by nicoburns 1366 days ago
I think you'll only get access to this API if the user has explicitly installed your app as a PWA, not just when visiting it as a webpage.
2 comments

And then a shady company offers to buy the owner's website...
That’s a real problem, of course, but it seems fairly equivalent to any native app you install that can update itself or otherwise make a network request to obtain instructions.
Native apps that autoselfupdate have RCE vulnerabilities by definition and should be considered remote access malware already, before the developer release keys are compromised.

I am the reason Signal desktop now has a preference to opt out of autoupdate.

"It won't happen to me."
I agree with you. On the other hand, in the case of a native application, we can hope that the antivirus removes it. I hope that Microsoft has planned to update Defender accordingly.
Unlike the native app, you probably won't have to worry about a web page encrypting your files and asking for a ransom.
For now
JavaScript malware has been a thing for a while now, and antiviruses have been targeting it accordingly.
It's not necessarily JavaScript malware. A pure HTML page with a <form> tag could suffice to steal credentials.
XSS will mean that attackers control the browser UI; that's kind of bad.
Bad? I thought that was a feature. "Want to change your browser behaviour? Just put this CSS in user.js".