- Functionality: Handles the user interface and logic related to Progressive Web App (PWA) installation prompts and identity updates. This includes displaying information about the app being installed (name, origin, icon) and confirming identity changes.
- Key Logic: Triggering the install prompt (
beforeinstallpromptevent), displaying the install UI (ambient badge, menu item, install dialog), fetching manifest data, handling user acceptance/cancellation, managing identity update confirmations. TheWebAppInstallDialogDelegatehandles user interactions and dialog lifecycle for the desktop install prompt. - Core Files:
chrome/browser/ui/views/web_apps/: Contains UI views for installation and identity updates.web_app_install_dialog_delegate.cc: Desktop install dialog delegate implementation.web_app_identity_update_confirmation_view.cc: Identity update dialog.pwa_confirmation_bubble_view.cc: Another potential install/confirmation bubble.
chrome/browser/web_applications/: Core PWA installation and management logic.web_app_install_manager.cc: Manages the installation process.web_app_icon_manager.cc: Manages icons.
components/webapps/browser/installable/: Logic for determining installability.- Platform-specific UI code (e.g., Android install prompts).
- UI Spoofing/Origin Confusion (Install Prompts): The install prompt failing to correctly or consistently display the origin of the PWA being installed, or allowing the prompt to be displayed over unrelated origins, potentially tricking users into installing malicious PWAs. The
WebAppInstallDialogDelegateincludes checks likeOnOcclusionStateChangedto mitigate spoofing, such as by picture-in-picture windows.- VRP Pattern (Overlaying Other Origins): PWA install prompt initiated from one origin could remain visible after navigation or be displayed over a different origin (e.g., via
window.open), leading to user confusion about which site is requesting installation. (VRP2.txt#6886, #13834 - involves overlaying). Android-specific overlay issues (VRP2.txt#7452). - VRP Pattern (Incorrect Origin Display): Potential flaws in how the origin/name/icon are fetched from the manifest and displayed in the prompt UI (
WebAppInstallDialogDelegate, platform equivalents).
- VRP Pattern (Overlaying Other Origins): PWA install prompt initiated from one origin could remain visible after navigation or be displayed over a different origin (e.g., via
- UI Spoofing (Identity Update): The identity update confirmation dialog (
WebAppIdentityUpdateConfirmationView) could be spoofed, misleading users about accepted changes (icons, titles). - Bypassing User Confirmation: Flaws allowing installation or identity updates without proper user interaction or consent. The
WebAppInstallDialogDelegatehandles user acceptance (OnAccept) and cancellation (OnCancel,OnClose). - Data Leakage: Sensitive information related to the web app's identity, manifest, or installation state being leaked.
- Race Conditions: Issues during the asynchronous process of checking installability, fetching manifests/icons, showing prompts, and handling user interaction. Race conditions during identity updates interacting with
WebAppInstallManagerlifecycle (OnWebAppInstallManagerDestroyed).
- Install Prompt Placement & Context: How is the install prompt anchored or associated with the initiating tab/window? Can this association be broken or manipulated via navigation, popups, or window manipulation? (VRP2.txt#6886, #13834).
- Origin Verification: How is the origin displayed in the install prompt determined? Is it always based on the manifest's scope or start_url, or can the initiating context influence it incorrectly?
- Identity Update Confirmation UI: Review the layout and data display in
WebAppIdentityUpdateConfirmationViewfor potential spoofing vectors. How are old vs. new icons/titles presented? - Interaction with Uninstall Flow: Analyze the interaction between the identity update cancellation and the uninstall dialog (
WebAppUninstallDialogView,OnWebAppUninstallScheduled). Can this flow be manipulated? - Manifest Parsing: Ensure secure parsing of the web app manifest, especially fields related to identity (name, icons, scope, start_url).
WebAppInstallDialogDelegate: (chrome/browser/ui/views/web_apps/web_app_install_dialog_delegate.cc) Implements the delegate for the desktop install dialog. Handles user actions (OnAccept,OnCancel,OnClose) and includes mitigations against UI spoofing like checking for occlusion by a picture-in-picture window (OnOcclusionStateChanged).WebAppInstallDialogView/PwaConfirmationBubbleView: Desktop UI for installation prompts. Check origin display logic and interaction with window management.- Android PWA Install UI (Code likely in
chrome/android/java/): Needs review for similar origin display and overlay issues (VRP2.txt#7452). WebAppIdentityUpdateConfirmationView: Handles identity update dialog. Check UI construction,OnDialogAccepted,Cancel,OnWebAppUninstallScheduled.WebAppInstallManager: Core install logic. Check manifest fetching/parsing and interaction with UI prompts.InstallableManager: Checks if a site meets PWA install criteria.
- Install Prompt Overlay Robustness: Thoroughly test scenarios where install prompts (both desktop and Android) might overlay unrelated origins after navigations, redirects, or popup opening (VRP2.txt#6886, #13834, #7452). Ensure prompts are dismissed reliably when the initiating context changes inappropriately.
- Origin Display Accuracy: Verify that the origin displayed in install prompts accurately reflects the PWA being installed, based on manifest data, under all conditions.
- Identity Update UI Spoofing: Analyze the layout and information display of the identity update dialog for potential spoofing.
- User Consent Checks: Ensure installation and identity updates cannot proceed without clear, unambiguous user consent obtained through the correct, unobscured UI.
- VRP2.txt#6886: Security: PWA Install prompt can be overlaid over other origins.
- VRP2.txt#13834: Security: (Android) PWA Install prompt can be overlaid over other origins.
- VRP2.txt#7452: In PWA Installation Dialog Hide Origin Using Window (Related to overlay/spoofing).
(Note: Focus is on the UI prompts for installation and identity updates. Core PWA logic is broader.)