Web App Manifest

From MgmtWiki
Revision as of 09:05, 15 May 2019 by Tom (talk | contribs) (Solutions)


Full Title and Meme

A JSON structure that a web page links to so that the browser can install the Web App and present it to the user (for example as a home-screen icon) in a manner that looks like a Native App.

Context

  • The day when a personal computer was for running applications for the user is long gone, never to return.
  • Today a personal computer depends on cloud-based services for nearly all of its functionality.
  • Web Site security is becoming widely known as Cyber-Security, probably because that sounds more important somehow.
  • This page will only consider the use of a trusted User Agent, typically a web browser from a well-known and trusted vendor.
  • For the case of the user allowing a Native App to be installed on their personal device, see the page Native App Security.

Problems

  • After 20 years of web-based attacks on users, security protection is still dependent on the education of users, who are known to be gullible. This is from a 2018-12 NSS Labs report[1]:
Education is a key component of protection against SEM [socially engineered malware] and phishing attacks. Users who are able to identify socially engineered attacks rely less on technology for protection against such attacks. NSS Labs recommends supplementing browser protection with user education to protect against attacks that bypass browser protections.
  • Secure Web Sites using TLS (the https: scheme) still allow insecure content to be loaded. On 2017-10-27 it was estimated that 2.4% of sites downloaded insecure content. On 2019-05-08 the Chrome browser team (then at version 74) announced on blink-dev that they finally intend "to block insecurely-delivered downloads initiated from secure contexts if the download is for a high-risk file type", even though section 4.6.5 of the current HTML spec already strongly urges this behaviour: "Warning! This algorithm is intended to mitigate security dangers involved in downloading files from untrusted sites, and user agents are strongly urged to follow it." It is unclear which future version of Chrome might have this feature enabled.

Solutions

The following were current as of 2019-05-08; some of them (such as the Chrome download blocking described above) are proposed for a future release:

  • The current Web App Manifest specification is maintained by the W3C and is available on GitHub.
  • The Explainer does a good job of defining the purpose and scope of the manifest.
  • The Web Site exposes its name (the manifest's name and short_name) in a manner that allows the user to make a meaningful trust decision at install time. See the pages Trusted Identifier and Web Site Identity for details.
  • Most browsers come with a feature (for example Google Safe Browsing or Microsoft SmartScreen) that evaluates any file downloaded to the computer against a set of constantly updated filters maintained in the cloud.
  • A Web App Manifest is one of the features required of a Progressive Web App, alongside a secure context (HTTPS) and a service worker.
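The following is an added example, not code from the MgmtWiki page or from the W3C manifest specification. It applies the manifest processing rules that matter for the trust decision discussed above (name/short_name, start_url, scope, icons) and also flags the insecure-content problem from the Problems section: any http: resource referenced from an https: document or manifest. The sample manifest, the document URL and the manifest URL are constructed for illustration; the same-origin and fallback behaviour follows the specification, but the https-only checks are this example's own policy, not a spec requirement.

```javascript
// Added example: check a fetched Web App Manifest the way a user agent
// would process it, and report what it would reject or fall back from.
// Assumes Node.js (the WHATWG URL class is built in); no network access.

function sameOrigin(a, b) {
  return a.origin === b.origin;
}

// Resolve `ref` against `base`; null when the result is not a valid URL.
function resolve(ref, base) {
  try { return new URL(ref, base); } catch (_) { return null; }
}

function checkManifest(manifestText, documentUrl, manifestUrl) {
  const findings = [];
  const docUrl = new URL(documentUrl);
  const manUrl = new URL(manifestUrl);

  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (e) {
    return { ok: false, findings: ['manifest is not valid JSON: ' + e.message] };
  }
  if (typeof manifest !== 'object' || manifest === null || Array.isArray(manifest)) {
    return { ok: false, findings: ['manifest must be a JSON object'] };
  }

  // Installability requires a secure context in practice (example policy:
  // flag anything that is not https:).
  if (docUrl.protocol !== 'https:') findings.push('document is not served over https');
  if (manUrl.protocol !== 'https:') findings.push('manifest is not served over https');

  // name / short_name are what the browser shows at install time, so an
  // absent name leaves the user nothing on which to base a trust decision.
  const name = typeof manifest.name === 'string' ? manifest.name.trim() : '';
  const shortName = typeof manifest.short_name === 'string' ? manifest.short_name.trim() : '';
  if (!name && !shortName) findings.push('neither name nor short_name is present');

  // start_url is resolved against the manifest URL and must be same-origin
  // with the document; otherwise the spec falls back to the document URL.
  let startUrl = docUrl;
  if (manifest.start_url !== undefined) {
    const candidate = typeof manifest.start_url === 'string' ? resolve(manifest.start_url, manUrl) : null;
    if (!candidate) {
      findings.push('start_url is not a valid URL; falling back to the document URL');
    } else if (!sameOrigin(candidate, docUrl)) {
      findings.push(`start_url ${candidate.href} is cross-origin to the document; falling back to the document URL`);
    } else {
      startUrl = candidate;
    }
  }

  // scope is resolved against the manifest URL, must be same-origin with
  // start_url and must contain it; otherwise fall back to start_url's directory.
  let scope = new URL('.', startUrl);
  if (manifest.scope !== undefined) {
    const candidate = typeof manifest.scope === 'string' ? resolve(manifest.scope, manUrl) : null;
    if (!candidate || !sameOrigin(candidate, startUrl) || !startUrl.href.startsWith(candidate.href)) {
      findings.push("scope is invalid, cross-origin, or does not contain start_url; falling back to start_url's directory");
    } else {
      scope = candidate;
    }
  }

  // Each icon src is resolved against the manifest URL; an http: icon is
  // insecure content loaded from a secure context.
  const icons = Array.isArray(manifest.icons) ? manifest.icons : [];
  icons.forEach((icon, i) => {
    const src = icon && typeof icon.src === 'string' ? resolve(icon.src, manUrl) : null;
    if (!src) findings.push(`icons[${i}].src is missing or invalid`);
    else if (src.protocol !== 'https:') findings.push(`icons[${i}].src ${src.href} is not https`);
  });

  return { ok: findings.length === 0, name: name || shortName, startUrl: startUrl.href, scope: scope.href, findings };
}

// Constructed sample: a manifest whose start_url points at another origin
// and whose icon is delivered over plain http.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'Example Mail',
  short_name: 'Mail',
  start_url: 'https://evil.example.net/inbox',
  scope: '/app/',
  icons: [{ src: 'http://cdn.example.com/icon.png', sizes: '192x192', type: 'image/png' }],
});

const result = checkManifest(
  SAMPLE_MANIFEST,
  'https://mail.example.com/app/index.html',
  'https://mail.example.com/app/manifest.webmanifest',
);
console.log(JSON.stringify(result, null, 2));
```

Run with `node check-manifest.js`. For the constructed sample the cross-origin start_url is discarded in favour of the document URL (so the installed app cannot be redirected to another site by the manifest alone), the scope is accepted, and the http: icon is reported. The same function can be pointed at a real manifest fetched from a site under review.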

References

  1. NSS Labs, NSS Labs Announces Results of 2018 Web Browser Security Test (2018-12-05). https://globenewswire.com/news-release/2018/12/05/1662619/0/en/NSS-Labs-Announces-Results-of-2018-Web-Browser-Security-Test.html

Organizational Support

  1. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
  2. ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.