgiuca, is there a reason why that was enforced, or can the algorithm be modified to take a context parameter?

rayankans avatar Oct 15 '19 11:10 rayankans

I think that restriction was already in place when I took over.

I think in general the API was designed to be extremely conservative with what it allows, since it's essentially punching a (tiny) hole out of the web sandbox and providing info about the OS. We want to expose as little information as necessary, in as limited as possible contexts.

Allowing this inside an iframe: I don't know of a specific "attack vector" that would compromise privacy and/or security, but it's a bit scary to extend the API from "any site you visit can find out whether it has its native app installed" to "any site embedded in a site you visit can find out whether it has its native app installed", for example, allowing certain commonly embedded sites to access this information all the time as the user browses around the web.

I think it's sensible for this to be off by default, and to have a separate conversation about privacy if we want to enable this. I'm not qualified to comment on it.

mgiuca avatar Oct 17 '19 01:10 mgiuca

Those are all very fair points 👍 please let me know if there's anything I can help clarify about our particular use-case, if that's helpful. In our case, this is less for tracking purposes, and more to decide "can we launch our checkout flow in our native app, or do we need to fall back to web". But I understand the general tracking concerns you have.

bluepnume avatar Oct 23 '19 18:10 bluepnume

I'd be wary of allowing 3rd party iframes from having access to which apps are installed on my phone, as that can create less-than-ideal scenarios. For examples, many apps can associate themselves with adprovider.example (for a fee) which will give AdProvider's 3P iframes access to a lot of private information about the user (e.g. which appliances they purchased and installed an app for), as well as fingerprinting information persistent across top-level origins.

yoavweiss avatar Nov 28 '19 14:11 yoavweiss

Hi all, have there been any more thoughts or updates on this one? Specifically for apps hoping to run getInstalledRelatedApps from iframes for non-tracking purposes?

bluepnume avatar Dec 08 '20 02:12 bluepnume

Hi, there haven't been any updates yet. This is currently blocked on #17 and the concerns raised in @yoavweiss' comment.

rayankans avatar Dec 08 '20 15:12 rayankans