by paulryanrogers 728 days ago
How could this be stopped? Blocking images or rendering that mimics a real URL bar would be challenging.

Perhaps the PWA forces an overlay of the real apex domain at the top or in a top corner?

2 comments

When installing a PWA, check whether URL and title match and warn the user otherwise.

For most PWAs, the title is simply the apex domain without the TLD with some kind of capitalization. There are a few slightly more complex cases, such as Google Maps (google.com/maps) and YouTube Music (music.youtube.com). Even in these cases, there is an obvious relationship between URL and title.
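The title-versus-origin check described in the comment above, written out as an added example (not code from any browser or from the commenter): it normalises the manifest name and checks that it can be built from the install URL's host labels and path segments, so "Google Maps" on google.com/maps and "YouTube Music" on music.youtube.com pass while an unrelated brand name on another origin triggers a warning. The TLD handling is a deliberate simplification (it drops only the last host label and uses no public-suffix list), and `GENERIC_LABELS` is an assumed list.

```python
import re
from typing import Optional, Set
from urllib.parse import urlparse

# Assumed list of host labels that carry no brand information.
GENERIC_LABELS = {"www", "app", "apps", "m", "web"}


def url_tokens(start_url: str) -> Set[str]:
    """Host labels (minus naive TLD and generic prefixes) plus path segments."""
    parsed = urlparse(start_url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")[:-1]  # simplification: drop only the last label
    tokens = {lbl for lbl in labels if lbl and lbl not in GENERIC_LABELS}
    tokens |= {seg.lower() for seg in parsed.path.split("/") if seg}
    return {re.sub(r"[^a-z0-9]", "", t) for t in tokens} - {""}


def normalize_name(name: str) -> str:
    """Lower-case the manifest name and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def name_matches_origin(name: str, start_url: str) -> bool:
    """True if the normalised name is made up entirely of URL tokens."""
    target = normalize_name(name)
    tokens = url_tokens(start_url)
    if not target or not tokens:
        return False
    ordered = sorted(tokens, key=len, reverse=True)  # longest token first
    pos = 0
    while pos < len(target):
        for tok in ordered:
            if target.startswith(tok, pos):
                pos += len(tok)
                break
        else:
            return False  # some part of the name is not explained by the URL
    return True


def install_warning(name: str, start_url: str) -> Optional[str]:
    """Return a warning string for the install prompt, or None if it matches."""
    if name_matches_origin(name, start_url):
        return None
    host = urlparse(start_url).hostname or start_url
    return f"Warning: app title {name!r} does not match its origin {host}"
```

Constructed inputs such as the "PayPal" name on an unrelated host are the mismatch case the comment wants surfaced to the user.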

I think that it’s pretty hard to stop with the current state of PWA installation.

You could try having the manifest data (the data for the PWA app) tied more to the HTML and DNS, making it harder to impersonate other sites.

You could also go a more extreme route and have something like PWA app signing like other kinds of apps.