Relation between web origins and native apps

[muodov]

This discussion was split from #36. Some prior discussions can be also found in #31

As WebViews close the gap between native and web contexts, the challenge of mapping the web security model keeps popping up.

On the web, same-origin policy is the main security boundary between different properties. There is currently no universal way to make a connection between web origins and native apps.

Often such relation exists, however, since many native apps have web counterparts and vice versa. In these cases it may be logical to treat those domains as "first-party" to the app - and give the app more access to the web content from those origins. This idea is implemented on Apple platforms in App-bound domains.

Another approach that has been brought up is to think of it as a permission model, similar to web extensions. An app may request a user permission to get access to certain web origins. In this case, it is not necessary that the app is made by the same developer as the website owner.

There are also special cases when an explicit permission or allowlist is not feasible: for example, for full-featured browsers: #41 or miniapps.

I suggest to discuss this topic and alternative solutions in this issue.

[muodov]

I think that while the app <-> origin mapping will not cancel the need of manual review, as there will be ways to bypass the technical requirements, there is value in discouraging this by making it difficult to implement.

For example, while the proxy approach from this argument is fairly easy to do when targeting a specific site, it is really hard to support on scale (at least from my several years of experience working on this at Surfly).

Some bridge between native and web security models will be needed, but I share the concern that app-bound domains may be too restrictive, and the permission-based model seems more flexible. In general, I think we could use some wisdom from the WebExtensions experience, as the problem seems similar.