aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Add security consideration discouraging use of this spec in SPAs #36

Closed aaronpk closed 10 months ago

aaronpk commented 11 months ago

tbd: "Due to the inability to securely attest to the first-partyness of a browser based application, it is NOT RECOMMENDED to use this application in a browser-based application."

dteleguin commented 10 months ago

Thinking out loud, would the hypothetical "SPA attestation" be possible in principle / make sense at all?

aaronpk commented 10 months ago

> Thinking out loud, would the hypothetical "SPA attestation" be possible in principle / make sense at all?

Yes, Chrome has a proposal for the "Web Integrity API", but it has received a lot of pushback:

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

Safari already shipped Private Access Tokens which are similar:

https://developer.apple.com/news/?id=huqjyh7k