by theteapot on 6/13/24, 6:47 PM
What's the difference between this and just having a button on your website that redirects to a spoof microsoft login page?
by meiraleal on 6/13/24, 9:32 PM
That's indeed a tricky one. Even though I work with PWAs, I could see myself being misled by this with a GitHub credential. Good reminder to only connect third-party services with access tokens.
by beardyw on 6/14/24, 1:55 PM
Surely you could pull this trick just by using full-screen mode, couldn't you? And all that requires is any user interaction.
by erikerikson on 6/13/24, 7:27 PM
Does this fool tools like 1Password?
by RcouF1uZ4gsC on 6/14/24, 1:07 PM
I don’t think this is much worse than OAuth itself. You just have to make a "login with Google/Facebook/X" button.
Also the thing about the URL won’t make much practical difference for the user. The reason is that a lot of the flows can redirect through different domains. For example, when I sign in with Google into a third-party site, I often see a redirect through the YouTube domain.
So users are not expecting full fidelity to the domain.
by kmf84 on 6/14/24, 4:50 PM
by toddmorey on 6/13/24, 10:08 PM
What makes this PWA specific rather than just “installable software”?
by difosfor on 6/13/24, 6:34 PM
I think you could do the same in native apps? So yeah, not much you can do about careless users. I suppose you could use something like an app store to provide some checks and a little more security. But then you're likely to run into monopolies again...
by dzhiurgis on 6/13/24, 10:27 PM
This reminds me of OAuth screens where you are not sure why your password manager doesn’t work…
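Two comments in this thread touch the same point: whether a tool like 1Password is fooled by a PWA that paints a fake address bar, and why a password manager sometimes refuses to fill on an OAuth screen. Both come down to the same rule: a manager binds a saved login to the origin (scheme, host, port) it was saved on and ignores everything the page draws, so a spoofed login form served from the attacker's origin gets no autofill, and a legitimate OAuth redirect through an unexpected domain gets none either. The following is an added example, written for this page and not code from the thread, from 1Password or from any other product; the vault entries and URLs are constructed sample data, and the `lookalikeWarning` heuristic is an illustrative assumption, not a description of how any real manager works.

```javascript
// Added example (not from the thread or any password manager): how an
// origin-bound autofill decision works. Sample vault and URLs are constructed.

// Constructed sample vault: each entry is bound to the origin it was saved on.
const vault = [
  { site: "https://github.com", username: "alice", password: "example-only" },
  { site: "https://accounts.google.com", username: "alice@example.com", password: "example-only" },
];

// Reduce a URL to its origin (scheme + host + port). Page title, favicon,
// a painted "address bar" or full-screen mode play no part in this.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null; // unparsable or relative URL: never match
  }
}

// Return vault entries whose saved origin exactly equals the current page's
// origin. A spoofed form on the attacker's origin gets nothing, however
// convincing it looks; an http:// copy of an https:// site gets nothing either.
function matchingLogins(currentUrl, entries = vault) {
  const origin = originOf(currentUrl);
  if (origin === null) return [];
  return entries.filter((e) => originOf(e.site) === origin);
}

// Hypothetical lookalike heuristic (an assumption for this example): warn when
// a saved hostname appears inside a different host that is not one of its
// subdomains, e.g. github.com.login-attacker.example.
function lookalikeWarning(currentUrl, entries = vault) {
  let host;
  try {
    host = new URL(currentUrl).hostname;
  } catch {
    return null;
  }
  for (const e of entries) {
    const saved = new URL(e.site).hostname;
    if (host !== saved && !host.endsWith("." + saved) && host.includes(saved)) {
      return `host "${host}" is not "${saved}" but contains it`;
    }
  }
  return null;
}

// Usage: the spoofed PWA origin matches nothing, the real one matches one entry.
console.log(matchingLogins("https://github.com/login").map((e) => e.username));        // ["alice"]
console.log(matchingLogins("https://github.com.evil.example/login").length);             // 0
console.log(lookalikeWarning("https://github.com.evil.example/login"));                  // warning string
```

The design choice worth noting is that the decision never consults anything the page can control. That is exactly why a manager "doesn't work" on a spoofed PWA window and why its silence on a login form is itself a signal worth heeding.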