You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the window manager looks for an appId in e.detail.options of an open window event and if an app with that ID is found in the database it creates a new standalone window and navigates it to the URL provided.
It should check that the URL is actually in the scope of the app before loading that URL in the standalone window because any web page could add an appId to the event detail but provide an arbitrary URL. This is a vector for phishing attacks.
The text was updated successfully, but these errors were encountered:
Currently the window manager looks for an appId in e.detail.options of an open window event and if an app with that ID is found in the database it creates a new standalone window and navigates it to the URL provided.
It should check that the URL is actually in the scope of the app before loading that URL in the standalone window because any web page could add an appId to the event detail but provide an arbitrary URL. This is a vector for phishing attacks.
The text was updated successfully, but these errors were encountered: