MicrosoftEdge / MSEdgeExplainers

Home for explainer documents originated by the Microsoft Edge team
Creative Commons Attribution 4.0 International

[Web Install] `navigator.isInstalled(url)` #681

Closed: diekus closed this 10 months ago

diekus commented 1 year ago

If there is an `inquire` field in the manifest file's `install_sources`, there should be a method that allows an origin to query this information. Would a `navigator.isInstalled(url)` method be a good way of querying this, ONLY if the origin is allowed to do so as stated in the PWA's manifest file?

https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/WebInstall/explainer.md#privacy-and-security-considerations

cc @amandabaker @HowardWolosky @dmurph

dmurph commented 1 year ago

That seems fine; however, I would change `url` to `manifest_id`.

jonathanKingston commented 11 months ago

The issue here is a 'store' would be able to uniquely fingerprint a user by querying for a bunch of permissive apps; I don't think rate limiting is an adequate protection against it either.

'store' really could be any website on the web, and we then have a cross-site signal that can't easily be cleared by the user (nor would it be obvious that it's a tracking vector).

I think there are three use-cases here:

1. App stores
   - I think this could be resolved by asking users if they want an app store, perhaps? (Browsers could pre-bake in their own preferred store.)
2. Websites owned by the app
   - This seems like the 'Related Website Sets' problem on a slightly smaller scale.
   - I think this is a complex problem, as differing parties could collude and track users unknowingly.
   - I would suggest changing the wording to allow for the UA to decide if the site can query, and then lean on the other work to answer if we can resolve that privacy concern (most browsers currently oppose, though).
3. Websites wanting to enhance behaviours if an app is installed (Click to Zoom etc.)
   - Could this be addressed by the Web Share API?

> An open question is to reverse this default during dev/origin trial to experiment what is the best course of action while the feature gets traction among developers.

I think this line should be removed; you'd be allowing all websites to query all installed apps, even outside of cases where they're colluding to track users.

> If the browser has an active 'Do Not Track' setting, the inquire field is ignored and installation origins will not be allowed to know if that application is installed.

I think this probably could be broadened to suggest the UA can decide when to honour it (e.g. DNT, GPC, private browsing mode, or privacy-opinionated browsers).

diekus commented 10 months ago

@jonathanKingston the shape of the API removes the `isInstalled` method. The new proposal has a `getRelatedApps` method that returns apps installed from the installation domain. This is not persistent over cache clearing and behaves similarly to the partitioning proposal for visited-links history.
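To make the privacy argument in this thread concrete, here is an added JavaScript model of the user-agent-side policy the last two comments describe. It is not code from the Web Install explainer or from anyone in the thread; the install-record shape, the `uaDeclines` signals and the function names are hypothetical, and the installed apps are constructed sample data.

```javascript
// Constructed sample install records (hypothetical shape). installOrigin is the
// site that triggered the install; inquire mirrors the manifest's install_sources flag.
const INSTALLED = [
  { manifestId: "https://maps.example/app", installOrigin: "https://maps.example",  inquire: true },
  { manifestId: "https://video.example/",   installOrigin: "https://store.example", inquire: true },
  { manifestId: "https://notes.example/",   installOrigin: "https://store.example", inquire: false },
  { manifestId: "https://chat.example/",    installOrigin: "https://chat.example",  inquire: true },
];

// Browser-level signals on which the UA may decline to answer at all
// (the broadening suggested above: DNT, GPC, private browsing).
function uaDeclines(state) {
  return Boolean(state.doNotTrack || state.globalPrivacyControl || state.privateBrowsing);
}

// Model of getRelatedApps: the caller learns only about apps that were
// installed from its own origin AND whose manifest opted in to being queried.
function getRelatedApps(callerOrigin, state, installed = INSTALLED) {
  if (uaDeclines(state)) return [];
  return installed
    .filter(a => a.installOrigin === callerOrigin && a.inquire)
    .map(a => a.manifestId);
}

// Fingerprint surface: how many one-bit answers an origin could collect.
// "global" is what an unpartitioned isInstalled(id) would expose to any site;
// "partitioned" is what getRelatedApps leaves for this caller.
function queryableBits(callerOrigin, installed = INSTALLED) {
  const partitioned = installed.filter(a => a.installOrigin === callerOrigin && a.inquire).length;
  const global = installed.filter(a => a.inquire).length;
  return { partitioned, global };
}

// Clearing site data for an origin forgets the install association, so the
// signal does not outlive the user's clearing action (returns a new list).
function clearSiteData(origin, installed = INSTALLED) {
  return installed.filter(a => a.installOrigin !== origin);
}
```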