search

MicrosoftEdge / MSEdgeExplainers

Home for explainer documents originated by the Microsoft Edge team
Creative Commons Attribution 4.0 International
1.28k stars 199 forks source link

[Web Install] Options for declaring `install_source`s #785

Open amandabaker opened 2 months ago

amandabaker commented 2 months ago

We've been discussing changing the shape of install sources to support blocking specific origins. Below is a comparison of the current proposal against 3 new options.

Current proposal

Allow specific sources and block all others, or allow all. Does not permit denying only a subset of origins to install an app.

// 1. Allow all x-origin installs:
"allow_all_install_sources": true,

// 2. Block all x-origin installs:
"allow_all_install_sources": false,

// 3. Allow some x-origin installs:
"install_sources": [ 
  {"origin": "appstore.com"},
  {"origin": "differentappstore.com"}
],
"allow_all_install_sources": false,

New Options

The following options enable all the following scenarios:

  1. allow all x-origin installs for a web app
  2. deny all x-origin installs for a web app
  3. allow only a subset of origins to install an app
  4. deny only a subset of origins to install an app

Option 1

Use a single install_sources array to capture both allowed and blocked install sources.

// 1. Allow all x-origin installs:
"allow_all_install_sources": true,

// 2. Block all x-origin installs:
"allow_all_install_sources": false,

// 3. Allow some x-origin installs with the "allow" action:
"install_sources": [ 
  { "origin": "appstore.com", "action": "allow" },
  { "origin": "differentappstore.com", "action": "allow" }
],
"allow_all_install_sources": false,

// 4. Block some x-origin installs with the "deny" action:
"install_sources": [ 
  { "origin": "appstore.com", "action": "deny" },
  { "origin": "differentappstore.com", "action": "deny" }
],
"allow_all_install_sources": true

Option 2

Use separate allowed_install_sources and blocked_install_sources arrays:

// 1. Allow all x-origin installs:
"allow_all_install_sources": true,

// 2. Block all x-origin installs:
"allow_all_install_sources": false,

// 3. Allow some x-origin installs:
"allowed_install_sources": [
  "appstore.com",
  "differentappstore.com"
],
"allow_all_install_sources": false,

// 4. Or block some x-origin installs:
"blocked_install_sources": [
  "appstore.com",
  "differentappstore.com"
],
"allow_all_install_sources": true

Option 3

Use a single install_sources member to capture all the web install related info:

// 1. Allow all x-origin installs:
"install_sources": {
  "allow_all_sources": true,
}

// 2. Block all x-origin installs:
"install_sources": {
  "allow_all_sources": false,
}

// 3. Allow some x-origin installs:
"install_sources": {
  "action": "allow",
  "sources": [
    "appstore.com",
    "differentappstore.com"
  ],
  "allow_all_sources": false
}

// 4. Or block some x-origin installs:
"install_sources": {
  "action": "deny",
  "sources": [
    "appstore.com",
    "differentappstore.com"
  ],
  "allow_all_sources": true
}

cc @diekus @HowardWolosky @Kbhlee2121